Tag Archives: Conficker

DoublePulsar exploit: victim devices are widespread

Last month the hacking group known as the Shadow Brokers made available a set of exploits (this appears to be their last remaining set). These exploits allegedly came from the NSA. A full list of the exploits is available here. Microsoft’s analysis of which exploits apply to its products, and which security updates resolve them, is available here.

What is DoublePulsar and how does it affect a system?
The exploit in this recently released collection that targets the Windows SMB Server component is known as DoublePulsar. It is a kernel mode (or ring zero (defined)) exploit which provides an attacker with full control over an affected system as well as providing a backdoor (defined).

It also allows the execution of shellcode (defined) and the downloading of further malware. A complete list of its capabilities is available from Symantec’s analysis.

This threat is being compared to the MS08-067 vulnerability from October 2008, which led to the widespread installation of the Conficker malware (which still persists today). That article estimates this vulnerability will be with us for many years to come. In my professional career I still see large numbers of servers and workstations not patched against the MS08-067 vulnerability even after all these years. The exploits made available by the Shadow Brokers have been made easy to use by others posting YouTube videos and documentation of how to use them. Security researchers are tracking the spread of this malware here, here and here.

How can I protect myself from this threat?
Preventing a compromise by this threat:

If your servers or workstations have Windows Server 2008 or Windows Vista (respectively) or newer installed, please install Microsoft’s security update MS17-010 as soon as possible. As a defense-in-depth measure (defined) (PDF), please also consider blocking port 445 from being accessed externally, since this is unlikely to be the last SMB exploit we see.

Please note that Windows Vista is also no longer supported and you should consider upgrading (if you are not already in the process of doing so). Windows Server 2008 will be supported until the 13th of January 2020.

=======================
Update: 19th May 2017:
=======================
With the rapid propagation of the WannaCry ransomware, Microsoft made available the MS17-010 update for Windows XP, Windows Server 2003 and Windows 8.0. The updates for these out-of-support operating systems are available from Microsoft’s blog post.

Once the update is installed, if your servers or workstations have Windows Server 2003 or Windows XP (respectively) installed, please block port 445 (the Windows SMB protocol port) from being accessed from an external network (as previously recommended by US-CERT and mentioned in a past blog post of mine).

In addition to blocking port 445 as mentioned above, I would also suggest the following:

If you can, segregate your vulnerable devices (including devices within your network perimeter) so they don’t expose the following ports:

  • TCP port 445, together with the related NetBIOS protocols on UDP ports 137-138
  • TCP port 139
  • Also disable SMBv1 (it’s a deprecated protocol)
  • Please also block the Remote Desktop Protocol (RDP) port 3389 (defined) at the entry point to your corporate network to prevent the spread of this malware, as recommended by US-CERT.
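The recommendations above are aimed at the network perimeter. As an added example (my own, not from the original post or from Microsoft’s guidance), the PowerShell below applies the same hardening at host level on a Windows 8 / Windows Server 2012 or later system: it reports and disables the SMBv1 server, adds inbound block rules for TCP 445, TCP 139, UDP 137-138 and TCP 3389 on the Public firewall profile, and lists which of those ports still have a listener. The cmdlets (Get/Set-SmbServerConfiguration, Get/New-NetFirewallRule, Get-NetTCPConnection) are the standard SmbShare and NetSecurity cmdlets; the rule display names and the choice of the Public profile are my own assumptions.

```powershell
# Added example (not from the original post): host-level counterpart to the
# perimeter blocking described above. Run from an elevated PowerShell prompt
# on Windows 8 / Server 2012 or later. Rule names and the Public-only scope
# are my own choices; change -Profile to Any if the host must never serve SMB.
#Requires -RunAsAdministrator

# 1. Report whether the deprecated SMBv1 server is enabled, then disable it.
$smb = Get-SmbServerConfiguration
"SMBv1 enabled before: $($smb.EnableSMB1Protocol)"
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
"SMBv1 enabled after:  $((Get-SmbServerConfiguration).EnableSMB1Protocol)"

# 2. Block inbound SMB, NetBIOS and RDP on the Public profile only, so that
#    domain/LAN file sharing keeps working while laptops that roam onto
#    untrusted networks stop exposing these ports.
$rules = @(
    @{ Name = 'Block SMB 445 (Public)';         Protocol = 'TCP'; Port = 445 },
    @{ Name = 'Block NetBIOS 139 (Public)';     Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block NetBIOS 137-138 (Public)'; Protocol = 'UDP'; Port = '137-138' },
    @{ Name = 'Block RDP 3389 (Public)';        Protocol = 'TCP'; Port = 3389 }
)
foreach ($r in $rules) {
    # Idempotent: only create a rule if one with that display name is absent.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Public | Out-Null
        "Created rule: $($r.Name)"
    }
}

# 3. Show which of these ports currently have a TCP listener. Port 445 will
#    normally still listen (the Server service owns it); the firewall rule is
#    what stops external hosts reaching it, so verify the rule, not the listener.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445, 3389 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

On Windows 7 / Server 2008 R2 the SmbShare cmdlets are not available; there, SMBv1 is disabled by setting the DWORD value SMB1 to 0 under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and rebooting, and the firewall rules are created with netsh advfirewall instead. Disabling SMBv1 does not remove the need for MS17-010: the update still has to be installed.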

To check if your system has been compromised by DoublePulsar, you can use this tool.

Removing the threat from a compromised system:
You can remove the infection simply by shutting the system down, since the malware does not persist after a reboot. You can then patch the vulnerability and block access to port 445 to prevent the malware from returning (both as mentioned above).

Thank you.

Removing Conficker in 2015

In early August a research paper was published by a team of Dutch researchers trying to determine why there are more than 1 million computers worldwide still infected with variants of the Conficker malware (also known as Downadup) more than 6 years after it began spreading.

The reasons appear to be that the infections are present on systems that are no longer maintained, or on embedded systems that cannot easily be accessed to carry out the removal of the malware. In addition, ISPs (Internet Service Providers) around the world have worked with their customers to remove this malware. However, while their efforts have paid off, when the malware is removed the newly cleaned systems are not patched and they quickly become infected again.

The research paper also points out that 15% of the systems infected with GameOverZeus are also infected by Conficker. The security vulnerability (CVE-2008-4037, CVE defined) exploited by Conficker in order to propagate itself affects the following versions of Windows:

=======================
Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Vista (32 bit and 64 bit) with or without Service Pack 1
Windows Server 2003 (32 and 64 bit) Service Pack 1 and Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 (32 bit and 64 bit)
Windows Server 2008 for Itanium-based Systems
=======================

This security vulnerability was resolved by Microsoft with this security bulletin.

In order to assist with removing this malware from any systems I would like to offer the following advice:

=======================
For single computers used for home or small business use (up to a maximum of 5 computers):
=======================

  • If you don’t wish to continue using your old computer:
    Back up your important data to external media, e.g. a USB jump/flash drive, an external hard disk or recordable CD/DVD. Computers that can run the older versions of Windows mentioned above should still have all that you need to back up your data, e.g. USB ports and CD/DVD recording (burning) drives.
  • Responsibly dispose of your old computer and upgrade to a new computer. Follow the advice on the “Protecting Your PC” page to keep it free from malware.

=======================
If you want to continue using your old computer:
=======================

  • Disconnect the infected computer from the internet.
  • Use a malware-free computer (e.g. a friend’s, or a computer at an internet café) to download the Conficker Removal Tool from Symantec. Bring the tool to the infected computer using an external hard drive, USB jump/flash drive, or CD/DVD. Run the tool by double clicking it.

The tool will remove all traces of the infection from the computer. I tested this tool on a Windows XP SP3 computer (disconnected from the internet) and it took just over 5 minutes to complete a full scan of the system.

  • If you suspect any other malware may be present on the infected computer, I would suggest using another computer to download any of the following free tools and transfer those tools as described above to the infected computer. Complete a full system scan with any of these tools.

I tested all of these tools using a Windows XP SP3 system not connected to the internet. All tools were able to complete scans without the assistance of an internet connection:

Microsoft Safety Scanner
Sophos Virus Removal Tool
Malwarebytes Anti Malware (free edition)

For Malwarebytes, the included definitions dated from June 2015 since no internet connection was available. Updating using this MBAM rules tool appeared to succeed but had no effect. The Microsoft and Sophos tools did not have this limitation.

  • Once the computer is free of malware, ensure the Windows Firewall is turned on, then re-connect the computer to the internet.
  • Visit Microsoft Update (for Windows 2000, Windows XP and Server 2003 systems) to download and install all necessary security updates. Windows Vista and Windows Server 2008 systems can use the built-in Windows Update to download all necessary security updates.
  • Install anti-malware software that is compatible with your computer. Free and paid-for software products are listed on this page. Corporate anti-malware software is listed here. Contact the manufacturer/vendor of the software to check its compatibility with your version of Windows if you are purchasing a paid-for version. If an anti-malware product is not available for your version of Windows, disconnect the computer from the internet (to significantly reduce the possibility of malware infection) and consider purchasing a new computer sometime in the future at a time convenient to you.
  • If you wish, disconnect the computer from the internet (see the bullet point above about available anti-malware software). Continue using your computer as normal.

Update: 7th September 2015:
Please note that my suggestion to disconnect a Windows computer (that no longer receives security updates on a monthly basis) from the internet is an effective way to reduce its risk of infection; however, air-gapping (defined) a device is not a perfect solution.

If a storage device such as an external hard disk or USB flash/jump drive is connected to a computer that is not connected to the internet, the computer can still become infected if an infected file is present on that storage device and the file is transferred to and loaded/opened on the computer.

To attempt to address some of the pitfalls of air-gapping I would recommend scanning all files that you intend to transfer using an up-to-date malware scanner, or using VirusTotal.com (only for a single file or a small number of files; don’t upload files that contain private/sensitive data), before using those files on older Windows systems, to minimize the risk of malware infection. The link referenced above regarding air-gapped systems includes further advice which you may or may not decide to implement.

=======================

=======================
For computers for small businesses or larger businesses (more than 5 computers):
=======================
While the above steps to remove malware can be applied to any number of computers, the process becomes tedious and time consuming when more than 5 computers are infected. I would recommend seeking the assistance of qualified corporate IT security companies in your locality to perform a malware clean-up. Such companies generally offer a network security assessment and can provide on-going assistance to keep your network safe from security threats.

US-CERT has written an in-depth, easy-to-follow guide with advice on how to remove the Conficker malware and prevent it from spreading further.
=======================

I hope that the above advice and resources are of assistance to you in removing the Conficker malware from any Windows devices that you may have.

Thank you.