How does Conficker work
Conficker B is a rewrite of Conficker A with the following noticeable differences. First, Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian. Conficker B does not include this keyboard check. B also uses different mutex strings and patches a number of Windows APIs, and attempts to disable its victim's local security defenses by terminating the execution of a predefined set of antivirus products it finds on the machine.

It has significantly more suicide logic embedded in its code, and employs anti-debugging features to avoid reverse engineering attempts. Conficker B uses a different set of web sites to query its external-facing IP address. It does not download the fraudware Antivirus XP software that version A attempts to download. Conficker's propagation methods differ between A and B and are described in the section on Conficker propagation.

Like Conficker A, after a relatively short initialization phase followed by a scan and infect stage, Conficker B proceeds to generate a daily list of domains to probe for the download of an additional payload. Conficker B builds its candidate set of rendezvous points every 2 hours, using a similar algorithm. But it uses different seeds and also appends three additional top-level domains. The result is that the daily domain lists generated by A and B do not overlap.

Both Conficker A and B clients incorporate a binary validation mechanism to ensure that a downloaded binary has been signed by the Conficker authors.

Figure 2 illustrates the download validation procedure used to verify the authenticity of binaries pulled from Internet rendezvous points. The procedure begins with Conficker's authors computing a hash M of the Windows binary that will be downloaded to the client.

The binary is then encrypted using the RC4 symmetric stream cipher with M as the key. M is also signed with the authors' RSA private key (modulus N) to produce Sig, which is appended to the encrypted binary; together they can be pushed to all infected Conficker clients that connect to the appropriate rendezvous point.

Once received, the client removes the digital signature and recovers M from Sig using N and the public exponent epub, which are embedded in the Conficker client binary. The client then decrypts the binary using key M, and confirms its integrity by comparing the hash of the decrypted binary to M.

If the hash integrity check succeeds, the binary is stored and executed via Windows shellexec; otherwise the binary is discarded. Both A and B use equivalent hash and encryption protocols, with the exception that B uses an expanded (larger) modulus than A. The public exponent epub and modulus N values from the Conficker A and B binaries are shown in Table 1.
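The validation procedure described above, as an added example that is not code from the original page or from the analysis it draws on. It uses a toy RSA key built from two Mersenne primes (constructed for this example, not Conficker's Table 1 values), assumes SHA-512 for the hash since the page does not name the algorithm, and implements RC4 by hand; it also shows the client rejecting a payload whose ciphertext has been altered.

```python
import hashlib

# Toy RSA key, constructed for this example only: two Mersenne primes, so no prime
# generation is needed and the run is reproducible. A real key uses random primes;
# Conficker's own e and N are the values the page refers to in Table 1.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E_PUB = P * Q, 65537
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))   # private exponent, held by the authors only
SIG_LEN = (N.bit_length() + 7) // 8           # Sig travels as fixed-width big-endian bytes

def rc4(key: bytes, data: bytes) -> bytes:
    # Plain RC4 keystream XOR; the same call encrypts and decrypts
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def author_package(binary: bytes) -> bytes:
    # Authors' side: M = hash(binary); output RC4(binary, key=M) || Sig with Sig = M^d mod N.
    # SHA-512 is an assumption of this example; the page does not name the hash algorithm.
    M = hashlib.sha512(binary).digest()
    sig = pow(int.from_bytes(M, "big"), D_PRIV, N)
    return rc4(M, binary) + sig.to_bytes(SIG_LEN, "big")

def client_validate(blob: bytes):
    # Client side: strip Sig, recover M = Sig^e mod N, RC4-decrypt with M, and accept
    # the binary only if it hashes back to M. Returns the binary, or None if rejected.
    enc, sig = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    m_int = pow(sig, E_PUB, N)
    if m_int >= 1 << 512:                     # not a 512-bit hash: forged or corrupted Sig
        return None
    M = m_int.to_bytes(64, "big")
    binary = rc4(M, enc)
    return binary if hashlib.sha512(binary).digest() == M else None

if __name__ == "__main__":
    payload = b"MZ constructed sample payload, not a real binary"
    blob = author_package(payload)
    assert client_validate(blob) == payload
    tampered = bytes([blob[0] ^ 1]) + blob[1:]   # one ciphertext byte flipped
    assert client_validate(tampered) is None
    print("signed payload accepted; tampered copy rejected")
```

Because only the holder of the private exponent can produce a Sig that recovers the correct M, a defender who sinkholes rendezvous domains can observe clients but cannot push them a replacement binary; that is why takedown efforts centred on blocking the domains rather than hijacking the update channel.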

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.

Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base. Click Start, type regedit in the Start Search box, and then click regedit. In the Value data box, type 4, and then click OK.

Exit Registry Editor, and then restart the computer. Note: The Task Scheduler service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on Windows Vista and Windows Server, because this step will affect various built-in scheduled tasks.

As soon as the environment is cleaned up, re-enable the Server service. Download and manually install security update MS. For more information, visit the following Microsoft Web site. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD, because a burned CD is not writable and therefore cannot be infected.

If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file.

After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to it. If it was, rename the Autorun.inf file. Reset any Local Admin and Domain Admin passwords to use a new strong password.

In the details pane, right-click the netsvcs entry, and then click Modify. In variant B, the service name was random letters and appeared at the bottom of the list. With later variants, the service name may be anywhere in the list and may seem more legitimate. To verify, compare the list in the "Services table" with a similar system that is known not to be infected. Note the name of the malware service; you will need it later in this procedure.

Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.

Notes about the Services table. All the entries in the Services table are valid entries, except for the items that are highlighted in bold.

The highlighted, malicious entry is the one whose first letter is supposed to resemble a lowercase "L". In a previous procedure, you noted the name of the malware service.

In our example, the name of the malware entry was "Iaslogon". In Registry Editor, locate and then click the following registry subkey, where BadServiceName is the name of the malware service.

Right-click the subkey in the navigation pane for the malware service name, and then click Permissions. In the Advanced Security Settings dialog box, click to select both of the following check boxes: "Inherit from parent the permission entries that apply to child objects" and "Include these with entries explicitly defined here".

The generated domain names were also shortened from 8 to 11 characters down to 4 to 9 characters to make them more difficult to detect with heuristics.


The shortened generated names are expected to collide with existing domains each day, potentially resulting in a DDoS (Distributed Denial-of-Service) attack on web sites serving those domains.

Yet the large number of generated domains, and the fact that not every domain will be contacted on a given day, will probably prevent DDoS situations. Besides its infection and propagation mechanisms, Conficker also has advanced self-protection features. For example, it patches a Windows DLL to block lookups of anti-malware-related sites.
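A defender-side heuristic for the domain-generation behaviour described above, as an added example that is not code from the page: clients whose DNS queries produce many distinct NXDOMAIN answers for names with 4- to 9-character second-level labels are reported. The log format, the threshold and the sample lines are constructed for this example; because shortened names collide with real domains, some generated queries will resolve, so the count is taken over the NXDOMAIN subset only.

```python
import random
import string
from collections import defaultdict

SHORT_LABEL = range(4, 10)   # 4- to 9-character second-level labels, per the text above

def second_level_label(qname):
    # Label just left of the TLD; public-suffix handling is out of scope here
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_suspects(lines, min_distinct=8):
    # Each line is 'client_ip qname rcode' (constructed format). Returns
    # {client_ip: number of distinct NXDOMAIN short-label names} for clients at or
    # above min_distinct; the threshold is a starting point to tune per network.
    seen = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue                      # skip malformed lines
        host, qname, rcode = fields
        if rcode == "NXDOMAIN" and len(second_level_label(qname)) in SHORT_LABEL:
            seen[host].add(qname.lower())
    return {h: len(q) for h, q in seen.items() if len(q) >= min_distinct}

def constructed_log(seed=7):
    # Constructed sample, not a real capture: ordinary traffic from 10.0.0.8 (one typo
    # included), plus one host that walks a burst of pseudo-random short names
    rng = random.Random(seed)
    lines = ["10.0.0.8 www.example.com NOERROR", "10.0.0.8 mail.example.com NOERROR",
             "10.0.0.8 abcd.org NXDOMAIN", "10.0.0.5 update.microsoft.com NOERROR"]
    for _ in range(12):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(4, 9)))
        lines.append(f"10.0.0.5 {label}.{rng.choice(['com', 'net', 'org'])} NXDOMAIN")
    return lines

if __name__ == "__main__":
    print(dga_suspects(constructed_log()))   # only 10.0.0.5 is reported
```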

Version D of Conficker also disables Safe Mode. Versions D and E also kill anti-malware by scanning for and terminating processes whose names match anti-malware, patch, or diagnostic tools, at one-second intervals. Moreover, each version of Conficker ends up updating itself to the next or a higher version.

In particular, the final version of Conficker, version E, also downloads and installs additional malware payloads: the Waledac spambot and the SpyProtect scareware. Though Conficker does not cause data loss to its victims, it greatly increases their network load, so infected computers experience slow network performance that affects their usability. How, then, can you protect yourself from being infected by Conficker? The suggestions below are listed for your reference. If you are still using an old OS that is vulnerable to Conficker, the most urgent thing is to update Windows, ideally to its newest version.

That shuts the backdoor the malware relies on. How do you determine whether your system is vulnerable to Conficker? Generally, if you are using Windows 7 or a later edition, you are safe from Conficker. If you are running a system earlier than Windows 7, especially with the MS network service, you are likely to be infected by Conficker. Simply updating your OS will solve the problem.

Since one of Conficker's spreading routes is USB flash media and network shares, you are strongly advised to pay attention to the removable devices you connect to your computer and to the shared files you receive and are about to open, especially unauthorized devices and shares from strangers.

What should you do? Never use a USB or open a shared file?