WORM_DOWNAD.AD
Arrival Details
This worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may also arrive bundled with malware packages as a malware component. It may also arrive via removable drives, network shares, or through a vulnerability.
Installation
This worm drops the following copy of itself:
%System%\{Random filename}.dll
It checks if the command line includes the string RUNDLL32.EXE. If it does, this worm assumes it is running as a scheduled task. It then injects itself into the legitimate processes SVCHOST.EXE and EXPLORER.EXE.
It is capable of exporting functions used by other malware. It sets the creation time of the file to match the creation time of the legitimate Windows file KERNEL32.DLL, which is also located in the Windows system folder. It does this to prevent early detection as a newly added file on the affected system.
Upon execution, it creates a random mutex and then elevates its system privileges. It also creates a second mutex based on the computer name of the affected system.
It then checks the operating system version of the affected system. If the worm is running on a Windows 2000 machine, it injects itself into SERVICES.EXE. If the affected system runs any of the following operating systems, this worm injects itself into SVCHOST.EXE:
Windows Server 2003
Windows Server 2003 R2
Windows XP
If the system is running Windows Vista, it executes the following command to disable autotuning:
netsh interface tcp set global autotuning=disabled
It also injects itself into the process SVCHOST.EXE to hook NetpwPathCanonicalize and avoid reinfection of an affected system.
It may also drop a copy of itself in the following folders:
%Application Data%
Default system directory
%Program Files%\Internet Explorer
%Program Files%\Movie Maker
%Temp%
This technique prevents it from dropping copies of itself on systems it has already affected. It also locks its dropped copy to prevent users from reading, writing, and deleting it.
Autostart Techniques
This worm registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry key(s)/entry(ies):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{Random service name}
Image Path = "%Windows%\System32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{Random service name}\Parameters
ServiceDll = "{Malware path and file name}"
It then locks the permission settings of the registry.
It creates the following registry entry to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{Random characters} = "rundll32.exe {System folder}\{Malware filename}.dll, {Parameters}"
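The service persistence described above gives a defender a concrete hunt: every service hosted through svchost.exe -k netsvcs must name its DLL in a Parameters\ServiceDll value, so an unfamiliar DLL in that position deserves a look. The following Python is an added example, not code from the Trend Micro writeup. It parses a constructed .reg-style export (simplified to plain quoted string values; a real reg export encodes REG_EXPAND_SZ as hex(2): byte lists, which this parser does not decode) and reports netsvcs services whose ServiceDll file name is not in a baseline allowlist. The service name wmhdnsq, the DLL name xqlpvt.dll and the allowlist contents are all constructed for the example; on a real system the allowlist should be built from a known-good image of the same Windows build.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg-style export, NOT a real capture. Values are written as plain
# quoted strings for readability; a real `reg export` encodes REG_EXPAND_SZ as
# hex(2): byte lists, which this parser does not decode.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmhdnsq]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmhdnsq\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\xqlpvt.dll"
"""

# Baseline of DLLs expected behind "-k netsvcs"; constructed for this example and
# deliberately short. Build it from a known-good image of the same Windows build.
KNOWN_NETSVCS_DLLS = {"qmgr.dll", "wuaueng.dll", "wscsvc.dll", "ersvc.dll", "browser.dll"}

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)(\\Parameters)?\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_services(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Collect the string values (ImagePath, ServiceDll, ...) per service name."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SERVICE_KEY_RE.match(line)
            current = m.group(1) if m else None  # ignore keys outside Services
            if current is not None:
                services.setdefault(current, {})
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            # .reg files escape backslashes; collapse them back to single ones
            services[current][v.group(1)] = v.group(2).replace("\\\\", "\\")
    return services


def flag_unknown_netsvcs(services: Dict[str, Dict[str, str]],
                         allowlist=KNOWN_NETSVCS_DLLS) -> List[Tuple[str, str]]:
    """Return (service, ServiceDll) pairs for svchost netsvcs services whose DLL is not baselined.

    A netsvcs service with no ServiceDll at all is reported too, since svchost
    cannot host it without one.
    """
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue
        dll = values.get("ServiceDll", "")
        basename = dll.rsplit("\\", 1)[-1].lower()
        if basename not in allowlist:
            findings.append((name, dll))
    return findings


if __name__ == "__main__":
    for service, dll in flag_unknown_netsvcs(parse_services(SAMPLE_REG_EXPORT)):
        print(f"suspicious netsvcs service {service!r}: ServiceDll={dll}")
```

The allowlist approach is deliberate: the worm's service and DLL names are random, so there is no string to match on, but the set of DLLs legitimately loaded into the netsvcs group on a given Windows build is small and stable, which makes "not in the baseline" a far more reliable signal than any name pattern.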
Other System Modifications
This worm modifies the following registry entries to disable certain services:
Background Intelligent Transfer Service (BITS)
Windows Error Reporting Service
Windows Security Center Service
Windows Automatic Update Service
This worm also modifies the registry entry that allows simultaneous network connections.
Propagation via Software Vulnerabilities
This worm propagates in two ways, both of which take advantage of a vulnerability discovered in certain Microsoft operating systems that could allow remote code execution if an affected system received a specially crafted RPC request, which also contains a shellcode.
Once this specially crafted RPC request reaches its target vulnerable system, the shellcode is decrypted and then retrieves certain APIs capable of downloading a copy of the worm from the affected system, which has already been converted into an HTTP server. The affected system then opens a random TCP port, allowing the vulnerable machine to connect to it using the following URL:
http://{IP address of the affected machine}:{Random port generated by this worm}/{Malware file name composed of random characters}
During this exploit, high traffic on TCP port 445 is seen, since this is the port that this worm uses.
When the copy of the worm is being downloaded from the affected system to the vulnerable system, the worm modifies its packet header to make itself appear as a harmless .JPEG, .BMP, .GIF, or .PNG file when, in fact, it is actually an executable file. It does this to avoid detection by the network firewall or system security applications. If an unpatched system continues to receive malicious packets, the said system may eventually crash. The downloaded copy of the worm is saved as X in the Windows system folder.
It is also capable of propagating over the Internet by attempting to send the exploit code to a random Internet address. It first broadcasts the opened random port that serves as an HTTP server so that it is accessible over the Internet. It then gets the external IP address of the system to check if it has a direct connection to the Internet. This worm launches the exploit code over the Internet only if the affected system has a direct connection to the Internet, which it determines by comparing the external IP address with the IP address configured in the Ethernet or modem driver.
It attempts to connect to certain URLs to learn the IP address of the affected computer. Once the IP address is retrieved, it scans the entire block of IP addresses. For example, if the IP address of the infected system is 10.10.10.1, it scans from 10.0.0.1 up to 10.255.255.255. It then checks if the said IP address is valid and is not a local IP address. It also checks if the external IP address is the same as the configured IP address on the system. Note that this worm makes the random port it uses available online by broadcasting the port over the Internet via a Simple Service Discovery Protocol (SSDP) request.
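The network behaviour described above (a sequential sweep of the whole /8 with the exploit delivered over TCP port 445) has a simple flow-level signature: one source contacting a very large number of distinct hosts on port 445 in a short time, which no legitimate SMB client does. The Python below is an added example written for this page, not code from the writeup or from any product. It builds a constructed set of flow records (one ordinary workstation talking repeatedly to a file server, one hypothetical infected host sweeping from 10.0.0.1) and runs a sliding-window detector that counts distinct port-445 destinations per source. The hosts, addresses, window and threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int]  # (epoch seconds, src IP, dst IP, dst TCP port)


def build_sample_flows() -> List[Flow]:
    """Constructed flow records, not a real capture.

    10.10.10.2 is a normal workstation hitting its file server on 445 forty
    times; 10.10.10.1 is a hypothetical infected host sweeping 10.0.0.0/8
    sequentially from 10.0.0.1, two new targets per second, as the writeup
    describes.
    """
    flows: List[Flow] = []
    for i in range(40):
        flows.append((1000 + i, "10.10.10.2", "10.10.10.50", 445))
    first = int(ipaddress.IPv4Address("10.0.0.1"))
    for i in range(120):
        flows.append((1000 + i // 2, "10.10.10.1", str(ipaddress.IPv4Address(first + i)), 445))
    return flows


def detect_smb_sweep(flows: List[Flow], window: int = 60, threshold: int = 50) -> Dict[str, int]:
    """Map each source to its peak count of distinct TCP/445 destinations inside
    any `window`-second span, keeping only sources that exceed `threshold`.

    Repeated connections to the same server do not raise the count, which is
    what separates a file-server client from a host scanning a /8.
    """
    by_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            by_src[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Dict[str, int] = defaultdict(int)  # dst -> hits inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until everything kept is within `window`
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in detect_smb_sweep(build_sample_flows()).items():
        print(f"{src} reached {count} distinct hosts on TCP/445 within 60 s")
```

The same logic applies to firewall or NetFlow exports once the records are mapped to the (timestamp, source, destination, port) shape used here; the threshold should sit well above the number of distinct SMB servers a single workstation legitimately reaches in a minute.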
Propagation via Removable Drives
This worm drops a copy of itself in all available removable and network drives.
It drops a copy of itself in the {Removable Drive}\Recycler\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d folder. It also drops an AUTORUN.INF file to automatically execute the dropped copies when the drives are accessed. The said .INF file contains random characters inserted to avoid easy detection. It also monitors drive access by creating a hidden window. When this event is triggered, it performs the above-mentioned routine.
Propagation via Network Shares
This worm gets information about the affected system's configuration. It lists all servers of the specified type that are visible in a domain and, if found, lists the available users for both the local and the server machine.
It first enumerates the available servers using the NetServerEnum API. Using this information, it then uses the NetUserEnum API to gather the list of user accounts, then brute forces its way into the network using a dictionary attack.
Once it gains access to the machine, it drops a copy of itself in the Admin$\System32 directory using a randomly named file. Upon successful network propagation, a scheduled task is created in the %Windows%\Tasks folder using the NetScheduleJobAdd API to execute its dropped copy. The scheduled time of execution in the created JOB file is retrieved from the GetLocalTime API. This scheduled task file is detected by Trend Micro as TROJ_DOWNADJOB.A.
Download Routine
This worm attempts to connect to certain URLs to download a file that indicates the location of the affected system. It has a payload that attempts to download and update a copy of itself.
It checks the system time and proceeds with the generation of random domain names if the year is 2009 or later and the month is January or later. It connects to certain URLs to get the current date. If the malware cannot get the date from any of the above-mentioned Web sites, it uses the infected computer's date.
Based on the dates, it then computes strings to generate URLs. After computing, it then appends any of the following strings to the computed URLs:
.biz
.cc
.cn
.com
.info
.net
.org
.ws
It generates a set of URLs containing 250 random sites per day based on the UTC time standard. For example, if the computed string is abcdef, the worm then appends either .biz, .info, .org, .net, or .com to the string, so the resulting URL may be abcdef.biz, abcdef.info, abcdef.org, abcdef.net, or abcdef.com.
This worm also checks if any of the Web sites generated is active. It then creates another thread to download and execute files. This routine also converts the hostname to an IP address, which it uses as a parameter in the next thread.
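Because most of the 250 daily candidate names are never registered, the "check if any of the Web sites generated is active" step leaves a distinctive trace in resolver logs: one client receiving NXDOMAIN for many distinct, random-looking names under the TLDs listed above. The Python below is an added example written for this page (not code from the writeup) that applies that observation. The log line format, the client addresses and the 30-name sample set are constructed for the example; the generated labels are random letters with a fixed seed and are not the worm's real algorithm or real domains.

```python
import random
import re
import string
from collections import defaultdict
from typing import Dict, List, Tuple

# TLDs the writeup lists as the suffixes appended to the generated names.
WORM_TLDS = {"biz", "cc", "cn", "com", "info", "net", "org", "ws"}

# Assumed resolver-log line format for this example (not a real product format):
#   <ISO-8601 timestamp> <client IP> <queried name> <response code>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")


def build_sample_log() -> str:
    """Constructed resolver log, not a real capture.

    10.10.10.2 does ordinary lookups with one typo; 10.10.10.1 plays the
    infected host probing 30 dead candidate names from one day's set (the real
    worm tries up to 250). Labels come from a fixed-seed RNG so the output is
    reproducible, and bear no relation to the worm's actual generator.
    """
    rng = random.Random(20090115)
    lines: List[str] = []
    benign = [("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"),
              ("wwww.example.com", "NXDOMAIN")]
    for i, (name, rcode) in enumerate(benign):
        lines.append(f"2009-01-15T12:00:{i:02d}Z 10.10.10.2 {name} {rcode}")
    tlds = sorted(WORM_TLDS)
    names = set()
    while len(names) < 30:
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(5, 11)))
        names.add(f"{label}.{tlds[len(names) % len(tlds)]}")
    for i, name in enumerate(sorted(names)):
        lines.append(f"2009-01-15T12:01:{i:02d}Z 10.10.10.1 {name} NXDOMAIN")
    return "\n".join(lines)


def parse_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def nxdomain_hosts(records, threshold: int = 20) -> Dict[str, int]:
    """Clients with at least `threshold` distinct NXDOMAIN answers for names
    under the worm's TLD set.

    Distinct names are what matter: one mistyped host retried many times is
    not a generator walking through its candidate list.
    """
    failed: Dict[str, set] = defaultdict(set)
    for _ts, client, qname, rcode in records:
        labels = qname.rstrip(".").lower().split(".")
        if rcode != "NXDOMAIN" or len(labels) < 2 or labels[-1] not in WORM_TLDS:
            continue
        failed[client].add(".".join(labels))
    return {client: len(names) for client, names in failed.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, count in nxdomain_hosts(parse_dns_log(build_sample_log())).items():
        print(f"{client}: {count} distinct dead domains, consistent with a domain generator")
```

Restricting the count to the eight TLDs the worm uses keeps ordinary typo traffic out of the tally; on a real resolver the threshold should be set from a few days of baseline, since a legitimate host rarely accumulates more than a handful of distinct NXDOMAIN names in a day.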
Other Details
This worm hooks the following APIs to filter out a list of antivirus-related sites when they are accessed on the Internet:
DnsQuery_A
DnsQuery_UTF8
Query_Main
When users attempt to access antivirus-related sites, it returns a reply informing the user that the server is down. It blocks access to Web sites that contain any of the following strings, which are mostly related to antivirus programs:
ahnlab
arcabit
avast
……
symantec
trendmicro
windowsupdate
Affected Platforms
This worm runs on Windows 2000, XP, Server 2003, Vista 32-bit, and Vista 64-bit.
=======================================
Antivirus Solution Link
Symantec antivirus solution
Trend Micro antivirus solution
Personal Notes
Looking at some of the viruses that have been widespread over the past two years, we can see the trends in today's prevalent malware:
registering as deceptively named system services,
automatically downloading updates from remote servers,
embedding themselves in web pages via IFRAMEs,
exploiting system vulnerabilities to carry out "zero-day" attacks,
spreading through the Autoplay feature of removable storage devices,
and even using dictionary attacks to crack low-complexity passwords and gain privileges,
and of course the traditional tricks: modifying the registry and so on... that is already very common...
In response to these trends, our day-to-day antivirus work needs to cover:
management of host login accounts (password complexity, privilege management, LAN file-share management)
management of system patch installation (if there are relatively many computers, consider setting up a WSUS Server)
management of removable storage devices (disable USB ports or use asset-management software to disable USB storage, and disable Autoplay)
management of antivirus software (antivirus component updates, signature database updates, firewall management)
raising company staff's antivirus awareness (this is not the work of a single day; it takes gradual, subtle influence, and is still very hard to achieve)
antivirus management at the Internet entry point (gateway antivirus management, deploying dedicated gateway antivirus appliances such as IWSA and IGSA)
Antivirus protection is about doing the routine work well and nipping problems in the bud;
otherwise, when a real outbreak hits, it is sheer chaos,
and after half killing yourself to bring it under control, you still have to find a way to produce a nice-looking Report that explains things to management as favorably as possible. Sigh...