March 31, 2009

ADVISORY: April 1 Worm

Names
April 1 Virus (common name)
Net-Worm.Win32.Kido
Worm:W32/Downadup.gen (F-Secure)
Worm:Win32/Conficker (Microsoft)
Mal/Conficker (Sophos)
W32/Conficker.worm.gen (Symantec)

Classification
Malware - Worm

Distribution Methods
Shared media
Windows browser vulnerability MS08-067
Wireless hotspots

Effects
Timed virus with remote update capability
Most effects unknown

Description


Conficker, commonly referred to as the April 1 virus by the media, is a worm targeting computers running Windows XP and Vista. Symantec estimates that the worm has infected over one million PCs. It has been reported as difficult to detect because it does not noticeably affect the infected computer. The worm is programmed to "harden" itself on April 1: securing itself on infected computers, disabling Windows updates and possibly anti-virus software updates, and downloading patches that make removal more difficult.

Warning


Variants of this worm have been confirmed to disable or prevent the execution of antivirus installation utilities.

Prevention


The vulnerability which enables infection from this worm has been patched by Microsoft. A strong software firewall, an up-to-date installation of anti-virus software and updated operating system should prevent infection from this worm.

Resources


If you have been infected by this worm, or would like additional information about this worm, please see the following references.

Update: Source Analysis


I have been reading up on some of the analysis of the Conficker.C source code, such as the review posted here. Together with the information provided at the Microsoft link above, I am getting a picture of some of the defensive capabilities of the software, and some of the things that may happen on April 1, when the software begins dialing out for updates. According to the analysis, the worm uses the Windows Operating System's internal mechanisms just as a browser would to resolve domain names and connect to external patch servers. However, the virus generates a list of 50,000 domain names to hide the actual location of the software creators' site. This tells me two things. One, there may be network slowdowns on April 1 from the large amount of traffic, especially DNS lookups, and two, it should be possible for software firewalls to easily identify an unrecognized application accessing the operating system methods for DNS and network connections. If that is the case, users will likely have warnings and the ability to prevent the virus from dialing home if they have a properly configured software firewall on the infected computer.

Update: Fake Patches


It has been reported that some computers infected with the Conficker.C worm have been patched to close the vulnerability that allowed the initial infection, by the worm itself. It is theorized that this serves two goals: it prevents detection of the worm while it is dormant, and it prevents the system from being infected by other viruses and malware that could interfere with its operation.

Many sites are advising that the easiest test to confirm infection is to attempt to visit www.mcafee.com, as the virus runs processes intended to prevent access to that site, and sites from several other anti-virus companies.

Update: Much ado about nothing


As I predicted above, April 1 was pretty quiet, with no major disruptions resulting from this virus.

March 30, 2009

Configuring Your Server for IE 8

Originally posted on Web Pro World.

Microsoft Internet Explorer 8 is designed to be more standards-compliant than previous versions. As a result, certain hacks in web sites can cause those sites to display incorrectly in Internet Explorer 8. This can be addressed by forcing the browser to render your site in what is called "compatibility mode". The following instructions detail how to enable compatibility mode site-wide if your site is hosted on an Apache server.

Setting Compatibility Mode for all visitors on Apache


Enabling compatibility mode on an Apache server requires the ability to create and edit .htaccess files, and mod_headers must be installed on the server. Most shared and dedicated hosting plans should allow this.

Simply add the following line to your .htaccess file:
Header set X-UA-Compatible "IE=EmulateIE7"


Setting Compatibility Mode for everyone but the webmaster


If you will be testing your site, and want your own browser to work without compatibility mode, you can specify certain IP addresses that will not be shown the header.

First, create a list of IP addresses that should not have compatibility mode. Add the following line to the .htaccess file, changing 1.2.3.4 to the appropriate address. Each IP address requires a separate line.
SetEnvIf Remote_Addr 1.2.3.4 webmaster


This sets the environment variable "webmaster" for each specified IP address. Now add the compatibility header, telling Apache to send it only when the visitor has not been given the "webmaster" variable. This is done by adding the following line to the .htaccess file, after the lines you added above.
Header set X-UA-Compatible "IE=EmulateIE7" env=!webmaster


Everyone not coming from the specified IP address(es) will be put in compatibility mode by default. Those visiting the site from the specified address(es) can still turn compatibility mode on in the browser if they want, but it will be off by default.
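The complete .htaccess for this setup, as an added example that is not from the original post, with one caveat the post's line glosses over: SetEnvIf takes a regular expression, so an unanchored 1.2.3.4 with unescaped dots also matches addresses such as 1.2.3.45 or 11.2.3.4. The two addresses used here are assumed placeholders.

```apache
# Added example: site-wide IE8 compatibility mode with a webmaster exemption.
# 192.0.2.10 and 192.0.2.11 are assumed placeholder addresses; replace them.

# SetEnvIf matches a regular expression, so anchor it and escape the dots;
# an unanchored "1.2.3.4" would also match 1.2.3.45 or 11.2.3.4.
<IfModule mod_setenvif.c>
    SetEnvIf Remote_Addr "^192\.0\.2\.10$" webmaster
    SetEnvIf Remote_Addr "^192\.0\.2\.11$" webmaster
</IfModule>

# Only emit the header when mod_headers is loaded: an unknown Header
# directive in .htaccess makes Apache answer every request with a 500 error.
<IfModule mod_headers.c>
    Header set X-UA-Compatible "IE=EmulateIE7" env=!webmaster
</IfModule>
```

If mod_setenvif is not loaded, no visitor gets the "webmaster" variable and the header is simply sent to everyone.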

Setting Compatibility Mode on IIS 7


If you have administrative access to your IIS server, you can add new headers by following the instructions here: IIS 7.0: Add a Custom HTTP Response Header

The name you need to specify is "X-UA-Compatible" and the value is "IE=EmulateIE7" (without the quotes).

Setting Compatibility Mode on other platforms


If you cannot use the above methods for any reason, you can enable compatibility mode on each page by adding the following meta tag:
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

March 23, 2009

Securing a Linux Workstation

There seems to be an attitude that if you want a secure computer, all you need to do is install Linux (or MacOS, which is based on Linux) and you are all set, as secure as can be. This is not entirely accurate. It is true that there are fewer viruses circulating that target Linux systems. However, this is because Linux workstations account for a small percentage of the operating system landscape. The viruses and malware that do target Linux systems can be extremely devastating and difficult or impossible to recover from without significant loss of data (possibly requiring a reformat of the computer).

Many people believe that in order to secure a Linux system, all you need to do is keep the installed applications patched and out of the root userspace, and configure the built-in firewall, and then you are good to go. This may be sufficient for some low-security web server situations. However, on a workstation these steps are inadequate at best. Even servers that deal with a high volume of untrusted content (such as an FTP, SMTP, peer-to-peer or even chat server) should take additional precautions.

The first step is to install a strong antivirus application. Although there are fewer known viruses that affect Linux in circulation, there are more known Linux viruses in existence - most hackers got their start on Linux systems. And as viruses become more adaptable and the operating system landscape more varied, there will be more potential for cross-platform infections. There is already malware in circulation that specifically targets Linux systems for use in botnets, and the last line of defense is anti-virus software.

The next step is to install a strong two-way firewall. On a production workstation, the firewall built into Linux is insufficient. Although the firewall will prevent incoming connections, it does nothing to monitor outgoing traffic. This is an important step in detecting and preventing backdoor attacks.

Next, it is essential to make sure that only software and services that you will actually be using have been installed on the system. This requires going through the services list on Linux and removing anything you will not be using. Most Linux installers have gotten better at not installing extraneous packages. However, some installers still install Apache on workstations, or FTP servers on home PCs. If you won't be using it, it shouldn't be on your computer.

Finally, make sure you have enabled the automatic patch system that is part of your Linux distro. This utility will run in the background and alert you to important patches for your operating system and much of your software. These patches range from security updates to performance and stability fixes. Expect to be applying patches 1-2 times a month. With the background updater, many patches may be applied without you needing to take any action at all. Be aware, however, that the background patch utility may not handle all of the applications on your system. You may need to manually update other programs.

March 16, 2009

Hiding Server Version Information

The less information an attacker has about a system, the more work that attacker has to do to find possible exploits, and the more chances Intrusion Detection Systems, firewalls and administrators have to detect the attack and stop it.

Given the version numbers of the services running on a Web server, an attacker has an advantage: the attacker can simply look up known vulnerabilities for that software and attack them immediately, without tipping off defensive systems with unsuccessful attempts. If the version numbers are hidden, the attacker has to guess and try a variety of attacks, any of which might trigger the defensive systems running on the server. The following steps will allow webmasters to remove certain identifying information from Linux-based servers. Some of these steps may not work on shared web hosts.

How the Information is Found


Before we go into hiding the information, it may be helpful to briefly discuss how an attacker finds the information in question. When a file is requested from a web server, the server attaches information about the document, called "headers", to the file. These headers contain information about the server software and the communication protocols involved in transmitting the document. This information is hidden from most web users, but can be viewed using various browser plugins, such as Live HTTP Headers for Firefox. The following are some sample headers that a web site might send when serving a page to a user:

1. HTTP/1.1 200 OK
2. Date: Tue, 24 Mar 2009 14:44:38 GMT
3. Server: Apache/2.0.55 (FreeBSD) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8a
4. X-Powered-By: PHP/5.1.2
5. Expires: Thu, 19 Nov 1981 08:52:00 GMT
6. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
7. Pragma: no-cache
8. Connection: close
9. Transfer-Encoding: chunked
10. Content-Type: text/html; charset=ISO-8859-1
11. Content-Language: en-us

The important lines are 3 and 4, which contain the server and PHP version numbers. These give a potential attacker information about the Apache server, PHP engine and operating system.

Hiding the Information


The first step is to hide the Operating System information and Apache version numbers. This is very easy to do, and only requires the addition of a single line to the server configuration file or .htaccess file:
ServerTokens Prod

That simple line will change line 3 above into the following:
3. Server: Apache

That's it.

The next step is to hide the information about PHP. That is slightly more difficult. The following line in the server configuration file or .htaccess file will remove line 4 in the above example completely:
Header unset X-Powered-By

Using this directive requires that the mod_headers module be installed and enabled in Apache. On most systems the module will be available.

Of course, if you really wanted to get tricky, you could add some fun headers as well.

Header set X-AspNet-Version "2.0.50727"
Header set X-Powered-By "ASP.NET"

This would make the server look to an attacker as though it were running ASP on a Linux system (which is not very likely).
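The steps above combined into one server-side configuration, as an added example that is not from the original post. One caveat: Apache only honours ServerTokens in the main server configuration (server config context), so placing it in .htaccess has no effect, whereas Header unset works in either place. ServerSignature and the php.ini expose_php setting are additions not mentioned in the post.

```apache
# Added example: trim version disclosure in the main server configuration
# (httpd.conf / apache2.conf), not in .htaccess.

# Reduces "Server: Apache/2.0.55 (FreeBSD) PHP/5.1.2 ..." to "Server: Apache".
# ServerTokens is only accepted in the main server configuration.
ServerTokens Prod

# Also drops the version footer from Apache-generated error and index pages.
ServerSignature Off

<IfModule mod_headers.c>
    # Removes the "X-Powered-By: PHP/5.1.2" line shown as line 4 in the sample.
    Header unset X-Powered-By

    # Optional decoy headers, as described in the post. Only worthwhile if
    # every other response detail (error pages, cookies) tells the same story.
    # Header set X-Powered-By "ASP.NET"
    # Header set X-AspNet-Version "2.0.50727"
</IfModule>

# Closer to the source: "expose_php = Off" in php.ini stops PHP from adding
# X-Powered-By at all, so the header never needs to be stripped.
```

After restarting Apache, confirm the result with a HEAD request such as `curl -I http://yourhost/` and check that the Server line reads just "Apache" and that X-Powered-By is absent.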

March 9, 2009

Create a Secure Virtual Computer

There are many reasons you may want to create a secure, isolated test environment. You may need a place to check suspicious web sites and e-mails for viruses. You may need an isolated environment for forensic analysis of compromised hard drives. Or you might simply want a computer with all the default settings and software for testing web sites or applications without any development tools, addons, or other customizations affecting how the system works.
In these situations, the ideal solution is often the use of a virtual computer. This has several advantages over buying a dedicated computer for testing.
Advantages of Virtual Computers
  • If the Operating System is compromised, the virtual computer can be reset with the flip of a switch.
  • Because the virtual computer operates in a sandbox, the risk to your main system is limited.
  • The virtual environment can be closer to a default installation, without any settings changes or background applications that you may have on your system affecting your tests.
Links
Download Microsoft Virtual PC
Download the Windows XP Test Image

March 2, 2009

Why Do People Hack?

A question I see asked frequently after a site is hacked is "why?" Why was this site targeted, why are sites in general hacked, what are the hacker's motivations? In my experience, people who attack web sites and servers tend to fall into three distinct groups.

For Profit


The first group compromises systems for profit. Their goal may be to steal information and ransom it back to the site owner, or to sell the information to other parties. They may instead use the mail systems on a compromised server to send spam, or as part of a network of compromised computers to spread malware. This is the most dangerous group because their activities have a financial cost to the owners of the compromised system, and attacks can often go undetected until it is too late.

For Recognition


The second group of attackers are the ones who compromise sites to gain recognition with other hackers. Their attacks are more obvious than those of for-profit attackers, because they want their attacks to be noticed. This is the group that defaces web sites, and frequently shares pirated software and media, which can also be used to build a reputation.

For Knowledge


The final group of attackers is the group that explores systems for the purpose of gaining knowledge and expanding their skills. Some find avenues to pursue this as a hobby, either compromising sites to test their security with the permission of the site owner, or analyzing how different applications work and how they might be abused. This is the group that finds and reports many of the vulnerabilities that lead to patches and help keep information secure.