April 8, 2009 3:27 PM PDT

Conficker wakes up, updates via P2P, drops payload

by Elinor Mills

This story has been updated. See below for details.

The Conficker worm is finally doing something--updating itself over peer-to-peer connections between infected computers and dropping a mystery payload on those machines, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself on the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites. To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.

For more information, listen to Larry Magid's audio interview with Perry.

Updated 7:50 p.m. PDT: Added that the software that's dropped onto computers is hiding behind a rootkit.

March 6, 2009 11:00 AM PST

Can peer-to-peer coexist with network security?

by Elinor Mills

Security experts have long cautioned about the risk posed by the use of peer-to-peer file sharing by individuals working in corporations, warning that the practice creates holes that let malware in and sensitive data out.

Their message may be having an impact in the P2P development community.

A trade group representing peer-to-peer file sharing providers next week will publish a report that finds P2P software companies are modifying their programs in an effort to make it harder for users to inadvertently share sensitive information.

For corporate IT administrators, that shift can't come soon enough. The problem was highlighted by the recent news that avionics blueprints of President Obama's helicopter had leaked through a peer-to-peer network used by a defense contractor to an IP (Internet Protocol) address in Iran.

This isn't the first time sensitive data has trickled out via popular file sharing networks. Last summer, personal information of some 1,000 former patients of the Walter Reed Army Medical Center was believed to have been leaked via a peer-to-peer network. Sensitive health care and financial data has also been found on file sharing networks, according to studies from Dartmouth College and P2P network monitoring service provider Tiversa, which also uncovered the leaked presidential helicopter data.

Peer-to-peer use at ABN Amro and Pfizer led to the exposure of personally identifiable information of more than 20,000 consumers in 2007. And then there was the symbolic slap in the face when politicians called P2P networks a potential "national security threat" at a congressional hearing that summer.

[Screenshot: how a peer-to-peer file sharing network works. Credit: Tiversa]

Employees: The weak link
The problem, experts say, is that employees are violating corporate policy by using P2P at work or on work laptops to download MP3 files, or they take the work laptop home and their children install file-sharing software on it.

Ninety-three percent of P2P disclosures in the enterprise are inadvertent, said Tiversa Brand Director Scott Harrer. "You can't really guard against human error," he said.

The problem is compounded by the fact that the employees also tend not to be savvy enough to configure the settings so as to protect files they don't want to share from being distributed.

"The default settings tend to err on the side of being more open than more closed," Mark Loveless, a research scientist at technology non-profit Mitre, said on Thursday. This mirrors the security-versus-usability trade-off that software and Web services providers, like Microsoft and Google, often find themselves making.


If the P2P user isn't careful in establishing a shared folder for other users of the file sharing network to access, sensitive files anywhere on the computer can be exposed. For instance, a user can inadvertently open up files in the "My Documents" folder or anywhere in the entire C: drive.

"There are methods to configure the software to only share from a particular directory," said Loveless. "But you're talking about someone who has problems, in many cases, using Microsoft Word or corporate e-mail, apps they've had training on. So I would not expect them to necessarily know how to go about that and correct it."

Beyond having default settings that err on the side of openness and not security, the software is also designed to circumvent firewalls and other attempts to block it, Loveless said.

"P2P programs will use encrypted and sophisticated protocols to be able to talk to the Internet and evade (network monitoring) tools," he said. "They'll use multiple ways to try to get out on the Internet, undetected."

Historically, P2P programs used one specific TCP/IP port for their traffic, but now they can pick a random port or use port 80, which carries ordinary Web traffic, thwarting administrator attempts to block P2P traffic by closing a single port, said Sam Hopkins, the co-founder and chief technology officer at Tiversa.

The software also has tricks to get access to files behind firewalls. If a user wants something that is on a computer located behind a firewall, the system can communicate behind the scenes to get a third computer to ask the firewall-protected computer to send the file out to the requesting user, he said.

And some P2P programs can be buggy, particularly software written by young enthusiasts rather than paid professionals. Meanwhile, P2P files are being used to spread viruses and other malware to unsuspecting downloaders. For instance, a Trojan circulated on BitTorrent in January in pirated copies of iWork '09.

There is also malware that can automatically scan a computer and when it finds a media file anywhere on the system it changes the P2P software configuration to share the entire drive the media file is in, Hopkins said.

Minimizing the risk
IT administrators need to have a written policy that specifies whether or not employees are allowed to use file sharing. And they need to use perimeter security software, including firewall and intrusion detection, "to lock down the ports used by P2P or to look for specific P2P network traffic," said Tony Bradley, director of security at Evangelyze Communications, a unified communications software and service provider.
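Because modern P2P clients pick random ports or hide on port 80, Bradley's advice to "look for specific P2P network traffic" rather than a port means looking at behaviour. The following is an added example, not code from the article or from any vendor named in it: it runs over constructed flow records (host, peer, destination port, bytes each way, as a firewall or NetFlow export would provide) and flags hosts that fan out to many distinct peers and either spread across many ports or upload roughly as much as they download, which ordinary Web browsing does not. The thresholds are assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str        # internal host
    dst: str        # remote peer address
    dport: int      # destination port
    out_bytes: int  # bytes the internal host sent
    in_bytes: int   # bytes the internal host received

# Constructed sample flows (not real traffic): a browsing host, a P2P-like host
# on random high ports, and a P2P-like host that hides its traffic on port 80.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"203.0.113.{i}", 443, 2_000, 60_000) for i in range(1, 11)]
    + [Flow("10.0.0.7", f"198.51.100.{i}", 10_000 + 37 * i, 40_000, 45_000) for i in range(1, 13)]
    + [Flow("10.0.0.9", f"192.0.2.{i}", 80, 30_000, 28_000) for i in range(1, 13)]
)

PEER_THRESHOLD = 8            # distinct remote peers before a host is even considered
PORT_THRESHOLD = 5            # distinct destination ports: random-port P2P
UPLOAD_RATIO_THRESHOLD = 0.5  # peers upload about as much as they download

def summarize(flows):
    """Per internal host: distinct peers, distinct destination ports, upload ratio."""
    peers, ports = defaultdict(set), defaultdict(set)
    out_total, in_total = defaultdict(int), defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        out_total[f.src] += f.out_bytes
        in_total[f.src] += f.in_bytes
    summary = {}
    for host in peers:
        total = out_total[host] + in_total[host]
        summary[host] = {"peers": len(peers[host]), "ports": len(ports[host]),
                         "upload_ratio": out_total[host] / total if total else 0.0}
    return summary

def p2p_suspects(flows):
    """Hosts whose traffic looks like P2P. Wide fan-out is required; then either
    port diversity (random ports) or a near-symmetric byte ratio (port-80 P2P
    still uploads heavily, unlike ordinary Web browsing) raises the flag."""
    flagged = []
    for host, s in summarize(flows).items():
        if s["peers"] < PEER_THRESHOLD:
            continue
        if s["ports"] >= PORT_THRESHOLD or s["upload_ratio"] >= UPLOAD_RATIO_THRESHOLD:
            flagged.append(host)
    return sorted(flagged)
```

The browsing host talks to ten peers on one port and mostly downloads, so it passes; the two P2P-like hosts are flagged for port spread and for the upload ratio respectively, which is why the port-80 trick alone does not hide them.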

Corporations also might consider encrypting sensitive information and using data loss prevention tools to block data leakage, experts said. And if they want to see if any of their data has found its way onto a P2P network, they can hire Tiversa to probe Gnutella, eDonkey and FastTrack file-sharing networks.

Tiversa searches the networks for specific terms, notifies customers when it finds data belonging to that firm, and helps pinpoint the source of the leak and stop it.

After lawmakers accused them of being part of the problem nearly two years ago, P2P providers and their trade group--the Distributed Computing Industry Association (DCIA)--formed a working group to figure out ways to minimize the risk for P2P users and their networks. The DCIA prepared a report dated Thursday on the Inadvertent Sharing Protection Compliance that lists guidelines for better protecting P2P users and percentages of its members who are following them.

The latest version of popular file sharing software, released earlier this year, LimeWire 5, includes a number of the suggested changes and served as a "poster child for compliance," said Marty Lafferty, chief executive of the DCIA.

The report shows 100 percent compliance with the guideline that recommends that default settings prohibit the sharing of user-originated files, while 57 percent of the respondents said they were complying with the guideline to offer a simple way for the user to disable the file-sharing functionality.

Other guidelines, with compliance percentages ranging from 29 percent to 71 percent, included requiring users to select individual files within a folder to share rather than sharing the entire folder, requiring the user to take affirmative steps to share sensitive folders and preventing the sharing of a complete network or external drive or user-specific system folder, such as "Documents and Settings." Among the guidelines are requirements for warnings to the user when particular settings might jeopardize security.
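The guidelines above, together with Loveless's point that a careless user can expose "My Documents" or the entire C: drive, amount to a set of rules a client can enforce at the moment a share is configured. The check below is an added example, not code from any P2P client or from the DCIA report: it refuses a drive or network-share root, any network or removable drive, and a user-specific system folder such as "Documents and Settings", demands an explicit opt-in for sensitive folders, and notes when a whole folder rather than selected files is shared. Paths are Windows-style, and the folder names treated as system or sensitive are assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Folder names assumed for illustration; a real client would resolve the user's
# profile and document folders through the OS rather than a fixed list.
SYSTEM_FOLDERS = {"documents and settings", "users", "windows", "program files"}
SENSITIVE_FOLDERS = {"my documents", "documents", "desktop"}

def check_share(path, removable_drives=(), explicit_opt_in=False, whole_folder=True):
    """Return (allowed, notes) for a folder a user wants to share.

    Refused outright: the root of a drive or network share, any network (UNC)
    or removable drive, and a user-specific system folder (or one user's profile
    root inside it). Sensitive folders such as My Documents are refused unless
    the user took an affirmative step (explicit_opt_in). Sharing a whole folder
    rather than selected files is allowed but noted.
    """
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]   # parts[0] is the drive/share anchor
    notes, allowed = [], True
    if len(parts) <= 1:
        notes.append("refused: entire drive or network share")
        allowed = False
    if p.anchor.startswith("\\\\"):
        notes.append("refused: network drive")
        allowed = False
    if p.drive.upper() in {d.upper() for d in removable_drives}:
        notes.append("refused: external or removable drive")
        allowed = False
    if len(parts) >= 2 and parts[1] in SYSTEM_FOLDERS and len(parts) <= 3:
        notes.append("refused: user-specific system folder")
        allowed = False
    if any(s in SENSITIVE_FOLDERS for s in parts[1:]):
        if explicit_opt_in:
            notes.append("sensitive folder shared after explicit opt-in")
        else:
            notes.append("refused: sensitive folder needs an affirmative opt-in")
            allowed = False
    if allowed and whole_folder:
        notes.append("warning: select individual files rather than the whole folder")
    return allowed, notes
```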

"We were concerned about user error in earlier versions of file sharing software where it was easier for users to make those mistakes," Hopkins said. "But a lot has been done to close those loopholes for the new versions."

November 21, 2008 6:04 AM PST

'High School Musical'-themed malware hits the Net

by Robert Vamosi


Teens and young adults interested in downloading High School Musical-related music and video on peer-to-peer networks should be wary of malware, warns Panda Security.

While this may be obvious to older computer users, younger users may not yet have experience with the social engineering used by malware writers, the security vendor said Friday in a press release.

Social engineering is not new, of course, and those who use it are constantly trying new ways to hook people in. The day after the U.S. presidential election, for example, there was a wave of Barack Obama-related video links that attempted to download malware as well.

If a person opens a High School Musical-themed video or song from any peer-to-peer network such as eMule or eDonkey, his or her computer may be infected by VB.ADQ, the Agent.KGR Trojan, the adware Koolbar, or another strain of malicious code.

Panda recommends being cautious when downloading files. In particular, notice the file extension. Many of the malicious files have the extension ".exe," but that is rarely the case with a legitimate music or video file.
