Monday, September 28, 2009

Computer Viruses (Melissa, Code Red Virus, & Conficker Worm)

  1. Melissa Virus or Melissa Worm

  • Melissa, also known as "Mailissa", "Simpsons", "Kwyjibo", or "Kwejeebo", is a mass-mailing macro virus. As it is not a standalone program, it is not in fact a worm.
  • First found on March 26, 1999, Melissa shut down Internet mail systems that got clogged with infected e-mails propagating from the virus.
  • It was not originally designed for harm, but it overloaded servers and caused unplanned problems.
  • It was first distributed in the Usenet discussion group alt.sex.
  • It was inside a file called "List.DOC", which contained passwords that allow access into 80 pornographic websites.
  • Its original form was sent via e-mail to many people.

CREATED BY OR MADE BY:

Virus specifications

  • Melissa can spread on the word processors Microsoft Word 97 and Word 2000 and also Microsoft Excel 97, 2000 and 2003.
  • It can mass-mail itself from the e-mail client Microsoft Outlook 97 or Outlook 98.
  • If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, then the macro in the document runs and attempts to mass-mail itself.
  • When the macro mass-mails, it collects the first 50 entries from the alias list or address book and sends itself to the e-mail addresses in those entries.
  1. Melissa.U
  • This variant also deletes critical files. Before deleting the files, it strips them of their archive, hidden, and read-only attributes. The files are:
    C:\Command.com
    C:\IO.SYS
    C:\Ntdetect.com
    C:\Suhdlog.dat
    D:\Command.com
    D:\Io.sys
    D:\Suhdlog.dat
  2. Melissa.V
  • This is another variant of the original Melissa macro virus, and is akin to Melissa.U.
  • It uses Microsoft Outlook, and tries to send itself to the first 40 addresses in Outlook's address book.
  • The subject line of the infected e-mail sent out is "My Pictures" followed, in parentheses, by the name to which the sender's copy of Microsoft Word is registered.
  • There is also a variant of the virus named Melissa.V/E which is known to seek out and destroy Microsoft Excel documents, randomly deleting sets of data from files or, at worst, making them completely useless by applying a set of malicious macro code. To simplify the code, the author has encrypted only a vectorial search pattern in it, so the virus can only delete linear sets of data, usually random rows or columns in a table. It also has a search parameter that makes it go only for unique sets of data, known to cause more damage.
  • A later edit of this variant makes backup copies of the destroyed files and asks for a ransom of $100 to be transferred into an offshore account in return for the files. The account has been traced back to the owner. Due to a malfunction in the code, in less than 1% of cases the code still makes copies.
  • This virus was rendered obsolete when it was discovered that it leaves visible traces in the Windows Registry, providing enough data to ensure its destruction and the retrieval of stolen data.
  • A special version of this variant also modifies the backed-up data, fooling the user even more.
  • It searches for numeric data inside the files and then, with the help of a random number generator, slightly modifies the data, not visibly, but enough to make it useless.
  • There is no body to the e-mail, but there is an infected document attached. If this is opened, the payload is triggered immediately.
  • It tries to delete data from the following (local or network) drives: F:, H:, I:, L:, M:, N:, O:, P:, Q:, S:, X:, and Z:.
  • Once complete, it beeps three times and then shows a message box with the text: "Hint: Get Norton 2000 not McAfee 4.02".

3. Melissa.W

  • This is the same as Melissa.A.

4. Melissa.AO

  • This is what the e-mails from this version contain:

    Subject: Extremely URGENT: To All E-Mail User
    Attachment:
    Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.

  • Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month. The payload consists of the virus inserting the following string into the document: "Worm! Let's We Enjoy."

2. Code Red (computer worm)

  • Code Red was a computer worm observed on the Internet on July 13, 2001.
  • It attacked computers running Microsoft's IIS web server.
  • It was first discovered and researched by eEye Digital Security employees Marc Maiffret and Ryan Permeh, who named it Code Red because they were drinking Pepsi's Mountain Dew Code Red over the weekend they analyzed it, and because of the worm's references to China.
  • Specifically, the worm code contained the phrase "Hacked By Chinese!", with which the worm defaced websites.
  • Although it had been released on July 13, the largest group of infected computers was seen on July 19, 2001. On this day, the number of infected hosts reached 359,000.
  • On August 4, 2001, Code Red II appeared.

Code Red II

  • Code Red II is a variant of the original Code Red worm.
  • Although it uses the same injection vector, it has a completely different payload.
  • It pseudo-randomly chose targets on the same or different subnets as the infected machines according to a fixed probability distribution, favoring targets on its own subnet more often than not.
  • It used the pattern of repeating 'X' characters instead of 'N' characters to overflow the buffer.
  • eEye believed that the worm originated in Makati City, Philippines (the same origin as the VBS/Loveletter (aka "ILOVEYOU") worm).

How it worked

  1. Exploited vulnerability
  • The worm exploited a vulnerability in the indexing software distributed with IIS, described in MS01-033, for which a patch had been available a month earlier.
  • The worm spread itself using a common type of vulnerability known as a buffer overflow.
  • It did this by using a long string of the repeated character 'N' to overflow a buffer, allowing the worm to execute arbitrary code and infect the machine.

2. Worm payload

The payload of the worm included:

  1. defacing the affected web site to display:
     HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
     (The last sentence became a meme to indicate an online defeat.)
  2. trying to spread itself by looking for more IIS servers on the Internet.
  3. waiting 20–27 days after it was installed to launch denial of service attacks on several fixed IP addresses. The IP address of the White House web server was among those.

When scanning for vulnerable machines, the worm did not test to see if the server running on a remote machine was running a vulnerable version of IIS, or even to see if it were running IIS at all.

Apache access logs from this time frequently had entries such as this one (shown here on a single line):

    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
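As an added example (not part of the original post), the following Python script scans Apache common-log lines for Code Red style probes: a request for /default.ida whose query string is a long run of 'N' (Code Red) or 'X' (Code Red II) followed by %u-encoded bytes. The log format is Apache's common log format; the sample lines are constructed, with the 224-character filler kept but the shellcode tail shortened.

```python
import re
from collections import Counter

# Apache common log format:
# client ident user [timestamp] "METHOD PATH PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Code Red overflows the buffer with a run of 'N'; Code Red II uses 'X'.
# Both carry %u-encoded shellcode after the filler. A real probe uses 224
# filler characters; 100 is a conservative lower bound for matching.
CODERED_RE = re.compile(
    r'^/default\.ida\?(?P<fill>N{100,}|X{100,})%u[0-9a-fA-F]{4}'
)
VARIANT_BY_FILL = {"N": "Code Red", "X": "Code Red II"}

def classify_request(path):
    """Return the worm variant name if the request path is a Code Red probe, else None."""
    m = CODERED_RE.match(path)
    return VARIANT_BY_FILL[m.group("fill")[0]] if m else None

def scan_log(text):
    """Return [(client_ip, variant), ...] for every probe found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in common log format, skip rather than guess
        variant = classify_request(m.group("path"))
        if variant:
            hits.append((m.group("ip"), variant))
    return hits

def summarize(text):
    """Count probes per variant, the first thing an operator wants from a busy log."""
    return Counter(variant for _, variant in scan_log(text))

# Constructed sample log (not real traffic): one Code Red probe, one Code Red II
# probe, one ordinary request and one short /default.ida hit that must not match.
SAMPLE_LOG = (
    '10.0.0.5 - - [19/Jul/2001:13:02:11 +0000] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 276\n'
    '10.0.0.9 - - [04/Aug/2001:09:15:42 +0000] "GET /default.ida?' + "X" * 224
    + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 276\n'
    '10.0.0.7 - - [19/Jul/2001:13:03:00 +0000] "GET /index.html HTTP/1.0" 200 1024\n'
    '10.0.0.8 - - [19/Jul/2001:13:04:00 +0000] "GET /default.ida?NNN HTTP/1.0" 404 276\n'
)

if __name__ == "__main__":
    for ip, variant in scan_log(SAMPLE_LOG):
        print(f"{ip} probed with {variant}")
    print(dict(summarize(SAMPLE_LOG)))
```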

3. Conficker worm

  • Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008.
  • It uses a combination of advanced malware techniques which has made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
  • The name Conficker is thought to be a portmanteau of the English term "configure" and the German word Ficker, which means "fucker."
  • Microsoft analyst Joshua Phillips described the name as a rearrangement of portions of the domain name trafficconverter.biz, which was used by early versions of Conficker to download updates.
  • The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta.
  • While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009.
  • Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009.
  • A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares.
  • These were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million.
  • Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker. Recent estimates of the number of infected computers have been notably more difficult because of changes in the propagation and update strategy of recent variants of the worm.
  • It is spreading through networks at alarming rates.
  • Its weapon is exploiting a vulnerability called MS08-067 in Windows 2000, XP, and Server 2003.
  • It spreads via the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

Operation

  • Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the worm's combined use of so many has made it unusually difficult to eradicate.
  • The worm's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities.
  • Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.

Initial infection

  • Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer.
  • On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe.
  • Variants B and later may attach instead to a running services.exe or Windows Explorer process.
  • Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
  • Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.
  • To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.

Payload propagation

  • The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the worm to update itself to newer variants, and to install additional malware.
  • Variant A generates a list of 250 domain names every day across five TLDs.
  • The domain names are generated from a pseudo-random number generator seeded with the current date to ensure that every copy of the worm generates the same names each day. The worm then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
  • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
  • To counter the worm's use of pseudorandom domain names, the Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains.
  • Variant D counters this by generating daily a pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics.
  • This new pull mechanism (which was disabled until April 1) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the worm's peer-to-peer network.
  • The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial of service attack (DDoS) on sites serving those domains.
  • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
  • Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability.
  • Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
  • Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the worm is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads.
  • To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.
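As an added example (not from the original post, and not Conficker's actual domain generator), the following Python heuristic applies the details above to a resolver log: a host that, in one day, looks up many short (4 to 9 character) second-level names spread across many TLDs and gets NXDOMAIN for them is flagged as a likely DGA client. The log format, the constructed sample and the thresholds are assumptions for this example.

```python
from collections import defaultdict

# Assumed resolver log format (constructed for this example, not real data):
# "<date> <client_ip> <query_name> <rcode>", one query per line.
SAMPLE_DNS_LOG = """\
2009-04-01 10.1.1.20 qwtxvk.info NXDOMAIN
2009-04-01 10.1.1.20 ahhsl.ws NXDOMAIN
2009-04-01 10.1.1.20 yvmgzo.cc NXDOMAIN
2009-04-01 10.1.1.20 plqvd.ru NXDOMAIN
2009-04-01 10.1.1.20 xmnvt.biz NXDOMAIN
2009-04-01 10.1.1.20 bwuqeg.pl NXDOMAIN
2009-04-01 10.1.1.20 update.microsoft.com NOERROR
2009-04-01 10.1.1.31 www.example.com NOERROR
2009-04-01 10.1.1.31 mail.example.com NOERROR
2009-04-01 10.1.1.31 nosuchhost.example.com NXDOMAIN
"""

def split_domain(qname):
    """Return (second_level_label, tld) for a query name, or (None, None) if it has no TLD.
    Assumes single-label TLDs; multi-part public suffixes such as co.uk are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, None
    return labels[-2], labels[-1]

def is_dga_like(sld):
    """Variant D's generated names were 4-9 characters long; use that as the length test."""
    return sld is not None and 4 <= len(sld) <= 9

def flag_dga_clients(log_text, min_lookups=5, min_tlds=4):
    """Return [(date, client, short_nxdomain_count, distinct_tld_count)] for clients over both thresholds."""
    stats = defaultdict(lambda: [0, set()])  # (date, client) -> [count, tlds]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line, ignore
        date, client, qname, rcode = parts
        if rcode != "NXDOMAIN":
            continue  # only failed lookups feed the heuristic
        sld, tld = split_domain(qname)
        if not is_dga_like(sld):
            continue
        entry = stats[(date, client)]
        entry[0] += 1
        entry[1].add(tld)
    flagged = []
    for (date, client), (count, tlds) in sorted(stats.items()):
        if count >= min_lookups and len(tlds) >= min_tlds:
            flagged.append((date, client, count, len(tlds)))
    return flagged

if __name__ == "__main__":
    for date, client, count, ntld in flag_dga_clients(SAMPLE_DNS_LOG):
        print(f"{date} {client}: {count} failed short-name lookups across {ntld} TLDs")
```

On a real resolver log the thresholds must be raised well above the toy values here, since the post's figures (500 attempts per day across 110 TLDs for variant D) leave a wide margin over ordinary typo traffic.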

Once this virus infects a computer it does a number of things including:

  • Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
  • Deletes the user's Restore Points.
  • Registers a service called Netsvcs.
  • Creates scheduled tasks that execute all of the DLL files.
  • Creates its own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
  • Creates an Autorun.inf file in file shares to execute the worm files once the share is accessed by another computer.
  • Connects to external sites to download additional files.

Symptoms

  1. Account lockout policies being reset automatically.
  2. Domain controllers responding slowly to client requests.
  3. Congestion on local area networks (ARP flood as consequence of network scan).
  4. Web sites related to antivirus software or the Windows Update service becoming inaccessible.
  5. User accounts locked out.

Response

Armoring

  • To prevent payloads from being hijacked, variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key.
  • The hash is then RSA-signed with a 1024-bit private key.
  • The payload is unpacked and executed only if its signature verifies with a public key embedded in the worm.
  • Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.

Self-defense

End action

  • Variant E of the worm was the first to use its base of infected computers for an ulterior purpose.
  • It downloads and installs, from a web server hosted in Ukraine, two additional payloads:
  1. Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.
  2. SpyProtect 2009, a scareware anti-virus product.

Removal and detection

  • Microsoft has released a removal guide for the worm, and recommends using the current release of its Windows Malicious Software Removal Tool to remove the worm, then applying the patch to prevent re-infection.

Third-parties

Automated remote detection

  • On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.
  • The peer-to-peer command protocol used by variants D and E of the worm has since been partially reverse-engineered, allowing researchers to imitate the worm network's command packets and positively identify infected computers en masse.
  • Signature updates for a number of network scanning applications are now available, including Nmap and Nessus.
  • It can also be detected passively by sniffing the broadcast domain for repeating ARP requests.
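As an added example (not from the original post or from any of the scanners named above), the following Python code applies that passive check to a constructed ARP request capture: a host that asks "who-has" for many distinct addresses within a short window is behaving like a network scanner, which is how an infected machine sweeping its subnet looks on the local broadcast domain. The capture format, window and threshold are assumptions.

```python
from collections import defaultdict

def parse_arp(text):
    """Parse lines of "<epoch_seconds> <sender_ip> <target_ip>" (one ARP request each)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, target = line.split()
        events.append((float(ts), sender, target))
    return events

def find_arp_scanners(events, window=60.0, min_targets=20):
    """Return {sender: most distinct targets requested in any `window`-second span}
    for senders that reach `min_targets`; a normal host repeats a few targets, a scanner sweeps many."""
    by_sender = defaultdict(list)
    for ts, sender, target in events:
        by_sender[sender].append((ts, target))
    flagged = {}
    for sender, reqs in by_sender.items():
        reqs.sort()
        best = 0
        # slide a window starting at each request and count the distinct targets inside it
        for i, (start, _) in enumerate(reqs):
            targets = {tgt for ts, tgt in reqs[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[sender] = best
    return flagged

# Constructed capture (not real traffic): 192.168.1.50 sweeps 30 addresses in
# under a second, while 192.168.1.10 asks for its gateway twice in a minute.
SAMPLE_ARP = "\n".join(
    [f"1238580000.{i:02d} 192.168.1.50 192.168.1.{i + 1}" for i in range(30)]
    + ["1238580001.00 192.168.1.10 192.168.1.1",
       "1238580045.00 192.168.1.10 192.168.1.1"]
)

if __name__ == "__main__":
    for sender, n in find_arp_scanners(parse_arp(SAMPLE_ARP)).items():
        print(f"{sender} requested {n} distinct targets within 60 s: likely scanning")
```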

The response of US-CERT

  • The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media.
  • Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively.
  • US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.

From that time on.....

  • The ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator.
  • Those which have taken action include:
  1. On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.
  2. On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the worm over the next 12 months.
  3. On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group.
  4. On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."
  5. On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the worm over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.
  6. On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the worm.
  • By mid-April all domain names generated by the Conficker.A variant had been successfully blocked, rendering its update mechanism ineffective.
