WORM_DOWNAD.AD:应该是我见过最智能的病毒之一了...

WORM_DOWNAD.AD


Arrival Details

This worm may be downloaded from remote sites by other malware. It may bedropped by other malware. It may also arrive bundled with malwarepackages as a malwarecomponent.It may also arrive via removable drives, network shares, or through avulnerability.

Installation

This worm drops the followingcopy of itself:

%System%{Random filename}.dll


It checks if the command line includes thestring RUNDLL32.EXE. If itdoes, this worm assumes it is running as a scheduled task. It theninjects itself to the legitimate processes SVCHOST.EXE and EXPLORER.EXE.

It is capableof exporting functions used by other malware. It sets the creationtime of the file similar to that of the creation time indicated inthe legitimate Windows file KERNEL32.DLL, which is alsolocated in the Windows system folder. It does this to prevent earlydetection as a newly added file on the affected system.

Upon execution, it creates arandom mutex and then elevate system privileges. It also creates asecond mutex based on the computer name of the affectedsystem.

It then checksif the operating system version of the affected system. If the wormis running on a Windows 2000 machine, it injects itself toSERVICES.EXE. If the affectedsystem has any of the following operating systems, this worminjects itself to SVCHOST.EXE:

Windows Server 2003
Windows Server 2003 R2
Windows XP


If the system is running under Windows Vista, it executes thefollowing command to disable autotuning:

netsh interface tcp setglobal autotuning=disabled

It also injects itself to the process SVCHOST.EXEto hook NetpwPathCanonicalize and avoid reinfection of an affectedsystem.

It may also drop a copy ofitself in the following folders:

%Application Data%
Default system directory
%Program Files%Internet Explorer
%Program Files%Movie Maker
%Temp%


This technique prevents it from dropping copies of itself onsystems it has already affected. It also locks its dropped copy toprevent users from reading, writing, and deleting it.

AutostartTechniques

This wormregisters itself as a system serviceto ensure its automatic execution at everysystem startup. It does this by creating thefollowing registry key(s)/entry(ies):

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices{Randomservice name}
Image Path = "%Windows%System32svchost.exe -knetsvcs""


HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices{Randomservice name}Parameters
ServiceDll = "{Malware path and file name}"

It then locks the permissionsettings of the registry.

It creates the followingregistry entry to enable its automaticexecution every system startup:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
{Random characters} = rundll32.exe {System folder}{Malware filename}.dll, {Parameters}"

Other SystemModifications

This worm modifies thefollowing registry entries to disable certainservices:

Background IntelligentTransfer Service (BITS)

Windows Error ReportingService

Windows Security CenterService

Windows Automatic UpdateService

This worm modifies the registryentry to allow simultaneous networkconnections:

Propagation viaSoftware Vulnerabilities

This worm propagates in twoways from which they are achieved by taking advantage of avulnerability discovered in certain Microsoft operating systemsthat could allow remote code execution if an affected systemreceived a specially crafted RPC request, which also contains ashellcode.


Once this specially crafted RPC request reaches its targetvulnerable system, the shellcode is decrypted, and then retrievescertain APIs capable of downloading a copy of the worm from theaffected system, which is already converted into an HTTP server.The affected system then opens a random TCP port, allowing thevulnerable machine to connect to itself using the followingURL:

http://{IP address of the affected machine}:{Random portgenerated by this worm}/{Malware file name composed of randomcharacters}


During this exploit, a high traffic on TCP port 445 is seen sincethis is the port that this worm uses.

When the copy of the worm isbeing downloaded from the affected system to the vulnerable system,the worm modifies its packet header to make itself appear as aharmless .JPEG, .BMP, .GIF, or .PNG file, when in fact, it isactually an executable file. It does this to avoid detection by thenetwork firewall or system security applications. If an unpatchedsystem continues to receive malicious packets, the said system mayeventually crash. The downloaded copy of the worm is saved as X inthe Windows system folder.

It is also capable ofpropagating over the Internet by attempting to send the exploitcode to a random Internet address. It first broadcasts the openedrandom port that serves as an HTTP server so that it is accessibleover the internet. It then gets the external IP address of thesystem to check if it has direct connection to the Internet. Thisworm does the routine to launch the exploit code over the Internetif the affected system has a direct connection to the Internet bychecking the external IP address and the configured IP address inthe ethernet or modem driver.

It attempts toconnectcertain URLs to know the IP address of theaffected computer.Once theIP address is retrieved, it scans the entire block of IP addresses.For example, if the IP address of the infected system is10.10.10.1, it scans from 10.0.0.1 up to10.255.255.255. It then checks if the said IP address isvalid and is not a local IP address. It also checks if the externalIP address is the same with the configured IP address on thesystem. Note that this worm makes the random port it uses availableonline by broadcasting the port over the Internet via a SimpleService Discovery Protocol (SSDP) request.

Propagation viaRemovable Drives

This worm drops a copy of itself in all available removable andnetwork drives.

It drops a copy of itself in{Removable Drive}RecyclerS-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%dfolder. It also drops an AUTORUN.INF file to automatically executedropped copies when the drives are accessed. the said .INF filecontains random characters inserted to avoid easydetection.It also monitorsdrive access by creating a hidden window. When this event istriggered, it does the abovementioned routine.

Propagation via NetworkShares

This worm gets informationabout the affected system's configuration. It lists all servers ofthe specified type that are visible in a domain and if found, listsdown the available users for both local and servermachine.

It first enumerates theavailable servers using NetServerEnum API. Using this information,it then uses NetUserEnum API to gather the list of user accountsthen brute forces its way to the network using a dictionary attack.


Once it gains access on the machine, it will drop a copy of itselfin the Admin$System32 directory using a randomly named file. Uponsuccessful network propagation, a scheduledtask will be created in the %Windows%Tasks folder using theNetScheduleJobAdd API to be able to execute its droppedcopy. The scheduled time of execution on the created JOBfile is retrieved from GetLocalTime API. This scheduled task fileis detected by Trend Micro as TROJ_DOWNADJOB.A.

DownloadRoutine

This worm attempts to connect to certain URLs to download afile that indicates the location of the affectedsystem。It has a payloadthat attempts to download and update copy ofitself.

It checks the system time andproceeds with the generation of random domain names if the year is2009 and above and the month is January andabove.Itconnects tocertain URLs to get the currentdate. If the malware cannotget the date from 1 of the above mentioned Web site, it will usethe infected computer's date.

Based on the dates, it thencomputes for strings to generate URLs. After computing, it thenappends any of the following strings to the computedURLs:

.biz
.cc
.cn
.com
.info
.net
.org
.ws


It generates a set of URLs containing 250 random sites per daybased on the UTC time standard. For example, if the computed stringis abcdef, the worm then appends either .biz, ,info, .org, .net, or.com to the string so the resulting URL may either be abcdef.biz,abcdef.info, abcdef.org, abcdef.net, or abcdef.com.

This worm also checks if any ofthe Web sites generated is active. It then creates another threadto download and execute files. This routine also converts thehostname to IP address, which it uses as a parameter in the nextthread.


OtherDetails

This worm hooks the followingAPIs to filter out list of antivirus-related sites when beingaccessed on the Internet:

DnsQuery_A
DnsQuery_UTF8
Query_Main
Query_Main


When users attempt to access antivirus-related sites, it returns areply informing the user that the server isdown.It blocks access toWeb sites that contains any of the following strings, which aremostly related to antivirus programs:

ahnlab
arcabit
avast
……
symantec
trendmicro
windowsupdate


Affected Platforms

This worm runs on Windows 2000,XP, Server 2003, Vista 32-bit, and Vista 64-bit.

=======================================


Antivirus SolutionLink

Symantec Antivirus解决方案

TrendMicro Antivirus解决方案

PersonalNotes

透过这两年流行的一些病毒,我们可以看到如今流行病毒的趋势:

注册成迷惑人的系统服务,

自动从远端Download更新,

嵌入网页的IFRAME,

利用系统楼顶进行“零日”攻击

使用可移动存储设备的Autoplay传播,

还能使用字典攻击破解复杂度不高的密码获得权限,

当然还有利用一些传统的伎俩:修改注册表啊什么的……这个已经很普遍了……

针对这些趋势,我们需要在日常防毒中做到:

主机登录帐号的管理(密码复杂度,权限管理,局域网文件共享管理)

系统补丁的安装管理(如果相对电脑较多,则要考虑架设一台WSUSServer)

可移动存储设备管理(禁用USB接口或者使用资产管理软件禁用USB存储,禁止Autoplay)

防病毒软件的管理(防病毒软件组件更新,病毒库更新,防火墙管理)

公司人员的防病毒观念提升(这个非一日一夕之功,要潜移默化,但是仍然很难做到)

Internet入口处的防病毒管理(网关防病毒管理,架设专门的诸如IWSA,IGSA等网关防毒设备)

防病毒,还是平时要做好工作,防微杜渐,

否则真遇到病毒爆发的状况,那就真的是手忙脚乱,

死去活来搞定之后,还要想办法做个靓靓的Report跟上头解释得尽量好看一些,残念……

  

爱华网本文地址 » http://www.aihuau.com/a/25101012/126312.html

更多阅读

是戒烟最好最快的方法是什么? 中药戒烟最好的方法

是戒烟最好最快的方法是什么?——简介常吸烟的人突然戒烟就会出现烦躁不安、头昏头痛、失眠忧虑、咳嗽多汗、心率下降、食欲或体重增加等一系列的不适感。所以为了减少吸烟对自己和家人的危害,请尽量少抽烟或者去戒烟。是戒烟最好最

转载 Skinship是亲子关系最重要的一环 亲子关系的重要性

说的一点也没错原文地址:Skinship是亲子关系最重要的一环作者:坨坨mamaSkinship这个单词我一直以为是英语,但其实这个单词并不是真正意义上的英语,而是日语里的英语单词,最早指的是小孩刚生下来以后,就马上把他放到妈妈的胸前,让母子进行

2015是史上最易的高考?人大附中重铸辉煌? 人大附中实验小学

一。2015的北京高考成绩已经出炉,我的标题是“史上最易”用的问号,因为这个不会有结论的,我的一家之言是不好说是不是史上最易,但起码是史上最易的高考之一!看看上图的分数分布就可以看出,预测今年的清北线应该在694和695.而去年的清北线

声明:《WORM_DOWNAD.AD:应该是我见过最智能的病毒之一了...》为网友你只会花心分享!如侵犯到您的合法权益请联系我们删除