The BIPT (the telecom regulator) has an official cyberalert service. Today it publishes information from the 25th of February with some general information and links.
On the official CERT website of Belnet, the CERT for the official infrastructure of Belgium, there is nothing, although I can suppose that they have organised everything, are on permanent standby and have been following up the Conficker worm on a permanent, excellent basis since they got the alerts.
Luckily you have this stupid idealist here collecting info wherever he can and making it available for you as well.
Communication should be more important. And I am not saying this is perfect here, it is just something 'as is'. But it is still better than nothing.
By the way, there are enough things to do for others to participate in this adventure so if you have some minutes to spare a week for the good cause, contact me.
According to the honeypot research, Conficker is coded to be re-activated the day after the first of April and 4 days after the first of April (5 to 7 April according to the time clocks).
Maybe some people and networks will be April fools on these days if nothing happens on the first of April but everything seems to activate the day after or during the weekend (holiday). It would be one of the best examples of social engineering.
We are seeing traffic coming here from all kinds of networks, and so we see that they are looking for tools and techniques.
Are you preparing and prepared?
Be sure, you never know what happens tomorrow (or this evening already).
Don't be the joke tomorrow on all the blogs and news links that went down because you thought it wouldn't happen (to you)...
In analyzing the virus, engineers have found that Conficker uses an algorithm to determine a number of different domains to contact for further instructions beginning on April 1. The algorithm was used to determine the exact list of domains that would be used. OpenDNS recently added a feature which would block access to these domains: “We’ve teamed with Kaspersky Lab to identify those domains, and stop resolving them. This means if you’re using OpenDNS, Conficker will do your network no damage“. From a management perspective, this is a much less intensive solution than attempting to block the domains on your local DNS servers and dealing with the overhead involved.
While using OpenDNS might not be feasible for larger enterprises, this is a great solution for SMBs and home users. I’ve used it personally for some time now; the amount of centralized control available and ease of use makes it extremely attractive. A wealth of reporting features are also available, including one to specifically identify requests to known malware sites (like Conficker). Steps still need to be taken to ensure that Conficker is identified and removed from your network, but this is a good way to ensure that if any instances go undiscovered, they won’t be able to cause further harm.
This is the latest paper that you should read to make preparations for tomorrow.
You should also follow http://isc.sans.org
and for a general idea http://www.certstation.com/flash/threatCon/threatCon.swf
and for your country or ASN Arbor Networks
If there are important developments, tools or news with which you can DO something, they will be published here in the coming 48 hours.
And if nothing happens, it was one of the best cyberstorm exercises ever held.
Nonficker Vaxination Tool
Conficker uses different global and local mutexes to ensure that only the most up-to-date version is run on the system. This fact can be exploited to scan for and to prevent infections.
We have developed our Nonficker Vaxination DLL that can be installed as a system service and pretends to be a running Conficker by registering all mutexes from version .A, .B, and .C (and possibly .D, depending on which naming scheme you refer to). A setup tool to install the DLL as a system service is provided as well. To uninstall it again:
- Open your favorite registry editor (e.g. Start->Run...->regedit.exe->ok)
- Go to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
- Remove "aaaaanonficker" from the "netsvcs" value
- Remove the registry key and all its subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaaaanonficker
Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you if you are infected.
Both tools and source code can be downloaded here:
It is hard to identify files containing Conficker because the executables are packed and encrypted. When Conficker runs in memory it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process they run in. This helps to keep the system services running.
The tool itself and the source code can be downloaded here:
Detecting Conficker Files and Registry
Despite other reports, the file names and registry keys Conficker.B and .C use are not random. They are calculated based on the hostname. We have developed a tool that you can run on your system to check for Conficker's DLLs. Unfortunately, Conficker.A really uses random names and can therefore not be found this way.
It is at a very early development stage but usable. We would be grateful to benefit from your changes if you develop it further.
Tool and source code are here:
The Real Time Global Threat Monitor plots malicious and noteworthy event observations in real time as captured by Support Intelligence. Sign up to receive your Free 30 Day Trial of current suspicious activity on your network.
Conficker Data Sink Collector
Internet Systems Consortium and leading researchers throughout the world have been analyzing and collecting data related to the Conficker worm. Data contained within this site is being made available to select organizations and individuals.
If you are affiliated with a CERT, Internet Service Provider, law enforcement agency or are actively involved in anti-virus efforts you may qualify for free access to this data through this website. Please note that ALL requests for accounts on this system will be subject to verification and vetting.
There are thousands of them, but for dns.be and other owners of domain extensions it makes it possible to block those.
The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.
Conficker.C Domain Collisions
Conficker.A and .B created 250 domains per day, from which they try to download updates. Conficker.C, unlike its predecessors, creates 50,000 domains per day. Furthermore, the length of Conficker.C domain names is only 4-9 characters, instead of 8-11 for variants .A and .B. The large number and the shorter domain length result in a lot of collisions with real domain names.
We have pre-computed all domain names for April 2009 and looked up the domains in order to find collisions. Figure 1 shows the number of collisions for each day.
The list of collisions as well as the list of Conficker.C domains for April can be downloaded here:
Here are the Snort rules we created, based on signatures generated with Nebula, that match the static shellcode:
Our proof-of-concept code is publicly available and can be downloaded from here. The output looks like this:
Could not send SMB request to 127.43.16.76:445/tcp.
127.99.100.2 seems to be infected by Conficker.
127.36.15.80 seems to be clean.
A Windows Python-to-exe build of the same tool is available here. Further, the nature of Conficker's server service shellcode can be exploited to detect infection attempts.
How do I get my list of infected hosts and infected customers?
Sinkhole feed formats are usually provider specific but provide the same data. Sinkhole servers are run by the Conficker Working Group to identify infected hosts and share the information with network operators. Data usually contains a timestamp and a source IP. The destination IP address is usually available, too. Source port information (to help with NAT or firewall logs) may be available in some feeds. The following are the Conficker data providers we are working with.
Arbor Networks, ATLAS SRF
- Cost: free, ATLAS accounts are free, Conficker feeds are free and available to authorized representatives. Format is in CSV, IODEF, or Atom delivered over HTTP. Questions about how this information can be accessed can be sent to: email@example.com
Shadowserver Foundation Conficker Reports
- Cost: Reports are free and available to authorized representatives. Format is in CSV over email. Questions about how this information can be accessed can be sent to: firstname.lastname@example.org
ISC Security Information Exchange (SIE)
- Cost: Free for NSP-SEC community members. Format is pipe-separated text delivered over HTTP with optional e-mail notifications. Questions about how this information can be accessed can be sent to: email@example.com
Support Intelligence, Inc.
- Cost: Reports are free and available to authorized representatives.
- Format: CSV over email
- Contact: firstname.lastname@example.org
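The feeds above differ in shape but carry the same fields. The following is an added example (not code from the Conficker Working Group or any of the providers) that normalises a header-based CSV feed and a header-less pipe-separated feed into one record type, keeps only hits inside the operator's own prefixes, and aggregates per source IP with first/last seen and any source ports, which is what you need to find the host behind a NAT in your own firewall logs. The column names, order and sample lines are constructed assumptions; real feeds differ per provider.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample feeds in the two shapes described above: CSV with a header row
# and header-less "timestamp|src|dst" text. Column names and order are assumptions.
CSV_FEED = """timestamp,src_ip,src_port,dst_ip
2009-03-31 22:14:05,192.0.2.17,49152,198.51.100.9
2009-03-31 22:15:40,192.0.2.17,49153,198.51.100.9
2009-03-31 23:01:12,203.0.113.5,,198.51.100.9
"""
PIPE_FEED = """2009-04-01 00:03:44|192.0.2.200|198.51.100.10
2009-04-01 00:05:01|192.0.2.17|198.51.100.10
2009-04-01 00:09:30|203.0.113.77|198.51.100.10
"""
# Prefixes this operator announces (constructed); only hits inside them are "my customers".
MY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_csv_feed(text):
    """Yield (timestamp, src_ip, src_port or None, dst_ip) from a CSV feed with a header."""
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["src_port"]) if row.get("src_port") else None  # port is optional
        yield (datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
               ipaddress.ip_address(row["src_ip"]), port, ipaddress.ip_address(row["dst_ip"]))


def parse_pipe_feed(text):
    """Yield the same tuple from 'timestamp|src|dst' lines; this feed carries no port."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split("|")
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               ipaddress.ip_address(src), None, ipaddress.ip_address(dst))


def my_infected_hosts(records, prefixes):
    """Aggregate hits per source IP inside our prefixes: first/last seen, count, ports."""
    hosts = {}
    for ts, src, port, _dst in records:
        if not any(src in p for p in prefixes):
            continue  # another operator's customer; the provider reports to them
        h = hosts.setdefault(str(src), {"first": ts, "last": ts, "hits": 0, "ports": set()})
        h["first"] = min(h["first"], ts)
        h["last"] = max(h["last"], ts)
        h["hits"] += 1
        if port is not None:
            h["ports"].add(port)
    return hosts


def report():
    """Merge both constructed feeds and return the operator's infected-host table."""
    records = list(parse_csv_feed(CSV_FEED)) + list(parse_pipe_feed(PIPE_FEED))
    return my_infected_hosts(records, MY_PREFIXES)
```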
The current community procedure is to register whatever domains are currently unregistered and point the nameservers to one of the Conficker sinkholes, so as to gain and keep control of the botnet as much as is possible.
Undoubtedly, some of these domains have already been registered. Domains that are already registered will need to be looked at to determine which of the various pigeonholes they fit into:
- Registered by the botmaster(s)
- A legitimate registration
- Registered by a legitimate security researcher
- Registered by a script kiddie trying to gain control of part of the botnet (caveat: the binary file hosted on the domain must be signed by the people behind Conficker).
Some things to take into consideration if a domain has already been registered:
- How long has the domain been registered for
- What other domains are registered by the registrant
- Are these other domains part of conficker as well
- Where does the domain point to (A records, NS records)
The action taken for the already-registered domains will be determined by who has the current registration.
A list of the domain names used by Conficker can be received by making a request from the mailing list. With these domains we ask that you take the following actions. More specific instructions on what to do with these lists can be gotten from the mailing list.
Register these domains, and utilize the attached DNS NS information to include in the registration information. This will allow the Conficker Coalition to track infected machines and provide reporting to infected parties.
You can reserve or remove the domains in this list from your TLD. This will effectively block anyone from being able to register these domains. The down side to this is that it will not provide any visibility into who is infected by this threat.
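As an added example (not code from the Conficker Working Group or from any registry), the following triage covers both the collision check from the Conficker.C section above and the questions listed for already-registered domains: unregistered names go to the "register and point the NS at the sinkhole" list, and each collision is annotated with its registration age, the registrant's other domains, which of those are Conficker names too, and where it points. The domain names, registrant ids, nameservers and the 30-day "recent" threshold are constructed assumptions, and the "suspicious" flag is only a heuristic to order the manual review, not a verdict on who registered the domain.

```python
from datetime import date

# Constructed sample data; the names are made-up stand-ins for entries on the Conficker
# list, not names from it. A real run uses the list from the mailing list plus the
# registry's own zone and whois data.
DGA_DOMAINS = {"qwlpt.be", "abcd.be", "zzykm.be", "wrtnb.be", "hgfe.be"}

# Nameservers handed out for the sinkhole (assumed names).
SINKHOLE_NS = {"ns1.sinkhole.example", "ns2.sinkhole.example"}

# Registry records: domain -> (registrant id, creation date, set of nameservers).
ZONE = {
    "qwlpt.be": ("r-1001", date(2009, 3, 30), {"ns1.sinkhole.example"}),
    "abcd.be":  ("r-2002", date(2004, 6, 1),  {"ns.abcdhosting.example"}),
    "zzykm.be": ("r-3003", date(2009, 3, 28), {"ns.cheapdns.example"}),
    "other.be": ("r-3003", date(2009, 3, 28), {"ns.cheapdns.example"}),
    "wrtnb.be": ("r-3003", date(2009, 3, 29), {"ns.cheapdns.example"}),
}


def triage(dga, zone, sinkhole_ns, today, recent_days=30):
    """Split the Conficker list into names to register (and sinkhole) and collisions.

    Each collision carries the review points from the text: registration age, the
    registrant's other domains, which of those are Conficker names too, and the NS.
    'suspicious' flags a recent registration by someone holding other Conficker names
    who is not the sinkhole; the decision itself stays with the registry.
    """
    registered = set(zone)
    unregistered = sorted(dga - registered)
    review = {}
    for name in sorted(dga & registered):
        registrant, created, ns = zone[name]
        siblings = sorted(d for d, (r, _, _) in zone.items()
                          if r == registrant and d != name)
        dga_siblings = sorted(set(siblings) & dga)
        age = (today - created).days
        at_sinkhole = bool(ns & sinkhole_ns)
        review[name] = {
            "age_days": age,
            "siblings": siblings,
            "dga_siblings": dga_siblings,
            "ns": sorted(ns),
            "points_to_sinkhole": at_sinkhole,
            "suspicious": age < recent_days and bool(dga_siblings) and not at_sinkhole,
        }
    return {"register_and_sinkhole": unregistered, "review": review}


def run_example():
    """Triage the constructed data as of 1 April 2009."""
    return triage(DGA_DOMAINS, ZONE, SINKHOLE_NS, date(2009, 4, 1))
```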
The list of domain extensions that are being used is this one:
The algorithm produces a domain name set that is independent of Conficker A and B, and will overlap these other domain sets only in a rare coincidence. The name of each generated domain is 4 to 10 characters, to which a randomly selected TLD is appended from the following list of 116 suffixes (mapping to 110 TLDs):
[ "ac" , "ae" , "ag" , "am" , "as" , "at" , "be" , "bo" , "bz" , "ca" , "cd" , "ch" , "cl" , "cn" , "co.cr" , "co.id" , "co.il" , "co.ke" , "co.kr" , "co.nz" , "co.ug" , "co.uk" , "co.vi" , "co.za" , "com.ag" , "com.ai" , "com.ar" , "com.bo" , "com.br" , "com.bs" , "com.co" , "com.do" , "com.fj" , "com.gh" , "com.gl" , "com.gt" , "com.hn" , "com.jm" , "com.ki" , "com.lc" , "com.mt" , "com.mx" , "com.ng" , "com.ni" , "com.pa" , "com.pe" , "com.pr" , "com.pt" , "com.py" , "com.sv" , "com.tr" , "com.tt" , "com.tw" , "com.ua" , "com.uy" , "com.ve" , "cx" , "cz" , "dj" , "dk" , "dm" , "ec" , "es" , "fm" , "fr" , "gd" , "gr" , "gs" , "gy" , "hk" , "hn" , "ht" , "hu" , "ie" , "im" , "in" , "ir" , "is" , "kn" , "kz" , "la" , "lc" , "li" , "lu" , "lv" , "ly" , "md" , "me" , "mn" , "ms" , "mu" , "mw" , "my" , "nf" , "nl" , "no" , "pe" , "pk" , "pl" , "ps" , "ro" , "ru" , "sc" , "sg" , "sh" , "sk" , "su" , "tc" , "tj" , "tl" , "tn" , "to" , "tw" , "us" , "vc" , "vn" ]
Dns.be has already proven twice since January 2009 that, together with the FCCU and the justice department, domain names can be brought down at the root level or blocked if necessary. I hope the same procedures will be in place tomorrow.
This means that if your computer thinks it is already the first of April, or some hours into the second of April, then the Conficker worm (if the computer is infected) will activate at that time, even if you think it will only be tomorrow, or that after tomorrow everything is over and done with (it would be a big joke if Conficker changed the internal clock somewhere without showing it).
You should scan your network for the network time and make sure that your time servers are up and running and that your servers and computers have had a correction if needed.
One of the effects of conficker is that it scans on port TCP 445 for other exploitable machines (and port 139 but there is not so much of that).
The last couple of days the intensity of scanning on that port has steadily increased, even if it is not necessarily Conficker or malware (bad configuration or false positives in monitoring machines).
DShield from the Internet Storm Center shows the trend for the last days.
Now, for Belgium, we can use the numbers of Arbor Networks (again), and we see that the scanning in Belgium is for the moment very high (not necessarily Conficker).
This means that you had better be sure that your firewall, IDS or other logging or network-defensive installations don't log scanning on port 445 (except if you have enormous installations),
because they could become overloaded or could slow everything down until the breaking point.
There is no point logging this; you will never be able to prosecute or clean up all the infected stations.
I repeat, see this as an exercise. How fast can you react, do people have addresses and procedures, eventually play a virtual game (we have 10 infected posts, how long to virtually block and clean them; our network defences are cracking under the load, how long to keep them steady and get help from the others, etc.).
Of course it is the first of April, so use a code word so that everybody in your team knows when you are not joking. Saying it won't be a joke won't be enough.
The result is that even if it turns out to be a joke, you have learnt some very important lessons and have trained your staff on how to react to a situation that you will encounter some day or another. There is nothing better than trained staff. And it won't cost you a dime.
"Study" is a big word, because you can't say that they have done some very profound examinations (network infrastructure, other links), nor can you say that they have written the report after careful critical consideration.
First, the news flash that we should all forget: it is not about 1000 computers that were all infected at the same time with obviously the same goal. Over a period of 2 years there were some computers that were connected to a malware (rogue security software) downloading site.
It is also possible that, to continue his malicious business, the malware creator has used these infections to give some documents and information or access to the intelligence services; China is still a dictatorship, whatever its modern looks.
It is not clear from the report that all these computers have been infected in the same way and that each infection had the same consequence. The NATO computer that is cited in each press report is in fact an unclassified one and was only infected for half a day. There are far more important computers that were infected with this malware that aren't making the headlines (and embassies of a lot of countries have already been used for a long time as infected distributors of malware).
Secondly, instead of concentrating on the attacking sites, one should be astonished by the total lack of security in an organisation that should know that it will be under permanent attack, by all means, by a very powerful opponent. If the organisation had at least some more security paranoia and awareness, its confidential documents would not have been on unprotected workstations, or they would have seen earlier that their mail server had been compromised. They are not heroes because they called in the experts, they are losers because they did so so late in the game.
This should be a warning to every institution and organisation that has some information to protect from others. You adapt yourself to this totally insecure environment or you lose. Full stop. And this means taking the steps and investing the money and having the real and digital guards protecting your assets, whatever they are.
This is the only reason why this report is interesting. For the rest it is quite unfinished, and the Tibetan organisations should adapt themselves to this dangerous online environment and distrust everything they can't trust.
Links can be found at twitter.com/belsec.
So the intelligence community believes that BT was taking a national security risk by using Huawei, a Chinese ex-military-controlled switch product, for the national upgrade of their infrastructure. The big problem is that this is also the case for the intelligence, military and governmental agencies that are using or are connected to that network.
They wanted parts of those Chinese switches to be changed, but the government refused, citing "problems with competition law".
When is that more important than the national security of critical infrastructure?
For those that have more or less been following the links the last days, you will see that I am for the moment reading a lot about BIOS rootkits and other rootkits planted on hardware. There is no way one can clean or control such hardware after you have received it. It can be everywhere and 'nowhere to be seen'. The cost of controls would be much more than the production cost of secured hardware.
Secure hardware is a total process, from the smallest part until the final operation and maintenance. If the western IT industry wants that market it should create this market, and I wouldn't be surprised if the governmental, financial (Heartland incident) and high-level knowledge-competitive industries (espionage) would all be too happy to agree with that. The local employment possibilities aren't negligible either in these hard times.
The free-marketeers will shout in all languages that this is against competition and so on, but since when is national and economic security less important than free markets and competition? Unless you are like the other kids in Pinocchio who are having a party but will discover that there is more to it and that nothing is as it looks...
This is a window of opportunity that you should not miss, because once those smart guys (and everybody agrees that the developers and maintainers of Conficker are smart IT programmers) update their client (and they will probably already have figured out how to bypass the latest identification that security tools can use) it is game over for another few weeks.
Snort, Nessus, Nmap and lots of other (also commercial) IDS and networkmonitors will incorporate this new ID.
It is also important that you filter the positive alerts, let a real person look at them, and be sure that that person has the authority to bring that station down and to alert a standby technical team or an internal server installing cleaning and security services. Having an internal server that can install an antivirus without looking for external updates is a nice-to-have.
Would someone make an easy tool or something to include in proxies and firewalls ?
On the first of April Conficker will be bringing down the web, or it will be the biggest false alert ever.
Whatever. It is a perfect excuse to test the time your security and IT people need to respond to a real (or played) security incident. How much time does it take to take down a PC? How do you monitor these events and prepare for them? Is all the information available?