Last month, the Win32/Qhost Trojan was the undisputed leader. Its activity rating in Russia, compared to other threats, remains very high at 15.9%. We have already mentioned it in past monthly reports; in one of them, it also led our top ten threats. Win32/Qhost is not a technologically complex threat: one of its main purposes is to modify the system hosts file. Using malicious entries added to this text file, attackers redirect the user to phishing resources. The redirection relies on standard OS name-resolution mechanisms and requires almost no participation from the user, who simply needs to open the web resource in a browser.
Comments by Artem Baranov, a leading analyst at ESET.
Most likely, it is this simplicity, together with the wide range of phishing sites, that makes Win32/Qhost so attractive to intruders. Using the hosts file, they can redirect the user to virtually any malicious resource that is indistinguishable from the legitimate one. Thus, an unsuspecting user can easily hand confidential information to attackers. As a rule, their goal is to obtain authentication data for online banking or personal information from social networks.
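A defender can check for the kind of tampering described above by auditing the hosts file for entries that pin sensitive names to routable addresses. The Python script below is an added example written for this page, not ESET's code and not part of Win32/Qhost; the hosts contents and the watchlist of domains are constructed, and the Windows path is assumed to be the default C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress
import sys

# Default location of the hosts file on Windows (assumed; adjust if relocated).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample (not a real capture): the normal Microsoft header plus
# lines of the kind a hosts-modifying trojan appends to steer victims to a
# look-alike phishing server. Addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.45      online.example-bank.test
192.0.2.45      www.example-bank.test   # injected line with a trailing comment
198.51.100.7    social.example.test
127.0.0.1       ads.example.test
"""

# Names that should never be pinned by the local hosts file. Constructed
# watchlist; in practice this is the organisation's banking, mail and SSO domains.
WATCHLIST = {"online.example-bank.test", "www.example-bank.test", "social.example.test"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, also mid-line
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; the resolver ignores such lines
        for name in fields[1:]:
            yield ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return findings for every entry that maps a name to a routable address.

    Mapping a name to loopback is a common, benign use (ad blocking, test
    setups) and is skipped. Anything else overrides DNS for that name, which
    is what a hosts-modifying trojan relies on; entries for watchlisted names
    are the ones that indicate a phishing redirect.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append({"ip": str(ip), "name": name, "watchlist": name in watchlist})
    return findings


def audit_file(path=WINDOWS_HOSTS_PATH, watchlist=WATCHLIST):
    """Audit a hosts file on disk; returns the same structure as audit_hosts()."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watchlist)


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    for f in results:
        flag = "WATCHLIST" if f["watchlist"] else "review"
        print(f"{flag:9} {f['ip']:16} {f['name']}")
```

Run it without arguments to see the constructed sample flagged, or pass the path of a hosts file to audit a real machine; anything reported as WATCHLIST is a name whose resolution has been silently taken away from DNS.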
Win32/Qhost distribution statistics in Russia show that its peak was in December 2012; its activity is currently declining.

Fig. 1. Statistics of the activity of the Win32/Qhost Trojan in Russia.
We note that malicious objects that intruders insert into web pages continue to occupy the top lines of the Russian rating: the HTML/IFrame (4.95%) and HTML/ScrInject (3.55%) families. As a rule, a user's infection with malware begins with these objects. The attackers compromise a website and inject malicious content into its pages; the more popular the site, the more users can become victims of the attack. Despite the current downward trend of these threats, a significant decline in HTML/IFrame and HTML/ScrInject can hardly be expected in the future.
The well-known banking Trojan Carberp, by contrast, has shown a steady downward trend since mid-2012 (Fig. 2), and its rating among all Russian threats is now 1.1%. Another well-known Trojan, Win32/Bicololo, which, like Win32/Qhost, focuses on modifying the hosts file, significantly increased its activity in December and ended January with an upward trend. Its rating is 2.07%.

Fig. 2. Statistics of the activity of the banking Trojan Carberp in Russia.
The Trojan Win32/StartPage also entered our January threat rating, with a share of 0.8%. Its main task is to change the start page of the user's browser in order to redirect to web pages chosen by the attacker. It can also track the user's search queries and open special phishing sites. Note that INF/Autorun and Win32/Conficker, which we wrote about in the annual report for 2012, were also in our top ten. In January, their ratings were 1.92% and 1.18%, respectively. Russia's total share in the global malware volume was 7.81%.
Global threat statistics differ from the Russian ones, although HTML/IFrame (3.0%) and HTML/ScrInject (2.71%) prevail here too. The presence of INF/Autorun (2.71%), Win32/Conficker (2.31%), Win32/Qhost (2.41%) and Win32/Dorkbot (1.52%) also echoes the Russian top ten. In addition to the malicious web-page objects that we detect as HTML/IFrame and HTML/ScrInject, malicious JavaScript has also entered the global top ten: JS/Kryptik.ADZ (2.52%) and JS/TrojanDownloader.Iframe (1.32%). The world ranking also includes the file infectors Win32/Sality (2.6%) and Win32/Ramnit (1.4%).
Sality is worth mentioning separately. This family of file infectors has been known for a very long time; its first versions were discovered back in 2003. Since then, the malware has undergone a number of changes, and both the infector code and the payload have evolved. In addition, Sality has acquired its own botnet. After minor ups and downs, Win32/Sality has essentially returned to the position it held a year ago. Over the past month, however, it has shown an upward trend globally.
Global threat statistics are as follows:

Threat Statistics for Russia:

We already mentioned Conficker in our annual threat ranking, where it ranked fourth in prevalence.

Fig. 3. Global threat ranking, according to our 2012 report.
It is worth recalling the danger that Conficker poses. Its various versions use the most diverse methods of self-propagation and of copying their bodies from an infected machine. Particularly relevant is distribution through enabled autorun, including on removable USB devices. As we remember, Conficker was one of the reasons why Microsoft, starting with Windows 7, turned off the autorun feature by default for all removable media except optical discs (DVD and CD). In a Microsoft technical note on the changes to autorun behaviour in Windows 7, the Conficker worm is named as one of the reasons for this decision.

Fig. 4. Changes in startup policy for Windows 7.
In Figure 4, we see the changes in the autorun policy for removable non-optical media in Windows 7 and later (right) compared with previous OS versions (left). Highlighted in red is the menu item that exposes the user when the device carries a potentially harmful autorun mechanism (an autorun INF file), which corresponds exactly to Conficker's behaviour. In addition, if the user ticked “Always do ...”, potentially dangerous objects could be launched automatically again and again. As you can see, this item is now missing from the menu as well.
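Because autoplay acts on whatever an autorun.inf instructs, a defender who must handle removable media on older systems can inspect the file before letting anything run. The Python below is an added example for this page, not ESET's or Microsoft's code; the autorun.inf bytes are constructed, including binary junk between directives of the kind that a tolerant INI parser skips, and it assumes that the [autorun] section and its keys are read case-insensitively and that programs are launched only through open, shellexecute and shell\<verb>\command entries (icon, label and action are treated as passive).

```python
import re
import string

# Directives under [autorun] that launch a program on autoplay.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command entries also launch a program when that verb is chosen
# (or when "shell=<verb>" makes it the default action).
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed autorun.inf (not a real sample). Binary junk is interleaved
# between directives; a tolerant parser ignores it, so the launch
# directives still take effect.
SAMPLE_AUTORUN_INF = (
    b"[AutoRun]\r\n"
    b"; constructed example for illustration\r\n"
    b"icon=docs\\readme.ico\r\n"
    b"label=Holiday Photos\r\n"
    b"\x8f\x12\xfa junk that an INI parser skips \x00\x7f\xee\r\n"
    b"OPEN=setup.exe /quiet\r\n"
    b"shell\\explore\\command=setup.exe /quiet\r\n"
    b"shell=explore\r\n"
    b"action=Open folder to view files\r\n"
)


def parse_inf(data):
    """Return {section: {key: value}} from raw INF bytes, dropping non-printable junk."""
    text = data.decode("latin-1")  # one char per byte, never fails on binary junk
    sections = {}
    current = None
    for raw in text.splitlines():
        line = "".join(ch for ch in raw if ch in string.printable).strip()
        if not line or line[0] in ";#":
            continue  # comment, or empty once the junk is removed
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip().lower()  # section names are case-insensitive
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or not in key=value form
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(data):
    """Classify an autorun.inf and return (verdict, launch_entries).

    verdict is 'would-execute' if any directive launches a program,
    'passive' if the [autorun] section only sets icon/label/action,
    and 'no-autorun-section' if there is no [autorun] section at all.
    """
    autorun = parse_inf(data).get("autorun", {})
    launches = [(k, v) for k, v in autorun.items()
                if k in LAUNCH_KEYS or VERB_COMMAND.match(k)]
    if launches:
        return "would-execute", launches
    return ("passive" if autorun else "no-autorun-section"), launches


if __name__ == "__main__":
    verdict, launches = assess_autorun(SAMPLE_AUTORUN_INF)
    print("verdict:", verdict)
    for key, value in launches:
        print(f"  {key} = {value}")
```

Read the file from the mounted volume and pass its bytes to assess_autorun(); a 'would-execute' verdict means the medium would have started a program under the pre-Windows 7 policy shown on the left of Figure 4, and the listed entries are what it would have run.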
Below, we want to give some tips on how to avoid infection by the Conficker worm.
Update the OS regularly
Conficker exploits a number of already closed vulnerabilities for its distribution:
Microsoft Security Bulletin MS08-067 - Critical - Vulnerability in Server Service Could Allow Remote Code Execution
Microsoft Security Bulletin MS08-068 - Important - Vulnerability in SMB Could Allow Remote Code Execution
Microsoft Security Bulletin MS09-001 - Critical - Vulnerabilities in SMB Could Allow Remote Code Execution
The corresponding updates that fix them are KB958644, KB957097 and KB958687. Of course, it is good practice to update the OS regularly, either manually or through the auto-update mechanism; this helps prevent a range of threats that exploit system vulnerabilities on your computer.
Disable autorun in Windows Vista / Windows XP
If you are using Vista or XP, use the following instructions to disable autorun:
1. Right-click on this link and click “Save link as ...”.
2. Select the location where you want to save the file (for example, on the desktop) and click “Save”.
3. Open the place where you saved the file and double click on it to add information to the registry. Confirm the addition of information by clicking “Yes”.
Note! After you import information from a file into the system registry, any autorun.inf file will be ignored by your system. Thus, even the installation CD / DVD will no longer be able to run automatically.
If you need to clean your computer from Conficker or you suspect that you have already been infected, use the following instructions:
1. Disconnect the network cable. The worm can spread both over the Internet and over a local network.
2. If possible, use a different, non-infected computer to download patches for the above vulnerabilities.
3. Set a new, strong password for your administrator account.
4. Use our EConfickerRemover utility to remove Conficker.
5. Download and install the latest version of ESET NOD32 product.
6. Update the anti-virus database.
To make sure that the cleanup was successful, rerun the EConfickerRemover utility and then run a scan with the antivirus. We also recommend reading this Microsoft article, which contains detailed information about Conficker.
