Threats of January 2013 and our recommendations for Conficker

    Last month, the Win32/Qhost Trojan was the undisputed leader. Its activity rating in Russia relative to other threats remains very high at 15.9%. We have already mentioned it in past monthly reports; in one of them it also led our "top ten" threats. Win32/Qhost is not a technologically complex threat; one of its main purposes is to modify the system hosts file. Using malicious entries added to this text file, cybercriminals redirect the user to phishing resources. The redirection relies on standard OS mechanisms and requires minimal participation from the user, who only needs to open a browser and visit web resources.

    Comments by Artem Baranov, leading analyst at ESET.
    Most likely, it is this simplicity and the extensive range of phishing sites that make Win32/Qhost so attractive to attackers. After all, using the hosts file, they can redirect the user to virtually any malicious resource that is practically indistinguishable from a legitimate one. Thus, an unsuspecting user can easily hand their confidential information to the intruders. As a rule, their goal is to obtain authentication data for online banking, or personal information from social networks.
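    The hosts-file tampering described above is easy to audit from the defender's side. The following is an added example (not ESET's code or tooling): it parses a hosts file and flags any hostname mapped to a routable address instead of a loopback or sinkhole address, which is the Qhost/Bicololo redirection pattern. The domains and addresses in the sample are constructed (reserved example ranges), and legitimate intranet overrides would also be flagged and should be allow-listed by the operator.

```python
import ipaddress

# Constructed sample of a hosts file after a Qhost-style modification.
# Domains and addresses are invented (RFC 2606 names, RFC 5737 test range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines appended by the malware (constructed for this example)
203.0.113.10    online.bank.example
203.0.113.10    www.online.bank.example
203.0.113.11    social.example  www.social.example
0.0.0.0         telemetry.vendor.example   # benign sinkhole entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                              # not a valid address: ignore line
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_redirects(entries):
    """Flag hostnames that resolve to a routable address.

    A hosts entry pointing a public site at a real remote address means
    the browser will silently land on the attacker's server; entries that
    sinkhole a name (loopback, 0.0.0.0, link-local) are left alone.
    """
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
            continue
        flagged.append((name, ip))
    return flagged


if __name__ == "__main__":
    for name, ip in suspicious_redirects(parse_hosts(SAMPLE_HOSTS)):
        print(f"hosts override: {name} -> {ip}")
```

    On a live Windows machine the same functions can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts.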


    Win32/Qhost distribution statistics for Russia show that it peaked in December 2012; its activity is currently declining.


    Fig. 1. Activity statistics of the Win32/Qhost Trojan in Russia.

    We note that malicious objects embedded by cybercriminals in web pages still occupy the top lines of the Russian rating: the HTML/IFrame (4.95%) and HTML/ScrInject (3.55%) families. As a rule, a malware infection begins with these objects. Attackers compromise a website and inject malicious content into its pages; the more popular the site, the more users can fall victim to the attack. Despite the current downward trend for these threats, we can hardly expect a significant decline in HTML/IFrame and HTML/ScrInject in the future.

    The well-known banking Trojan Carberp, on the contrary, has shown a steady downward trend since mid-2012 (Fig. 2) and now has a rating of 1.1% among all Russian threats. Another well-known Trojan, Win32/Bicololo, which like Win32/Qhost modifies the hosts file, significantly increased its activity in December and ended January with positive dynamics. Its rating is 2.07%.


    Fig. 2. Activity statistics of the banking Trojan Carberp in Russia.

    The Win32/StartPage Trojan also made it into our January threat rating, with 0.8%. Its main task is to replace the start page of the user's browser in order to redirect to web pages specified by the attacker. It can also track the user's searches and open phishing sites. Note that INF/Autorun and Win32/Conficker, which we covered in the annual report for 2012, were also in our top ten. In January their ratings were 1.92% and 1.18%, respectively. Russia's total share of the global volume of malware amounted to 7.81%.

    Global threat statistics differ from the Russian ones, although HTML/IFrame (3.0%) and HTML/ScrInject (2.71%) predominate here as well. INF/Autorun (2.71%), Win32/Conficker (2.31%), Win32/Qhost (2.41%) and Win32/Dorkbot (1.52%) also overlap with the Russian top ten. In addition to the malicious web-page objects that we detect as HTML/IFrame and HTML/ScrInject, the top ten also included malicious JavaScript: JS/Kryptik.ADZ (2.52%) and JS/TrojanDownloader.Iframe (1.32%). The file infectors Win32/Sality (2.6%) and Win32/Ramnit (1.4%) were also in the world ranking.

    Sality is worth mentioning separately. This family of file infectors has been known for a very long time: its first versions were discovered back in 2003. Since then the malware has undergone a number of changes, and both the infection code and the payload have evolved. In addition, Sality has acquired its own botnet. After slight ups and downs, Win32/Sality has effectively returned to its positions of a year ago; however, over the past month it has shown positive global momentum.

    Global threat statistics are as follows:



    Threat statistics for Russia:



    In our annual threat rating we already mentioned Conficker; in terms of prevalence it took fourth place.


    Fig. 3. The global threat rating, according to our 2012 report.

    It is worth recalling the danger that Conficker poses. Its various versions use a wide variety of methods to spread and to copy their body from an infected machine. Particularly relevant is distribution via enabled autorun, including on removable USB devices. As we recall, Conficker was one of the reasons why Microsoft, starting with Windows 7, turned off autorun by default for all removable media except optical (DVD and CD). In a Microsoft technical note on the changes to autorun behaviour in Windows 7, the Conficker worm was named one of the reasons for this decision.


    Fig. 4. Changes in the startup policy for Windows 7.

    Figure 4 shows the changes in the autorun policy for removable non-optical media in Windows 7 and later (right) compared with previous versions of the OS (left). Highlighted in red is the menu item that puts the user at risk when the device carries a potentially malicious autorun mechanism (an INF file); this is exactly how Conficker behaves. In addition, if the user ticked "Always do ...", potentially dangerous objects could start automatically again and again. As you can see, that item is now missing from the menu.

    Below we want to give some tips on how to avoid getting infected with the Conficker worm.

    Update regularly

    Conficker exploits a number of already closed vulnerabilities for its distribution:

    Microsoft Security Bulletin MS08-067 - Critical - Vulnerability in Server Service Could Allow Remote Code Execution

    Microsoft Security Bulletin MS08-068 - Critical - Vulnerability in SMB Could Allow Remote Code Execution

    Microsoft Security Bulletin MS09-001 - Critical - Vulnerabilities in SMB Could Allow Remote Code Execution

    The corresponding updates that resolve them are KB958644, KB957097 and KB958687. Of course, good practice is to update the OS regularly, either manually or via the auto-update mechanism; this helps prevent the many threats that exploit system vulnerabilities from getting onto your computer.

    Disable autorun in Windows Vista / Windows XP

    If you are using Vista or XP, use the following instructions to disable autorun:
    1. Right-click on this link and click “Save Link As ...”.
    2. Select the place where you want to save the file (for example, to the desktop) and click “Save”.
    3. Open the folder where you saved the file and double-click it to add the information to the registry. Confirm the addition by clicking "Yes".

    Note! After you import the information from the file into the system registry, any autorun.inf file will be ignored by your system. Thus even installation CDs/DVDs will no longer start automatically.

    If you need to clean your computer from Conficker or if you suspect that you have already been infected, use the following instructions:
    1. Unplug the network cable. The worm can spread both over the Internet and on a local network.
    2. If possible, use another, non-infected computer to download patches for the above vulnerabilities.
    3. Set a new, strong password for your administrator account.
    4. Use our EConfickerRemover utility to remove Conficker.
    5. Download and install the latest ESET NOD32 product.
    6. Update anti-virus databases.

    To verify that disinfection was successful, run the EConfickerRemover utility again and then scan the system with the antivirus scanner. We also recommend reading this Microsoft article, which contains detailed information about Conficker.
