Shaun Stanislaus’s Tech blog

Just another WordPress.com weblog

Conficker’s autorun and social engineering guide

We wrote several diaries about Conficker (or Downadup, depending on the AV tool you are using). F-Secure posted some interesting information about the number of infections, which is almost certainly in the millions (and who knows how many machines will stay infected, as the owners will not even notice anything).

One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:

  1. It exploits the MS08-067 vulnerability,
  2. It brute-forces Administrator passwords on local networks and spreads through ADMIN$ shares, and finally
  3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

F-Secure also blogged about the autorun.inf file, where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs, so they did not scan the device properly (otherwise they would also have picked up the referenced DLL stored on the device).

After removing the garbage, one can see a clean autorun.inf file containing all the important keywords. This grabbed my attention:

[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

So, in the resulting Vista AutoPlay dialog, the first option, “Install or run program”, appears because Vista detected an autorun.inf file containing the Shellexecute keyword. However, the text shown next to it comes from the Action keyword, and the icon is extracted from shell32.dll (the 4th icon in the file) – and it’s the standard folder icon! This can easily fool a user into clicking this entry, thinking it will open the USB stick in Windows Explorer, instead of the second entry (the real one). The first option will run Conficker, of course. Very smart.

For the administrators among you, I would suggest that you disable AutoPlay in your environments unless it is really necessary. Depending on the environment, you might even completely disable USB if you don’t need it. The following article explains nicely how the AutoPlay feature works and how to disable it (http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx). Or check this article on the Autorun registry key (http://support.microsoft.com/kb/953252).

UPDATE – fixed a typo in the vulnerability: it is MS08-067 (not MS08-068). Nick Brown sent a URL to his blog, where he describes another method for disabling Autorun by modifying the IniFileMapping registry key; see more at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
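The decoy pattern described above (a folder label and the shell32.dll folder icon placed over a Shellexecute entry, all wrapped in binary junk) is something a defender can scan for on mounted removable media. The following Python is an added example, not code from this post, from ISC or from F-Secure. It parses an autorun.inf leniently, skipping any line that is neither a section header nor a key=value pair (an assumption about how the padded file still works, not something the post states), and then flags the tells the text names. The sample file and its junk bytes are constructed; only the four [Autorun] lines are the ones quoted above.

```python
import re
from typing import Dict, List

# Constructed sample (not taken from a real infected device): the four
# [Autorun] keys are the ones quoted in the post; the surrounding junk bytes
# are made up to mimic the random binary padding F-Secure described.
SAMPLE_AUTORUN = b"".join([
    b"\x8f\x12junk\x00\xfe" * 8 + b"\r\n",
    b"[Autorun]\r\n",
    b"\x01\x02\xffnoise\r\n",
    b"Action=Open folder to view files\r\n",
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n",
    b"\x9a\xbb garbage without an equals sign\r\n",
    b"Shellexecute=.\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665"
    b"\\jwgkvsq.vmx,ahaezedrn\r\n",
    b"\x33\xcc" * 16,
])

# A benign autorun.inf for comparison (also constructed).
CLEAN_AUTORUN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n"

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_autorun(raw: bytes) -> Dict[str, str]:
    """Lenient INI parse: keep key=value lines inside [autorun], ignore all else.

    Assumption: lines that are neither a section header nor a key=value pair
    are skipped, which is how the padded file is treated here.
    """
    keys: Dict[str, str] = {}
    in_autorun = False
    for line in raw.decode("latin-1").splitlines():
        section = SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        kv = KEY_RE.match(line)
        if kv:
            keys[kv.group(1).lower()] = kv.group(2)
    return keys


def binary_ratio(raw: bytes) -> float:
    """Fraction of bytes that are not printable ASCII or whitespace."""
    if not raw:
        return 0.0
    junk = sum(1 for b in raw if not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)))
    return junk / len(raw)


def assess(raw: bytes) -> List[str]:
    """Return findings for the decoy pattern described in the post."""
    keys = parse_autorun(raw)
    findings: List[str] = []
    action = keys.get("action", "")
    icon = keys.get("icon", "")
    target = keys.get("shellexecute") or keys.get("open", "")

    # Large amounts of non-text data in a plain INI file is itself a tell.
    if binary_ratio(raw) > 0.10:
        findings.append("heavy binary padding around the [Autorun] section")
    # shell32.dll,4 is the standard folder icon the post calls out as the decoy.
    if re.search(r"shell32\.dll\s*,\s*4$", icon, re.IGNORECASE):
        findings.append("Icon borrows the folder icon from shell32.dll,4")
    # An "open folder" label attached to an entry that actually launches a file.
    if target and re.search(r"\bfolder\b", action, re.IGNORECASE):
        findings.append("Action text promises a folder but the entry runs " + target)
    # The launch target is tucked away under a RECYCLER directory.
    if re.search(r"\\RECYCLER\\", target, re.IGNORECASE):
        findings.append("launch target is hidden under a RECYCLER directory")
    return findings


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_AUTORUN), ("clean", CLEAN_AUTORUN)):
        print(name, parse_autorun(data))
        for finding in assess(data):
            print("  -", finding)
```

Run against a real device, the script would read `autorun.inf` from the drive root and pass its bytes to `assess`; the constructed sample produces all four findings, while the benign file produces none. The ratio threshold is a rough heuristic chosen for this example, not a value from the post.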


April 2, 2009 | social engineering | 1 Comment

When to upgrade to Windows 7?

IT shops continue to hold off on Vista upgrades in favor of waiting for Windows 7, but individual corporate circumstances may require some action sooner rather than later.

Gartner Inc., the Stamford, Conn.-based consulting firm recently polled 166 of its US-based clients representing three million PCs, and just under 100 of its European-based clients representing just under one million PCs. Vista adoption continues its slow pace, with roughly half of respondents saying they will not upgrade or are making no plans either way.

In fact, by the end of 2008 only 6% of the organizations had started installing Vista. That’s about half of the number of organizations that had installed Windows 2000 by the same time in its evolution, said Michael Silver, a Gartner analyst and one of the report’s authors.

Only one-third of respondents said they would roll out Vista in 2009 in both North America and Europe.

Get thee off of XP

Skipping Vista does have its consequences. It means that IT shops with four- or five-year hardware refresh cycles will have a truncated OS upgrade cycle as they move to Windows 7, Silver said.

Silver advises IT shops to at least move some end users off of XP. “We have a lot of clients that skip an OS and they call us up late in their OS’s life,” he said. “They say, we can’t get off of Windows 2000 fast enough. We don’t have the budget and our applications don’t support it anymore.”

XP will only be supported with security fixes until April 2014 and it’s unlikely that most Windows 7 deployments will begin until 2011. A release candidate of Windows 7 is widely expected in September 2009, but it will take a while for third-party applications to support a new release, as is typical.

If IT shops start a Windows 7 deployment in early 2011, it means that, through regular attrition, it will be hard for them to get off XP before Microsoft ends support and third-party vendors pull back their own XP support. Support for XP by third parties is expected to become a problem by 2012, Silver said.

Add Windows 7 to your budget on new and existing PCs for 2011 and 2012.

For IT shops interested in running hosted virtual desktops, it’s better to run Windows XP on the same hardware than Windows Vista, because XP is less resource intensive and requires less disk space. The tools to manage hosted virtual machines are still in their infancy.

By the time Windows 7 becomes mainstream, virtual desktop infrastructure (VDI) and the management technology that supports VDI should be mature.

March 28, 2009 | Industry Best Practice, IT News, Technology | Leave a comment