20101018 Information Security News Briefing. Presenters: 曾家雄、劉旭哲、莊承恩. NEW MALWARE MUROFET...


Page 1: 20101018 Information Security News Briefing. Presenters: 曾家雄、劉旭哲、莊承恩. NEW MALWARE MUROFET FOLLOWING CONFICKER'S LEAD October 15, 2010 Dennis Fisher.

20101018 Information Security News Briefing
Presenters: 曾家雄、劉旭哲、莊承恩

Page 2:

NEW MALWARE MUROFET FOLLOWING CONFICKER'S LEAD
October 15, 2010
Dennis Fisher

Page 3:

Conficker
• A computer worm targeting the Microsoft Windows operating system
• First detected in November 2008
• Co-opts machines and links them into a virtual computer that can be commanded remotely

Page 4:

Conficker Variant
• Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E

Page 5:

Conficker Variant

Page 6:

Conficker Variant

Page 7:

Payload Propagation
• Variant A
  • Generates a list of 250 domain names every day across five TLDs
  • The domain names are generated from a pseudo-random number generator seeded with the current date

Page 8:

Payload Propagation
• Variant B increases the number of TLDs to eight, and produces domain names disjoint from those of variant A
• Variant D generates daily a pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day
• The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics
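The slides above describe the defender's problem with a DGA: a client walks through hundreds of generated names per day, most of which do not resolve, and the later variant shortened its names specifically to defeat length-based heuristics. The following is an added example, not code from the slides or from the Threatpost article, of a detector that scores each client on its burst of NXDOMAIN answers and on lexical features of the failed second-level labels (vowel ratio, character entropy) instead of name length. The log format, the sample log lines and the thresholds are constructed assumptions.

```python
"""Heuristic DGA-client detection over DNS resolver logs (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log lines (not real traffic). Assumed format:
# "<timestamp> <client-ip> <queried-name> <rcode>"
SAMPLE_LOG = """\
2010-10-18T09:00:01 10.0.0.5 www.example.com NOERROR
2010-10-18T09:00:02 10.0.0.5 mail.example.com NOERROR
2010-10-18T09:00:03 10.0.0.7 qzmtrpwk.net NXDOMAIN
2010-10-18T09:00:03 10.0.0.7 xbvhlq.biz NXDOMAIN
2010-10-18T09:00:04 10.0.0.7 jrtkqmz.org NXDOMAIN
2010-10-18T09:00:04 10.0.0.7 wpdfn.com NXDOMAIN
2010-10-18T09:00:05 10.0.0.7 vkrtmq.info NXDOMAIN
2010-10-18T09:00:05 10.0.0.7 hgzlw.net NXDOMAIN
2010-10-18T09:00:06 10.0.0.9 cdn.example.com NOERROR
2010-10-18T09:00:07 10.0.0.9 typo.exmaple.com NXDOMAIN
"""

VOWELS = set("aeiou")


def parse_line(line):
    """Split one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode


def second_level_label(qname):
    """Label left of the TLD ('www.example.com' -> 'example').
    Simplification: the last label is taken as the whole public suffix,
    so multi-part suffixes such as co.uk are not handled."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Shannon entropy of the characters of s, in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of characters in s that are vowels (0.0 for an empty string)."""
    return sum(ch in VOWELS for ch in s) / len(s) if s else 0.0


def summarize_clients(log_text):
    """Per-client query counts plus lexical statistics of the NXDOMAIN labels."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = parse_line(line)
        stats = per_client[client]
        stats["queries"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
            stats["labels"].append(second_level_label(qname))
    summary = {}
    for client, stats in per_client.items():
        labels = stats["labels"]
        n = len(labels) or 1  # avoid division by zero for clients with no failures
        summary[client] = {
            "queries": stats["queries"],
            "nxdomain": stats["nxdomain"],
            "mean_len": sum(map(len, labels)) / n,
            "mean_entropy": sum(map(shannon_entropy, labels)) / n,
            "mean_vowel_ratio": sum(map(vowel_ratio, labels)) / n,
        }
    return summary


def flag_dga_clients(log_text, min_nxdomain=5, max_vowel_ratio=0.25, min_entropy=2.0):
    """Clients whose NXDOMAIN burst looks algorithmically generated.

    Thresholds are illustrative assumptions. Label length is deliberately
    not a criterion, because a DGA can shorten its names to evade it."""
    flagged = []
    for client, s in summarize_clients(log_text).items():
        if (s["nxdomain"] >= min_nxdomain
                and s["mean_vowel_ratio"] <= max_vowel_ratio
                and s["mean_entropy"] >= min_entropy):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in summarize_clients(SAMPLE_LOG).items():
        print(client, s)
    print("suspected DGA clients:", flag_dga_clients(SAMPLE_LOG))
```

On the constructed log, only 10.0.0.7 is flagged: it has six NXDOMAIN answers for vowel-free, high-entropy labels, whereas 10.0.0.9's single typo does not reach the burst threshold. A single misspelled query never trips the detector; a sustained run of non-resolving random-looking names does, regardless of how short those names are.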

Page 9:

Murofet
• The main similarity between Conficker and Murofet is that both pieces of malware use a pre-determined algorithm to generate seemingly random domains
• It generates pseudo-random domain names based on the year, month, day, and minute of execution
• Upon executing, Murofet starts a thread that attempts to download malware updates

Page 10:

Pseudo-Random Domain Algorithm
• It generates two DWORD values
• The first is composed of the month, day, and low byte of the year of the date of execution, plus 0x30 (48)
• The second DWORD value is based on the minute of execution, multiplied by 0x11 (17)

Page 11:

Pseudo-Random Domain Algorithm

Page 12:

Pseudo-Random Domain Algorithm

Day, Month, Year -> + 0x30 -> First DWORD
Minute -> * 0x11 -> Second DWORD
First DWORD | Second DWORD = 64 bits => 16 nibbles in total
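The two slides above give the ingredients of Murofet's seed: a first DWORD built from month, day and the low byte of the year plus 0x30, a second DWORD equal to the minute times 0x11, and the 64-bit concatenation split into 16 nibbles. The following is an added example, not code from the slides or from the Murofet sample, that reconstructs those seeds so a defender can see why the output is predictable: the seeds depend only on the date and the minute, so all 60 possible pairs for a day can be enumerated in advance, which is what makes DGA domains blockable or sinkholable ahead of time. The byte layout inside the first DWORD is not stated on the slides and is an assumption here; the step from nibbles to a domain string is not on the slides and is not reproduced.

```python
"""Murofet seed reconstruction (added example; layout is an assumption)."""


def first_dword(year, month, day):
    """Month, day and the low byte of the year, plus 0x30, as on the slides.

    Assumed packing (not stated on the slides): year_low << 16 | month << 8 | day.
    """
    year_low = year & 0xFF
    packed = (year_low << 16) | (month << 8) | day
    return (packed + 0x30) & 0xFFFFFFFF


def second_dword(minute):
    """Minute of execution (0-59) multiplied by 0x11, as on the slides."""
    if not 0 <= minute <= 59:
        raise ValueError("minute must be in 0..59")
    return (minute * 0x11) & 0xFFFFFFFF


def to_nibbles(dword1, dword2):
    """Concatenate the two DWORDs (first DWORD in the high half) into 64 bits
    and return its 16 nibbles, most significant first."""
    value = (dword1 << 32) | dword2
    return [(value >> (4 * i)) & 0xF for i in range(15, -1, -1)]


def seeds_for(year, month, day, minute):
    """(first DWORD, second DWORD) for one execution time."""
    return first_dword(year, month, day), second_dword(minute)


def daily_seed_pairs(year, month, day):
    """Every seed pair the algorithm can produce on one calendar day.

    Only the minute varies within a day, so a defender can pre-compute all 60
    pairs and whatever the malware derives from them before the day begins."""
    return [seeds_for(year, month, day, m) for m in range(60)]


if __name__ == "__main__":
    d1, d2 = seeds_for(2010, 10, 18, 5)  # the briefing date, minute 5
    print(f"first DWORD : 0x{d1:08X}")
    print(f"second DWORD: 0x{d2:08X}")
    print("nibbles     :", to_nibbles(d1, d2))
    print("seed pairs for the day:", len(daily_seed_pairs(2010, 10, 18)))
```

Because the second DWORD is just minute * 17, its value never exceeds 0x3EB, and the first DWORD changes once per day; the entire seed space for a given date is therefore 60 values, which is the property that lets sinkhole operators register or block the generated names before the bot asks for them.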

Page 14:

MICROSOFT WANTS TO CORDON OFF BOTNET-INFECTED COMPUTERS
Presenter: 劉旭哲

Page 15:

• Botnets = Zombie Network
  • DDoS
  • Spread spam
• "collective action" to combat cyberthreats -- particularly botnets.

Page 16:

1. Individual defense
   • firewalls, antivirus, and automatic updates
2. Collective defense
   • Computer Emergency Response Teams (CERTs)
3. Active defense
4. Offense

Page 17:

• New users, devices, and applications.
• Zeus botnet that captured users' banking sign-on information.
• New thinking and expanded approaches need to be applied to combat cyber threats

Page 18:

• "If you were the person whose computer was infected, wouldn't you want to know?"
• Public Health Model
  • Computer = Human

Page 19:

Public Health Model
• Two complementary approaches:
  ① bolstering efforts to identify infected devices
  ② promoting efforts to better demonstrate device health
• Identify infected devices
• Restrict infected devices
• At least one access provider is now attempting this approach: Comcast

Page 20:

Comcast
• Constant Guard
• Damballa, a botnet research firm
• Uses a toolbar
• The first ISP to provide this type of in-browser notification

Page 21:

• Demonstrate device health:
  ① a mechanism to produce a health certificate
  ② trust
  ③ access providers request health certificates and take appropriate action
  ④ create supporting policies and rules

Page 22:

Defect
• If there are some emergency services, infected computers may still be permitted
• For example, cell phones.

Page 23:

• At least two advantages:
  ① Before online banking activities
  ② More effective remediation
    • The ISP could know the specific device

Page 24:

Conclusion
• Not perfect
• Balance security and privacy
• Building a socially acceptable and financially sustainable model
• Collective action

Page 26:

WEBGOAT
Presenter: 莊承恩