Security

Taming Conficker, the Easy Way

Posted by kdawson
from the scanner-lightly dept.
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
  • Wow! (Score:5, Insightful)

    by MrNaz (730548) * on Monday March 30, 2009 @08:09AM (#27386505) Homepage

    Wow. So this:

    IT tech: Do you know if your workstation has a virus?
    User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]

    Which would happen once for every node on the network, would become this:

    root@admin:~$ nmap 192.168.0.* -confickercheck

    Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.

    • Re:Wow! (Score:4, Insightful)

      by lga (172042) on Monday March 30, 2009 @08:31AM (#27386691) Homepage Journal

      I don't know about you, but on my network I run a centrally administered virus scanner. It seems quite a bit easier than asking every user!

    • Re:Wow! (Score:4, Insightful)

      by morgan_greywolf (835522) on Monday March 30, 2009 @08:33AM (#27386703) Homepage Journal

      If only all malware was this easy to detect. Unfortunately, despite the proliferation of automatic virus scanners, "firewalls," and various other techniques, infections still occur.

      The main problem is the current monoculture in desktop operating systems. No matter what you think of Microsoft, no matter what you think of Windows, you have to admit that having 90% marketshare of a single OS on desktop operating systems is the biggest part of the problem. The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it on on an OS that has always been designed to be a highly integrated one-size-fits-all solution.

      • Re: (Score:2, Interesting)

        by drsmithy (35869)

        The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it on on an OS that has always been designed to be a highly integrated one-size-fits-all solution.

        How is "network security" any more (or less) "bolted on" in Windows NT vs UNIX (or Linux) ?

        What exactly do you mean by "network security" ?

        • Re:Wow! (Score:4, Interesting)

          by Anonymous Coward on Monday March 30, 2009 @09:51AM (#27387505)

          No one said that network security isn't "bolted on" in UNIX.

          But there are other machines which are definitely invulnerable to the attack methods used by worms like Conficker (typically modifying program flow by injecting executable code and altering address pointers, so the injected code will be executed).

          For example, IBM's AS/400 / iSeries 400 / eServer i5 (/ or whatever the name is today) has built-in (hardware-supported) pointer protection and separate address-stack and data-stack.
          Actually, that is the reason why the CPUs are sometimes called "65-bit CPUs" instead of "64-bit CPUs" - the 65th bit is a tag flag (in memory, it's stored in the ECC area).

          The details can be read in the book "The Inside Story of the IBM iSeries" by Frank G. Soltis.

          What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.

          • What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.

            As long as you give the user the freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.)

      • Re: (Score:3, Insightful)

        by BenoitRen (998927)

        Actually, most infections today occur thanks to social engineering. The biggest liability is still what's between the keyboard and the chair.

    • by AliasMarlowe (1042386) on Monday March 30, 2009 @08:57AM (#27386899) Journal

      Which would happen once for every node on the network, would become this:
      root@admin:~$ nmap 192.168.0.* -confickercheck

      But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
      http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172 [slashdot.org]
      http://yro.slashdot.org/article.pl?sid=08/01/03/2056223 [slashdot.org]
      So if you use nmap to clean your network, you may be open to criminal charges.

      • Other "hacker tools":
        • ping
        • tracert
        • net
        • netstat

        Forget nmap; Windows is just one big hacker suite.

      • by smallfries (601545) on Monday March 30, 2009 @09:23AM (#27387195) Homepage

        Not in the UK, according to the articles that you linked to. The prosecution have to show that you intended to use the tool to commit a crime - possession is not enough. Did you actually read the links that you posted?

        • by AliasMarlowe (1042386) on Monday March 30, 2009 @09:54AM (#27387539) Journal

          Not in the UK, according to the articles that you linked to. The prosecution have to show that you intended to use the tool to commit a crime - possession is not enough. Did you actually read the links that you posted?

          Yes, I did. According to the linked article, if you distribute a "hacker tool" that somebody else then uses for an illegal purpose, you're on the hook under UK law. Even if you commit no crime with it.

          • by blueg3 (192743)

            So, did you then confuse possession and distribution? I still don't see how possession of nmap, neither committing a crime nor intending to, is illegal under that reading.

          • Re: (Score:3, Funny)

            by smallfries (601545)

            Ok so you did read it. And I'll assume that you are aware of what you wrote the first time. And I'll assume that you read my response. The only possible logical conclusions are either a) you don't know the difference between possession and distribution (thanks blueg3), or b) you are an idiot. I'm not as generous as blueg3, I think you lack the intellectual faculties to post on slashdot. It's a low bar, but by god you've hit it.

            I'm going to try though, and see if you could understand with a little coaching, a

        • by Builder (103701) on Monday March 30, 2009 @10:08AM (#27387707)

          IIRC the actual standard has been reduced to 'could be useful to commit a crime'.

          Several people in this country currently have criminal convictions for possessing certain books because they 'may be useful to someone planning a terrorist attack'

          Not WERE planning attack. Not were part of a group of known terrorists with known events behind them. Just 'may be useful to someone planning a terrorist attack'.

          Trust the law in this country? Hell no!

          • Re: (Score:3, Interesting)

            by drinkypoo (153816)

            Someone I know was personally investigated by the local police as possible dope growers (some years ago, when it was still entirely illegal in the state of California, where all this transpired) because they were known to possess shovels. Not a joke. The police came and inspected the bamboo grove that apparently triggered the inspection... This is not a third-hand story, either. Or even second-hand, to me :)

    • Re:Wow! (Score:5, Funny)

      by cbiltcliffe (186293) on Monday March 30, 2009 @09:21AM (#27387163) Homepage Journal

      If you have even half-assed antivirus in a corporate environment, you'll be able to log into the admin console, and see what machines are infected.
      You can also see when a machine was last in contact with the controller, so if a virus kills the A/V on a machine, it will stop contacting. Anything that's been over a week since contact automatically should be physically investigated.

      Of course, you could be using Norton Internet Security 2009 on your corporate machines, which doesn't have this capability. But if you are, you're an incompetent moron, and shouldn't be trusted with a Gameboy, forget a multi-computer corporate network.

    • by fv (95460) * <fyodor@insecure.org> on Monday March 30, 2009 @06:12PM (#27394543) Homepage
      I'm happy to report that we've just released Nmap 4.85BETA5 with Conficker detection so you can do that scan! The actual recommended command is:

      nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

      For more details, see the announcement at http://insecure.org [insecure.org].
      -Fyodor
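Fyodor's command prints its verdicts per host, which is fine for a handful of machines but not for a /16. The script below is an added example (not Nmap's code and not from Fyodor's post): it builds the exact command from the comment with `-oX -` appended so Nmap emits XML, then parses the host script results into a per-IP verdict. The XML layout it expects (`<hostscript><script id="smb-check-vulns" output="..."/>` with a `Conficker: ...` line in the output text) and the sample document are my assumptions, constructed to match the script's output as I understand it; check them against the XML your Nmap version actually produces before relying on the parser.

```python
"""Summarise Conficker verdicts from an Nmap XML run of smb-check-vulns.

Added example. Assumes Nmap writes host-script results as
<hostscript><script id="smb-check-vulns" output="..."/> and that the
output text contains a line "Conficker: <verdict>". SAMPLE_XML below is
constructed, not real scanner output.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-check-vulns"
CONFICKER_LINE = re.compile(r"Conficker:\s*(.+)")


def build_command(targets, xml_out="-"):
    """The command from the comment, plus -oX so the result is parseable.

    "-" sends the XML to stdout. -PN was the spelling in Nmap 4.85;
    newer releases accept -Pn as well.
    """
    return ["nmap", "-PN", "-T4", "-p139,445", "-n", "-v",
            "--script=smb-check-vulns", "--script-args", "safe=1",
            "-oX", xml_out] + list(targets)


def classify(output_text):
    """Map the script's free-text verdict onto infected/clean/unknown."""
    m = CONFICKER_LINE.search(output_text)
    if not m:
        return "unknown"
    text = m.group(1).upper()
    if "INFECTED" in text:
        return "infected"
    if "UNKNOWN" in text:      # e.g. non-Windows host; the script hedges
        return "unknown"
    if "CLEAN" in text:
        return "clean"
    return "unknown"


def parse_results(xml_text):
    """Return {ipv4: verdict}. Hosts whose script never ran are 'unknown'."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
        if addr is None:
            continue
        verdict = "unknown"   # ports closed, script skipped, etc.
        for script in host.iter("script"):
            if script.get("id") == SCRIPT_ID:
                verdict = classify(script.get("output", ""))
        results[addr] = verdict
    return results


def infected_hosts(results):
    """Sorted list of IPs the scan flagged as likely infected."""
    return sorted(ip for ip, v in results.items() if v == "infected")


def scan(targets):
    """Run nmap and parse it (needs nmap on PATH; not exercised offline)."""
    proc = subprocess.run(build_command(targets), capture_output=True,
                          text=True, check=True)
    return parse_results(proc.stdout)


# Constructed sample: one flagged host, one clean host, one with no result.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up" reason="user-set"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely INFECTED&#10;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host><status state="up" reason="user-set"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host><status state="up" reason="user-set"/>
    <address addr="192.168.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample; replace with scan(["192.168.0.0/24"]).
    print(infected_hosts(parse_results(SAMPLE_XML)))
```

The "unknown" bucket is kept separate from "clean" on purpose: a host with 139/445 closed, or one the script could not fingerprint, has not been cleared, and a report that silently folds those into "clean" is the kind that gets a worm missed.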

  • by arndawg (1468629) on Monday March 30, 2009 @08:28AM (#27386661)
    "You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both English and Norwegian.
  • by Shrike82 (1471633) on Monday March 30, 2009 @08:39AM (#27386761)

    We figured this out on Friday, and got code put together for Monday.

    And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.

  • So... (Score:5, Insightful)

    by ericrost (1049312) on Monday March 30, 2009 @08:41AM (#27386771) Homepage Journal

    So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....

    Very crappy post, editors!

    • Re:So... (Score:5, Insightful)

      by Zocalo (252965) on Monday March 30, 2009 @08:48AM (#27386827) Homepage
      From Dan Kaminsky's site [doxpara.com], immediately under the bit that looks like the Slashdot story funnily enough, so I'm guessing it got dropped to save space on the Slashdot front page:

      The technical details are not complicated -- Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version -- but I'll let Tillmann and Felix describe this in full in their "Know Your Enemy" paper, due out any day now with all sorts of interesting observations about this annoying piece of code. (We didn't think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

  • I don't get it ... (Score:2, Interesting)

    by Slayer (6656)

    The most common infection vector is because people run executables from untrusted sources. And now Tillmann and Felix expect us to download a scanner and run it on our systems ?

    Next time someone recommends GTA for driving schools ....

  • by jquest (530244) * on Monday March 30, 2009 @09:06AM (#27386991)
    McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx [nai.com]
  • or other way.. (Score:5, Interesting)

    by orange47 (1519059) on Monday March 30, 2009 @09:07AM (#27387001)
    You could tell all people to try and open this web page: http://www.clamav.net/ [clamav.net] or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention [sri.com] ) If they can't then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.
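The check orange47 describes can be scripted so that a user runs one command instead of trying web pages by hand. The script below is an added example (not from the comment, the SRI page, or any vendor): it tries to resolve a set of security-vendor names and a control name, then distinguishes "everything fails" (a DNS or network problem, no evidence of the worm) from "only the security names fail" (the pattern the comment describes). clamav.net comes from the comment; the rest of the suspect list is a sample to be filled from the SRI addendum, and using example.com as the control is my assumption. It is written for a current Python 3, not the Python 2.6 used in the HOWTO further down.

```python
"""Host-side self-check for selective blocking of security-vendor domains.

Added example. Suspect list is a sample (clamav.net is from the comment;
extend it from the SRI addendum). CONTROL_DOMAINS is an assumed reference
name the worm is not known to block, so that "no DNS at all" is not
mistaken for "selectively blocked".
"""
import socket

SUSPECT_DOMAINS = ["clamav.net", "www.clamav.net"]   # sample; extend from SRI list
CONTROL_DOMAINS = ["example.com"]                    # assumed unblocked name


def resolve_all(domains, resolve=socket.gethostbyname):
    """Return {domain: True/False} using an injectable resolver."""
    out = {}
    for name in domains:
        try:
            resolve(name)
            out[name] = True
        except OSError:        # socket.gaierror is a subclass
            out[name] = False
    return out


def assess(suspect_results, control_results):
    """Return 'no-dns', 'likely-blocked', 'partially-blocked' or 'ok'."""
    if not any(control_results.values()):
        # Nothing resolves: fix the network first, this says nothing about the worm.
        return "no-dns"
    failed = [d for d, ok in suspect_results.items() if not ok]
    if not failed:
        return "ok"
    if len(failed) == len(suspect_results):
        return "likely-blocked"
    return "partially-blocked"


def self_check(resolve=socket.gethostbyname):
    """Run both lookups with the given resolver and return the verdict."""
    return assess(resolve_all(SUSPECT_DOMAINS, resolve),
                  resolve_all(CONTROL_DOMAINS, resolve))


def make_resolver(blocked):
    """Fake resolver for dry runs: fails for names in `blocked`, else answers."""
    def resolve(name):
        if name in blocked:
            raise OSError("simulated lookup failure for " + name)
        return "203.0.113.1"   # documentation-range address, constructed
    return resolve


if __name__ == "__main__":
    print("live check:", self_check())
    print("dry run, all suspects blocked:",
          self_check(make_resolver(set(SUSPECT_DOMAINS))))
```

A "likely-blocked" result is a prompt to scan the host with a proper tool, not a diagnosis by itself: a corporate proxy or DNS policy that denies those names produces the same pattern, which is why the control domain is there and why the verdict is phrased as "likely".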
  • Windows HOWTO (Score:5, Informative)

    by Dynamoo (527749) on Monday March 30, 2009 @09:15AM (#27387085) Homepage
    1. Download and install Python 2.6.1: http://www.python.org/ftp/python/2.6.1/python-2.6.1.msi [python.org]
    2. Download Impacket from http://oss.coresecurity.com/repo/Impacket-stable.zip [coresecurity.com] (or maybe http://pypi.zestsoftware.nl/impacket/ [zestsoftware.nl] or some other mirror)
    3. Download the scanner from http://iv.cs.uni-bonn.de/uploads/media/scs.zip [uni-bonn.de]
    4. Unpack Impacket into a folder, then install Impacket from a command line with c:\python26\python setup.py install
    5. Run the scanner with the command c:\python26\python scs.py [start_ip] [end_ip]

    (Hat tip to an AC comment at El Reg [theregister.co.uk]). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot [atomicsoft...utions.com] works well and is easier to install.

    • I have no mod points, but the links in the actual story have zero information on actually running a scan. I'm scanning my office network right now solely because of this comment.

  • Why isn't this the standard method for /all/ virus scanning? Remote scans are the only method which has ever seemed sane to me.. why would you run software to detect if the software you're running has been compromised? That's why I don't run virus scanners: it's pointless.

    Give me a program that I can run on a "known good" system (for example, a system which boots off write-once media) and which monitors the local network for suspicious activity. I'll run that one.

    • Re: (Score:3, Informative)

      by smallfries (601545)

      Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.

  • by British (51765) <british1500@gmail.com> on Monday March 30, 2009 @09:48AM (#27387459) Homepage Journal

    I thought it was funny, one of the newscasters on 60 minutes said she just got "owned". It's funny since this is the same show Andy "I'm out of touch with reality" Rooney is on.

  • by girlintraining (1395911) on Monday March 30, 2009 @10:26AM (#27387937)

    It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.

    Would you rather:
    a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
    b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
    c) Do nothing, because "there's nothing important on my computer anyway."

    Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their systems are vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their systems secure.

    Big surprise when they choose the devil they know.

  • by Matt Perry (793115) on Monday March 30, 2009 @12:15PM (#27389625)

    "Thanks Dan! We'll be sure to patch this problem in the next Conficker update."

