Security

Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
  • Re:Wow! (Score:5, Informative)

    by fuzzyfuzzyfungus ( 1223518 ) on Monday March 30, 2009 @08:28AM (#27386667)
    If only the users who leave their printers unplugged habitually used linux...

    To be fair, you can do something similar in Windows; but it sure isn't the soul of wit [msdn.com].
  • Re:It just amazes me (Score:5, Informative)

    by Computershack ( 1143409 ) on Monday March 30, 2009 @08:30AM (#27386681)

    I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.

    You mean like patching the flaw MONTHS before Conficker was released?

    What about having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done, which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...

    Oh wait...

  • Re:Wow! (Score:4, Informative)

    by Binestar ( 28861 ) on Monday March 30, 2009 @08:34AM (#27386711)

    You'll want to exclude at least /dev and /proc from that command if you want it to complete. I actually just prefer dd for ease of destruction.

  • Re:i find it so hard (Score:5, Informative)

    by Ralish ( 775196 ) <sdl@@@nexiom...net> on Monday March 30, 2009 @08:37AM (#27386737)
    In fact, having double checked my information, the security patch that fixes the vulnerability that Conficker exploits was released prior to the creation and subsequent distribution of Conficker.

    So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.
  • by jquest ( 530244 ) * on Monday March 30, 2009 @09:06AM (#27386991)
    McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx [nai.com]
  • Window HOWTO (Score:5, Informative)

    by Dynamoo ( 527749 ) on Monday March 30, 2009 @09:15AM (#27387085)
    1. Download and install Python 2.6.1: http://www.python.org/ftp/python/2.6.1/python-2.6.1.msi [python.org]
    2. Download Impacket from http://oss.coresecurity.com/repo/Impacket-stable.zip [coresecurity.com] (or maybe http://pypi.zestsoftware.nl/impacket/ [zestsoftware.nl] or some other mirror)
    3. Download the scanner from http://iv.cs.uni-bonn.de/uploads/media/scs.zip [uni-bonn.de]
    4. Unpack Impacket into a folder, then install Impacket from a command line with c:\python26\python setup.py install
    5. Run the scanner with the command c:\python26\python scs.py [start_ip] [end_ip]

    (Hat tip to an AC comment at El Reg [theregister.co.uk]). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot [atomicsoft...utions.com] works well and is easier to install.

  • Re:i find it so hard (Score:4, Informative)

    by Tony Hoyle ( 11698 ) * <tmh@nodomain.org> on Monday March 30, 2009 @09:19AM (#27387133)

    There is no 'grand activation date'. April 1st *or later* when it updates itself... it's more likely to upgrade to Conficker D than do anything else.

    It's just not in the authors' interest to do any damage - whilst people don't know they are infected they can participate in the botnet. If the virus makes itself obvious then all that potential revenue is destroyed.

    The f-secure blog puts it best: http://www.f-secure.com/weblog/archives/00001636.html [f-secure.com]

  • Re:i find it so hard (Score:2, Informative)

    by mrsurb ( 1484303 ) on Monday March 30, 2009 @09:23AM (#27387187)
    Pirated versions of Windows end up with automatic updating turned off as a way of getting around Microsoft's Genuine Advantage validation tests.
    by smallfries ( 601545 ) on Monday March 30, 2009 @09:36AM (#27387325)

    Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.

  • by ThrowAwaySociety ( 1351793 ) on Monday March 30, 2009 @09:36AM (#27387331)

    So how do you use a mouse with a Scottish accent? Curious minds are dying to know.

    http://www.youtube.com/watch?v=wzRziK-kZtQ [youtube.com]

    Just drop your geek card in the slot by the door as you leave.

  • Re:i find it so hard (Score:4, Informative)

    by cbiltcliffe ( 186293 ) on Monday March 30, 2009 @09:42AM (#27387409)

    I'd say as a rough guess, that 75% of viruses/trojans/malware nowadays turn off Windows Update as part of the infection process.

    Somebody gets one of these fake Facebook spams, goes to the site in question to see Amanda Whatserface doing her striptease on stage, downloads Adobe_Player11.exe, so they can see the video, and bam. They're infected.

    And before you bitch about them not having up-to-date antivirus... I sent this file to virustotal.com a couple of days after I first got one of these spams, and it was detected as a known virus by a grand total of zero scanners.
    Two flagged it as a suspicious file, and the rest (37 or so) let it sail on through.

    Somebody gets hit with one of these things, and they'll have no A/V, no Auto Updates, and probably no firewall. They won't know it, because they'll also have no Security Center Service.

    Or there's the possibility that they got infected, took their machine to a big-box moron to get it fixed, and the idiot in question cleaned the virus, but didn't enable all the disabled services. So again, no firewall, no Auto Updates.

    It's not all because they're turned off intentionally.

    by AliasMarlowe ( 1042386 ) on Monday March 30, 2009 @09:54AM (#27387539)

    Not in the UK, according to the articles that you linked to. The prosecution have to show that you intended to use the tool to commit a crime - possession is not enough. Did you actually read the links that you posted?

    Yes, I did. According to the linked article, if you distribute a "hacker tool" that somebody else then uses for an illegal purpose, you're on the hook under UK law. Even if you commit no crime with it.

  • by Builder ( 103701 ) on Monday March 30, 2009 @10:08AM (#27387707)

    IIRC the actual standard has been reduced to 'could be useful to commit a crime'.

    Several people in this country currently have criminal convictions for possessing certain books because they 'may be useful to someone planning a terrorist attack'.

    Not WERE planning attack. Not were part of a group of known terrorists with known events behind them. Just 'may be useful to someone planning a terrorist attack'.

    Trust the law in this country? Hell no!

  • Re:Wow! (Score:4, Informative)

    by gzipped_tar ( 1151931 ) on Monday March 30, 2009 @10:37AM (#27388121)
    Assuming you are using BASH, enabling the shopt "dotglob" may be helpful if you want the * glob to expand to dot-files.
  • Re:i find it so hard (Score:1, Informative)

    by Anonymous Coward on Monday March 30, 2009 @11:07AM (#27388511)

    On the other hand, turning off system updates entirely is easy.

    Yes, you go to Control Panel, Automatic Updates and click "Turn off Automatic Updates". Alternatively, you could click "Download updates for me, but let me choose when to install them", which is on the same dialog.

    This is not a UI discovery problem.

  • Re:Window HOWTO (Score:3, Informative)

    by prograde ( 1425683 ) on Monday March 30, 2009 @11:12AM (#27388601)
    The scanner needs to connect to port 445 of the target - if it's blocked by a firewall, you'll get a "No resp.". (BTW - links in the GP will also help you get the scanner running under Linux - I just had to install Impacket and run the scanner)
  • Re:Window HOWTO (Score:3, Informative)

    by morcego ( 260031 ) on Monday March 30, 2009 @11:39AM (#27389017)

    I actually installed both Impacket and Crypto, just to get rid of that warning.

    In any case, I'm running this on LANs, so there are no firewalls on the way. I'm not randomly scanning people on the internet. And yes, I am authorized to do this kind of thing on these networks.

  • Re:It just amazes me (Score:2, Informative)

    by SatanClauz ( 741416 ) on Monday March 30, 2009 @12:26PM (#27389813)

    Don't admin Windows much, do you? You're right, you can't MANUALLY run updates, but the auto updates sure as hell get applied! Wait... checking any of my 150 Windows boxes running as user full time... yep! Sure do!

  • Re:Hmmm... (Score:2, Informative)

    by txsable ( 169665 ) on Monday March 30, 2009 @12:52PM (#27390199)

    You haven't been paying attention to the AV vendors for long have you? in 1997 McAfee merged with Network General and became Network Associates (nai.com) which also sold Sniffer. Then, in April 2004, McAfee became McAfee again when NAI tried to sell off the Sniffer product/Network General component (which was purchased by NetScout in November 2004). McAfee continued using the nai.com domain until June 30th of 2004, when archive.org shows nai.com redirecting to mcafee.com for the first time. vil.nai.com has been the Network Associates/McAfee Virus Information Library (and now the more generic "Threat Library") since at least 1999. (Incidentally, the "top 10 virus threats" in Oct 1999 included "Laroux", "Melissa" and "Happy99". My, how far we've come....)

  • Re:So... (Score:4, Informative)

    by Sancho ( 17056 ) * on Monday March 30, 2009 @01:10PM (#27390421)

    Looks to me like you just use the smb checker script. If you have the latest source from SVN, something like this should work:

    nmap -sS --script smb-check-vulns.nse -p 139,445 -v -d -P0 -oA outputfilename hostornetworktoscan

  • Re:So... (Score:4, Informative)

    by iago-vL ( 760581 ) on Monday March 30, 2009 @01:26PM (#27390643)

    Hey guys,

    I'm the author of that script, and that's exactly right. I posted a full explanation on my blog [skullsecurity.org].

  • Re:So... (Score:4, Informative)

    by wiedzmin ( 1269816 ) on Monday March 30, 2009 @01:26PM (#27390649)
    Be VERY careful running it on your network, this is from the NMAP smb-check-vulns.nse script description:

    WARNING: These checks are dangerous, and are very likely to bring down a server. These should not be run in a production environment unless you (and, more importantly, the business) understand the risks!

    As a system administrator, performing these kinds of checks is crucial, because a lot more damage can be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers, on the other hand, might not want to use this script -- crashing services is not generally a good way of sneaking through a network.

    If you set the script parameter 'unsafe', then scripts will run that are almost (or totally) guaranteed to crash a vulnerable system; do NOT specify unsafe in a production environment! And that isn't to say that non-unsafe scripts will not crash a system, they're just less likely to.

    MS08-067 -- Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow remote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems, 52 crashed.

  • Re:It just amazes me (Score:1, Informative)

    by Anonymous Coward on Monday March 30, 2009 @01:51PM (#27391033)

    Automatic updates runs as a system service under the local system account so your computer will automatically receive and install automatic updates even if your login has only restricted rights.

  • Re:It just amazes me (Score:1, Informative)

    by Anonymous Coward on Monday March 30, 2009 @02:13PM (#27391331)

    Unless you turn on this option in your group policy:

    Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Allow non-administrators to receive update notifications.

    Set it to enabled and then even your limited users will be able to see that they have updates to install.

  • Re:So... (Score:2, Informative)

    by iago-vL ( 760581 ) on Monday March 30, 2009 @02:47PM (#27391785)

    That's correct. I added a 'safe' parameter last night, since the Conficker check is safe, and have been advocating its use in all my posts (you'll see "script-args=safe=1" in everything). Watch out for that.

    And for what it's worth, even if 'safe' is missing, it's only going to crash stuff that isn't patched for MS08-067.

  • Re:Wow! (Score:3, Informative)

    by Binestar ( 28861 ) on Monday March 30, 2009 @04:49PM (#27393271)

    The -f will skip over anything that can't be done, you know.
     
    What happens when your HD node is deleted from /dev? I'll answer that for you: No more deleted files. Everything prior to it getting to /dev is gone, but the rest is left. By going directly to the device with dd you'll complete the overwrite.

    by fv ( 95460 ) * <fyodor@insecure.org> on Monday March 30, 2009 @06:12PM (#27394543)
    I'm happy to report that we've just released Nmap 4.85BETA5 with Conficker detection so you can do that scan! The actual recommended command is:

    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

    For more details, see the announcement at http://insecure.org [insecure.org].
    -Fyodor

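The recommended sweep above, wrapped into a small script as an added example (this is not code from the Slashdot thread, the Nmap project, or the smb-check-vulns script). It keeps safe=1 so the MS08-067 check that crashed 52 of 82 vulnerable hosts in Brandon Enright's scan is never run, saves every output format with -oA, and pulls the flagged addresses out of the normal (.nmap) output file. Two things are assumed rather than taken from the page: that the script reports an infected host on a line containing "Conficker: Likely INFECTED", and that Nmap's normal output names each host on a line starting "Interesting ports on" (older releases) or "Nmap scan report for". The embedded scan output is constructed for the demo, not a real capture.

```shell
#!/bin/sh
# Added example: drive the safe Conficker sweep and extract the hits.
# Not code from the thread or from Nmap. Output-format strings below are
# assumptions (see the lead-in), not confirmed by the page.

# Run the sweep exactly as recommended by Fyodor. safe=1 disables the
# crash-prone MS08-067 check; -PN skips host discovery so firewalled boxes
# that drop ping are still probed; -oA writes $2.nmap, $2.gnmap and $2.xml.
conficker_sweep() {
    targets=$1
    outbase=$2
    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 \
        -oA "$outbase" "$targets"
}

# Print one address per line for every host whose script result says
# "Likely INFECTED", reading Nmap's normal (.nmap) output. Both host-header
# styles are handled (assumed formats): "Interesting ports on A.B.C.D:" and
# "Nmap scan report for name (A.B.C.D)" / "Nmap scan report for A.B.C.D".
conficker_infected_hosts() {
    awk '
        /^Interesting ports on / { host = $4; sub(/:$/, "", host) }
        /^Nmap scan report for /  {
            host = $5
            if (NF >= 6) { host = $6; gsub(/[()]/, "", host) }
        }
        /Conficker: Likely INFECTED/ { print host }
    ' "$1"
}

# Constructed sample of normal output: one infected host, one clean host,
# and one host whose 445/tcp is filtered (no verdict is possible there,
# matching the "No resp." behaviour noted above for the Python scanner).
conficker_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Interesting ports on 192.0.2.7:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  Conficker: Likely INFECTED
|_

Interesting ports on 192.0.2.8:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
|_

Interesting ports on 192.0.2.9:
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 3 IP addresses (3 hosts up) scanned in 2.50 seconds
EOF
    printf '%s\n' "$f"
}

# Usage: sh conficker_sweep.sh 192.0.2.0/24 conficker-scan
# With no arguments the parser is run over the constructed sample instead.
if [ "$#" -ge 2 ]; then
    conficker_sweep "$1" "$2"
    conficker_infected_hosts "$2.nmap"
else
    sample=$(conficker_sample_file)
    conficker_infected_hosts "$sample"
    rm -f "$sample"
fi
```

A host that shows 445/tcp filtered, like 192.0.2.9 in the sample, never gets a verdict: the check needs an SMB session, so a firewalled or unreachable machine is simply absent from the list rather than reported clean. Treat the output as "confirmed infected" and nothing more.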