Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Wow! (Score:5, Insightful)
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
Re:i find it so hard (Score:5, Insightful)
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Re:i find it so hard (Score:5, Insightful)
First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.
Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.
Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.
Re:i find it so hard (Score:5, Insightful)
to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
A few things:
1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?
2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of.
If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.
Re:Wow! (Score:4, Insightful)
I don't know about you, but on my network I run a centrally administered virus scanner. It seems quite a bit easier than asking every user!
Re:Wow! (Score:4, Insightful)
If only all malware was this easy to detect. Unfortunately, despite the proliferation of automatic virus scanners, "firewalls," and various other techniques, infections still occur.
The main problem is the current monoculture in desktop operating systems. No matter what you think of Microsoft, no matter what you think of Windows, you have to admit that having 90% marketshare of a single OS on desktop operating systems is the biggest part of the problem. The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it on on an OS that has always been designed to be a highly integrated one-size-fits-all solution.
Re:i find it so hard (Score:5, Insightful)
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?
Oh please confess... (Score:3, Insightful)
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April Fool.
Oh please let that "someone" stand up in the cube next to me. I could use some of that MS reward money right about now...
Oh, and it's gonna be kind of hard to get rich from interviews while occupying a cell in Gitmo. No, I doubt I'm overreacting here, in this day and age, this is an "act of terrorism".
So... (Score:5, Insightful)
So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
Re:So... (Score:5, Insightful)
The technical details are not complicated -- Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version -- but I'll let Tillmann and Felix describe this in full in their "Know Your Enemy" paper, due out any day now with all sorts of interesting observations about this annoying piece of code. (We didn't think it made sense to hold up the scanner while finishing up a few final edits on the paper.)
Re:Wow! (Score:3, Insightful)
Somehow I think that command would selectively work on the uninfected machines, and fail on the infected ones.
Re:But not in Germany or UK? (Score:4, Insightful)
Not in the UK, according to the articles that you linked to. The prosecution have to show that you intended to use the tool to commit a crime - possession is not enough. Did you actually read the links that you posted?
Re:i find it so hard (Score:5, Insightful)
When you've gone to make some coffee and you come back to the message "An important update required a restart of your computer." the first question you ask is "Where did my work go?" The second question is "How do I stop that happening again?"
Re:Am i doing it wrong? (Score:4, Insightful)
Much like the rest of the English speaking world, really.
Whack-a-Mole? (Score:2, Insightful)
Cinco de Mayo anybody?
Re:It just amazes me (Score:5, Insightful)
"You must be logged on as a member of the Administrators group to run the tool."
A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.
Better, yes, but no solution for PEBKAC (Score:3, Insightful)
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you give the user freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.).
Re:i find it so hard (Score:1, Insightful)
Really, to be honest, it isn't MS's responsibility to ensure that your illegal software works and is secure, that is your problem. MS isn't really fucking anyone over by not offering updates to pirate copies, you never paid them, so they don't give you anything.
Ho hum. The point is that everybody, including all MS's *paying* customers, suffer from the effects of the illegal installs not being patched - these PCs will be spambots (affects everybody) or launching DDoS attacks (affects the attacked site and its customers even if *they* are all legal and patched). The owners of the infected machines may not even notice they are affected so they may suffer *less* than some of the legal/patched machine owners.
Re:Hmmm (Score:2, Insightful)
The following comment might be potentially stupid, but why not just move the computer clock forward to April 1st, and see what Conficker does.
In that sense we already know what will happen. Computers infected with Conficker will get a new update. The problem is, it uses a routine which generates 50 000 different host names, many of which are legitimate, and tries to download updates from each of them. The Conficker owner will have updates ready on some of those servers, so what we don't know is what that update contains. We can probably be sure it will contain a fix for the part that makes it detectable remotely, though.
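The date-seeded host-name routine the comment describes is what lets a defender pre-compute the same list and match it against DNS logs. The code below is an added illustration, not Conficker's real algorithm (the page does not give its seeding, alphabet or TLD list) and not code from the thread; the generator, the log format and the sample log lines are all constructed for the example.

```python
import datetime
import hashlib

# Constructed stand-in for a date-seeded domain generator: every host that
# runs it on the same day derives the same list, so a defender can too.
TLDS = ["com", "net", "org"]  # assumed TLD set, not Conficker's


def generate_domains(day: datetime.date, count: int = 50) -> list:
    """Return `count` pseudo-random host names derived only from `day`."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4  # labels of 8 to 11 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def flag_dga_queries(dns_log_lines, day: datetime.date) -> list:
    """Return (client_ip, qname) pairs whose qname is on that day's list."""
    wanted = set(generate_domains(day))
    hits = []
    for line in dns_log_lines:
        # constructed log format: "<timestamp> <client_ip> query <qname>."
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in wanted:
            hits.append((parts[1], qname))
    return hits


# Constructed sample: two clients, two of the four queries hit the day's list.
DAY = datetime.date(2009, 4, 1)
DAY_LIST = generate_domains(DAY)
SAMPLE_LOG = [
    "2009-04-01T00:01:02 192.168.0.17 query www.example.com.",
    f"2009-04-01T00:01:05 192.168.0.17 query {DAY_LIST[3]}.",
    f"2009-04-01T00:01:06 192.168.0.42 query {DAY_LIST[10]}.",
    "2009-04-01T00:01:07 192.168.0.42 query updates.example.net.",
]

if __name__ == "__main__":
    for client, name in flag_dga_queries(SAMPLE_LOG, DAY):
        print(f"{client} resolved generated name {name}")
```

As the comment notes, many generated names are legitimate domains, so a single hit is a lead to investigate rather than proof of infection; repeated hits from one client across the day's list are the stronger signal.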
Re:i find it so hard (Score:5, Insightful)
Microsoft distributes security updates to _ALL_ editions of Windows that are currently maintained irrespective of the legality of the license. However, if you are not running a legal license, you can only receive updates through Automatic Updates, limited purely to security updates. Use of Windows/Microsoft Update and/or the downloading of non-security updates requires a valid license. The reasoning for this is to prevent exactly what you accuse Microsoft of not doing, reducing the risk of large viral/worm outbreaks and the impact of such outbreaks on Windows users, particularly those with legal licenses. Even if you completely fail WGA validation, you still will receive security updates through Automatic Updates.
Ideally, I'd prefer MS to permit security updates through the WU/MU frontend even if an invalid license is detected. I'm not sure what error message is displayed and if it prompts for Automatic Updates to be enabled or informs the user that they can still receive security updates through AU. However, the point remains that MS still permits a legal avenue of obtaining such updates, despite running an invalid license, at THEIR cost of distributing such updates.
There is no excuse for not being patched.
Re:i find it so hard (Score:4, Insightful)
This is much like the "linux uses a command line, so it's better. I don't care if you don't want to learn arcane syntax".
Windows is hard to configure correctly. If you don't know the magic registry line, or which utility buried in the system folders to use, there's no way in hell you can make the fine-grained adjustment not to automatically restart. On the other hand, turning off system updates entirely is easy. I'd count the clicks if I had a windows box available, but I guarantee it's not that many.
Reply from Conficker authors (Score:3, Insightful)
"Thanks Dan! We'll be sure to patch this problem in the next Conficker update."
Re:Wow! (Score:3, Insightful)
Actually, most infections today occur thanks to social engineering. The biggest liability is still what's between the keyboard and the chair.