Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
I don't get it ... (Score:2, Interesting)
The most common infection vector is people running executables from untrusted sources. And now Tillmann and Felix expect us to download a scanner and run it on our systems?
Next time someone recommends GTA for driving schools ....
Re:Wow! (Score:2, Interesting)
"rm -rf /*" does not remove "/.conficker"
"rm -rf /." (or just "rm -rf /") does.
Re:i find it so hard (Score:3, Interesting)
If this is the aim, why would it make sense for the worm to have a grand activation date, rather than just increasing the size of the botnet as fast as it can? Time is money, and if there are as many infected machines as it's thought there are, then this is just wasted opportunity since it was released into the wild.
Genuine question. Maybe in its inactive state it makes it harder to trace and shut down? But if not, it seems that if the purpose is a botnet it would be better to have it working as such from the get-go.
But not in Germany or UK? (Score:5, Interesting)
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172 [slashdot.org]
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223 [slashdot.org]
So if you use nmap to clean your network, you may be open to criminal charges.
The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it onto an OS that has always been designed to be a highly integrated one-size-fits-all solution.
How is "network security" any more (or less) "bolted on" in Windows NT vs UNIX (or Linux)?
What exactly do you mean by "network security"?
Re:Hmmm (Score:3, Interesting)
Sure you can. And add a transparent proxy to change the headers to the false, moved-forward time.
Re:So... (Score:5, Interesting)
I actually worked with the researchers on this. (This is Dan.)
Re:Wow! (Score:4, Interesting)
No one said that network security isn't "bolted on" in UNIX.
But there are other machines which are definitely invulnerable to the attack methods used by worms like Conficker (typically modifying program flow by injecting executable code and altering address pointers, so the injected code will be executed).
For example, IBM's AS/400 / iSeries 400 / eServer i5 (/ or whatever the name is today) has built-in (hardware-supported) pointer protection and separate address-stack and data-stack.
Actually, that is the reason why the CPUs are sometimes called "65-bit CPUs" instead of "64-bit CPUs" - the 65th bit is a tag flag (in memory, it's stored in the ECC area).
The details can be read in the book "The Inside Story of the IBM iSeries" by Frank G. Soltis.
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
Re:Hmmm (Score:3, Interesting)
ipc0nfig: ...why not just move the computer clock forward to April 1st, and see what Conficker does.
cdrudge:
For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.
I think ipc0nfig has a fair point - you could run a date-adjusted infected machine in a VM, isolated inside a virtual network, and monitor any disk/network activity.
Of course, you might not know what'll really happen unless you let it phone home, and even then you might not see what will happen on April 1st; but it might give more clues about which external addresses to block.
why so many systems aren't patched (Score:3, Interesting)
It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.
Would you rather:
a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
c) Do nothing, because "there's nothing important on my computer anyway."
Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two-hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their system is vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their system secure.
Big surprise when they choose the devil they know.
Re:But not in Germany or UK? (Score:3, Interesting)
Someone I know was personally investigated by the local police as possible dope growers (some years ago, when it was still entirely illegal in the state of California, where all this transpired) because they were known to possess shovels. Not a joke. The police came and inspected the bamboo grove that apparently triggered the inspection... This is not a third-hand story, either. Or even second-hand, to me :)
Re:i find it so hard (Score:3, Interesting)
You are probably 100% right that you can still get security updates through AU, but it appears that there are a lot of PCs with automatic updates turned off, or there wouldn't be such a large problem.
Joe User, legal or not, doesn't want some automated process going through his details; after all, it could get him in trouble.
The reality of the policy doesn't matter since WGA started; it's the perception that's kept a lot of people away from Windows updates.
Even people with genuine, licensed Windows quite often have genuinely not legal copies of Office, and although Windows is legal for them, they still won't touch the Microsoft website in case they detect the illegal install of Office.
Has activation and license verification done anything effective to reduce the number of pirated installs?
Re:Wow! (Score:2, Interesting)
What happens when your HD node is deleted from /dev?
It'll disappear from the visible filesystem and have no effect whatsoever on an `rm` command that deletes it, which will happily go on to kill the rest of your directory tree.