Security Networking The Internet

Using Conficker's Tricks To Root Out Infections

iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."
  • Am I the only one... (Score:5, Interesting)

    by Bicx ( 1042846 ) on Wednesday April 22, 2009 @08:31AM (#27673957)
    that thinks Conficker is actually really cool? I mean, damage aside, it's pretty darn impressive.
    • by Rogerborg ( 306625 ) on Wednesday April 22, 2009 @08:34AM (#27673975) Homepage
      Sharks are pretty cool too, right up to the point where they start chewing on your leg. I guess it takes distance to gain perspective.
      • by value_added ( 719364 ) on Wednesday April 22, 2009 @08:53AM (#27674167)

        Sharks are pretty cool too, right up to the point where they start chewing on your leg.

        I'd wager that if you're a shark, the "chewing on your leg" part would still be cool.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Is this where the saying "Good from far, far from good" comes into play?

      • Re: (Score:3, Insightful)

        by DomNF15 ( 1529309 )
        I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive. I'm sure any IT professional who has spent hours dealing with the fallout of Conficker will agree, as I personally spent a good amount of time rebuilding machines that got infected.
        • by Binestar ( 28861 ) on Wednesday April 22, 2009 @09:05AM (#27674289) Homepage

          Seems like you should have spent a small amount of time patching the machines when the security updates were released instead of spending a good amount of time rebuilding them.

          • Re: (Score:1, Insightful)

            by Anonymous Coward

Yeah because "IT Professional" means he has (and has always had) full control over all the machines he touches. He couldn't, I don't know, fix customers' broken computers as (part of) his job.

            • by Binestar ( 28861 )

If he's in the Geeksquad, I can see it not being his fault. It also keeps him in a job, and I can definitely see a love/hate relation is there. But then, he claimed to be an "IT Professional" and I know that most people who claim to be an "IT Professional" mean they install/admin/maintain computers for a business. If said "IT Professional" doesn't have the pull to make sure a sane security policy is in place, then they get what they deserve and should use this instance to push through a sane security po

              • Ok so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (Full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work ok. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need i
                • by Binestar ( 28861 ) on Wednesday April 22, 2009 @09:53AM (#27674769) Homepage

                  Ok so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (Full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work ok. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need it to be a file server - and if you can't patch it for whatever reason......

                  If you can't patch it for some reason you fix the reason the patch fails. If that involves a server upgrade to 2003, then so be it. Hell, you mentioned it's an SMB attack and you can't protect against that if you're a file server. While true in a sense, you *can* protect against it by making sure all the non-file servers on the network aren't vulnerable. Make sure you don't use that machine for anything other than the applications you need (certainly don't use it as a terminal server as well). Have a security policy in place that makes it so you can't add vulnerable computers to the network, have a firewall between the company and the internet, etc.

This is something people don't understand until it happens to them, but security is serious business. If you have a server that has a must-have application on it and you don't keep that thing #1: backed up, #2: up to date with security, you are just waiting for either data loss or time loss on the server.

                  If you can't afford to replace a server in that condition, then you likely can't afford the IT professional you hired to run it.

                  Hardware is inexpensive, especially considering you're running on Windows 2000 pre-SP4, you can get a low end server as a replacement and it'll be a very good upgrade. That's not even considering if you can replace with something other than windows or not!

                  • Re: (Score:1, Insightful)

                    by kirillian ( 1437647 )
I'm glad, Binestar, that you have a boss that gives you a large enough budget to do so...or that you make your own budget. It's nice to be in a comfortable situation like that. However, if you hadn't noticed, in today's current economy, the CEOs buy personal jets with the IT department's security budget and the lawyers dictate how everyone spends their money. Being an IT Professional means trying to do an impossible job with no manpower and no budget in most companies...personally...my boss wastes thousand
                    • in today's current economy, the CEOs buy personal jets with the IT department's security budget

                      No, they buy personal jets with TARP funds.

                    • I was under the impression that they used the TARP funds to pay for their personal vacations, I mean, retreats where they discussed how they were going to blow the rest of their money...
                  • by Andy Dodd ( 701 )

                    Sometimes there are cases where you're using a no-longer-maintained software tool that itself does not work on newer Windows version.

                    At work we have a Windows NT machine that performs one specific function, the software that performs this function fails on Win2k/XP/Vista - it's THAT old and it's unmaintained.

                    As a result that machine is firewalled off from the rest of the network.

                    • by Binestar ( 28861 )
                      I bet that machine also isn't getting infected with Conficker because you handled security in this situation properly.
          • Re: (Score:3, Insightful)

            by DittoBox ( 978894 )

            Some security updates can break poorly written "Enterprise" software. The kind that PHBs love.

            If they hadn't been fully tested with all the "Enterprise" software then he'd be utterly screwed if there were any problems.

            • Some security updates can break poorly written "Enterprise" software.

              You do realize that Star Trek was fictional, right?

              • by cp.tar ( 871488 )

                Some security updates can break poorly written "Enterprise" software.

                You do realize that Star Trek was fictional, right?

                ... but now it's true?

                • by lennier ( 44736 )

                  Some security updates can break poorly written "Enterprise" software.

                  You do realize that Star Trek was fictional, right?

                  ... but now it's true?

                  Every second alien ship would take over the computer just by looking at it... yep, an eerily accurate prediction.

                  • by cp.tar ( 871488 )

                    Every second alien ship would take over the computer just by looking at it... yep, an eerily accurate prediction.

                    Now, is it because Open Source won, or because Microsoft won?

          • Re: (Score:2, Informative)

            by DomNF15 ( 1529309 )
            When I get phone calls from people asking me to fix their Conficker infected PCs, my first comment to them isn't "Told you so! Seems like you should have spent a small amount of time patching your machine". Not only would that be bad business, but most people in that situation don't understand the fundamentals at work here. If they did, I wouldn't be getting calls in the first place. That's where I come in, fix/configure their PC appropriately, and educate them as best I can. Telling me I should have pat
        • I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive.

          Evil likely pays better. Though the retirement plan sucks.

          • it doesn't land you in jail, or has the potential prospect of landing you in jail. If there is even the possibility of going to jail, then for me, it doesn't pay. There's already enough to worry about aside from dropping the soap...
          • Yeah, like the idea I had years ago. Write "Viruses" that act like antiviruses .. which remove or disable bad code after asking the user permission. There are all kinds of things that can be done to help people instead of hurt them or ruin their lives. I put those who write malware in the same class as people who poison a water supply or taking potshots at people with a scope rifle. They are playing with people's lives by creating havoc. How many companies went under or how many people lost their jobs bec
        • by Ilgaz ( 86384 )

          Ever wonder how will people act when they see a real mafia guy/boss in their real life and have to deal with him? I mean the people buying "The Godfather Collection" or "The Sopranos"?

Just imagine what a guy like Tony Soprano can achieve in legit business, as he can manage thousands of psychopaths for his own good, on the street.

And, why doesn't Hollywood make a trilogy like "Mother Teresa"? Because nobody would watch it :) People like the evil, watching the evil I mean.

Lawyers are pretty cool too, right up to the point where they start suing your ass. I guess it takes distance to gain perspective.

        Fixed it for you

      • Surely what they are doing is illegal.. DMCA & copyright in general. The conficker source has been posted online: http://mtc.sri.com/Conficker/contrib/#example-code [sri.com] , and I bet they didn't get written permission either.

        Lucky the conficker authors aren't more like the RIAA.
That's not the conficker source, that's merely source that performs the same actions as a subset of conficker. You do bring up the interesting point that as it's difficult for a virus maker to copyright code, does that make most viruses public domain?

Yes, sadly I hadn't fully looked at the page before I pressed submit, and the link had suggested that it was the full code.

            I'd love to see the court case whereby a virus writer tried to assert his copyright, or DMCA on methods of disabling his code.
Why are they publishing source code for malware? That's like someone opening a vault of guns and inviting everyone to come get one. I refuse to look at code to make a virus for the same reason I don't go looking to learn how to make a bomb ... I am not interested in harming others. They should not be publishing code to malware because some dunderhead will emulate it and make his own malware and swath of destruction. Why did you include that link?
          • It was for reference, and as was noted above, it is actually not the complete code, just the segment for port generation.

            Know thy enemy...
      • I guess it takes distance to gain perspective.

        Distance or some simple precautions.

    • I totally agree. Conficker is really kind of a marvel, and for a long time I couldn't decide whether I'd want to shake the author's hand, or kick him square in the nads. Though honestly I think some of the media drama helped.
      • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday April 22, 2009 @08:49AM (#27674123) Journal
        You have to have decent balance; but there is nothing stopping you from doing both. In fact, a friendly overture often puts the target at ease, making them easier to hit.
        • by Lumpy ( 12016 )

I can, GeekSquad usually means drooling moron. I regularly fix GeekSquad screwups for customers. Hell, 9 times out of 10 the customer's computer is screwed up more after coming back from the IneptSquad.

          • I know a woman who wanted a modem installed in her system (this was about 5 years ago). She bought the modem, but couldn't figure out how to install the drivers. She called GeekSquad and they sent over one of their drooling morons. He proceeded to go into her computer room, close the door and was in there for 3 1/2 hours. He eventually came out and handed her a bill for 3 1/2 hours labor and traveling charges - it was just under $300 IIRC. To install a $20 modem. I told her she probably could have bought a
      • by Shrike82 ( 1471633 ) on Wednesday April 22, 2009 @08:50AM (#27674135)
        You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

Then you'd proceed to nad-kicking.
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Wednesday April 22, 2009 @09:13AM (#27674357)
          Comment removed based on user account deletion
          • Yeah, I probably should have thought of a better example. You get the idea though, things are impressive until they bite you on the arse.
          • by Lumpy ( 12016 )

I prefer kicking in the NADs the executive at that bank that decided to NOT issue all users SecureID keyfobs for their logins. Conficker can capture your login details all day long; if they don't have the SecureID information they can't get logged in.

            Actually considering today's economy, I think just kicking any bank executive in the Nuts is a perfectly good thing to do.

          • That's the wrong way to do it. That's a built-in DoS vulnerability. You should NEVER auto-lockout accounts. The frequency between authentication attempts should be increased with every failed attempt, and multiple failed attempts should alert security personnel (who may decide to block the IP address causing trouble).

            Auto-lockout is BAD BAD BAD. I don't care that it's the default config for Windows. You use it, you fail.
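The alternative the comment above argues for (growing delays per failed attempt plus an alert to security staff, never a hard lockout) as an added example in Python; this is not code from the thread or from any product it mentions. The delay schedule, the 15-minute cap, the alert threshold of five failures, the plaintext credential store and the in-memory alert list are all assumptions made for the example.

```python
"""Added example: per-account exponential backoff with an alert hook,
instead of automatic account lockout.

A hard lockout after K failures hands any remote party a denial of
service against the legitimate owner. Here every failed attempt doubles
the wait before the next attempt is even considered (capped), and a
fixed number of consecutive failures raises an alert so staff can decide
whether to block the source address. All thresholds are assumptions."""
import hmac
from dataclasses import dataclass, field

BASE_DELAY = 1.0        # seconds imposed after the first failure (assumption)
MAX_DELAY = 15 * 60.0   # cap the backoff at 15 minutes (assumption)
ALERT_AFTER = 5         # consecutive failures that trigger an alert (assumption)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    next_allowed: float = 0.0  # earliest timestamp at which an attempt is accepted


@dataclass
class BackoffAuthenticator:
    credentials: dict                       # username -> password; constructed sample store
    alerts: list = field(default_factory=list)   # alert sink (a list stands in for a pager/SIEM)
    state: dict = field(default_factory=dict)    # username -> AccountState

    def delay_for(self, failures: int) -> float:
        """Delay after `failures` consecutive failures: 0, 1s, 2s, 4s, ... capped at MAX_DELAY."""
        if failures == 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, user: str, password: str, source_ip: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns 'ok', 'bad_credentials' or 'throttled'. A throttled attempt
        is refused without consulting the credential store, but it still
        counts as a failure so a flood keeps pushing the window out."""
        st = self.state.setdefault(user, AccountState())
        if now < st.next_allowed:
            self._record_failure(st, user, source_ip, now)
            return "throttled"
        expected = self.credentials.get(user, "")
        # Constant-time comparison so the check does not leak via timing.
        if user in self.credentials and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0          # success clears the backoff; the account was never locked
            st.next_allowed = 0.0
            return "ok"
        self._record_failure(st, user, source_ip, now)
        return "bad_credentials"

    def _record_failure(self, st: AccountState, user: str, source_ip: str, now: float) -> None:
        st.failures += 1
        st.next_allowed = now + self.delay_for(st.failures)
        if st.failures == ALERT_AFTER:
            # Alert once per streak; staff, not the code, decide on blocking the IP.
            self.alerts.append(f"{user}: {st.failures} consecutive failures, last from {source_ip}")


if __name__ == "__main__":
    auth = BackoffAuthenticator({"alice": "correct horse"})
    print(auth.attempt("alice", "wrong", "198.51.100.7", 1000.0))          # bad_credentials
    print(auth.attempt("alice", "correct horse", "198.51.100.7", 1000.5))  # throttled (inside 1s window)
    print(auth.attempt("alice", "correct horse", "198.51.100.7", 1003.0))  # ok: delayed, never locked out
```

The backoff is keyed on the account rather than the source address, since the worm's botnet can spread attempts across many addresses; the alert carries the last source so the on-call person can still choose to block it, which is the decision the comment leaves to security personnel.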

        • by maxume ( 22995 )

          If my bank failed to prevent a brute force attack, I would find their head of security and kick him in the nads.

          Somewhere around 25 failed attempts (but probably far less than that), security really becomes more of a concern than convenience.

      • by Anonymous Coward
        Shake his nads?
        • by Trikki Nikki! ( 1516301 ) on Wednesday April 22, 2009 @09:38AM (#27674619)
          I would just like to say that I read Slashdot at work, and in the future I would appreciate if you people could stop posting comments that cause me to giggle uncontrollably and thus urinate in my cubicle. It has become a great concern to my boss, as I am unable to explain the real reason behind my lack of bladder control. Thanks in advance.
    • Re: (Score:3, Interesting)

      by myxiplx ( 906307 )

      Yup, damned impressive worm, if you read some of the detailed writeups it really highlights just how professional these things are now.

      It's doing us the world of good here - we've got pretty good security already, and getting budget for the next set of steps I want to take should be a whole lot easier now. All I'm having to do is point out just how widely Conficker spread, show some of the big names it hit, and then point out just how long it took them to clean their networks after the fact.

      All of a sudden

    • You are not alone. I, too, am quite impressed by the efforts of the programmers.

    • I was dealing with an infected system, so I read as much about conficker as I could. Between the multiple infection vectors and the p2p network it sets up to update itself from the cloud and the ridiculous amount of effort required (in some cases) to remove it and patch the system without reinfection, I couldn't help but think of skynet
    • by ash211 ( 1177227 )

      No, you're not :)

      It's astounding how the group that produces and supports Conficker can do so many things correctly, from cryptographically signed updates distributed P2P to blocking cleaning software and DNS access to antivirus vendors, it's pretty spectacular.

      They definitely get the easy way out though, with such a narrowly defined scope. Without having to mess with users' input, GUIs, and all sorts of other peculiarities, it's a lot easier to get your code well-secured with malware than if you were writ

  • Protocol (Score:2, Interesting)

    by s1lverl0rd ( 1382241 )

What if Conficker D changes its 'protocol' and marks every computer that sends an 'old message' as either a host that needs updating or an nmapping attacker/next victim?

  • Or... (Score:2, Interesting)

    by Anonymous Coward

    Easiest way to detect if you're infected: see if you can reach nmap.org

    • Re: (Score:3, Informative)

nmap can scan an entire network though; this is good news, especially if you're pen testing and you find the network is full to the brim with bots.

  • Clever but... (Score:5, Insightful)

    by Shrike82 ( 1471633 ) on Wednesday April 22, 2009 @08:38AM (#27674039)
Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it. We already established that the worm exploits a vulnerability that was patched before its release, and we've speculated that therefore it's mainly affecting users who are clueless about security, and therefore unlikely to even realise they have a problem?

    From TFA:

To scan your network quickly for Conficker infections before the next variant breaks this new technique, we recommend this command: nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

Now forgive me, but people like my parents (running Windows 98 until last year, now on XP) with no idea about security, no anti-virus scanner (despite my lectures over the phone) and no idea what the symptoms of a virus, worm or other malware are, are not going to find this information, nor know what to do with it if they did.

    Computing professionals might have little trouble detecting and removing Conficker, or are safe in the knowledge that they were protected before its release, but we'll still have to deal with the consequences of a botnet comprised of infected computers belonging to people with little or no technical computer knowledge.
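For the sysadmin case the quoted nmap command is aimed at, the scan of a whole network produces one p2p-conficker result per host, and what the operator actually needs is the short list of hosts to go and look at. The following Python script, added here and not part of the thread or of Nmap, parses that scan output and triages hosts. The sample scan output embedded in it is constructed: its per-host "N/M checks are positive" summary line is modelled on the shape of the p2p-conficker script's output, which is an assumption of this example, and the addresses and ports are made up.

```python
"""Added example: triage hosts from an nmap p2p-conficker scan.

Feed it the normal (-oN) output of
  nmap -p139,445 --script p2p-conficker,... [target networks]
and it returns, per host, how many of the script's checks came back
positive, then sorts hosts into clean / likely-infected / verify.
The sample output below is constructed for this example; the summary
line format it relies on is an assumption about the script's output."""
import re

# Constructed sample of nmap normal output for three hosts (assumption: the
# p2p-conficker summary line reads "|_  N/M checks are positive: ...").
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 44329/tcp): INFECTED (Received valid data)
|   Check 2 (port 33824/tcp): INFECTED (Received valid data)
|   Check 3 (port 31380/udp): INFECTED (Received valid data)
|   Check 4 (port 52600/udp): INFECTED (Received valid data)
|_  4/4 checks are positive: Host is likely INFECTED

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 15489/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 26152/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 21970/udp): CLEAN (Couldn't connect)
|   Check 4 (port 46320/udp): CLEAN (Couldn't connect)
|_  0/4 checks are positive: Host is CLEAN or infected with a different variant

Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 44329/tcp): INFECTED (Received valid data)
|   Check 2 (port 33824/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 31380/udp): CLEAN (Couldn't connect)
|   Check 4 (port 52600/udp): CLEAN (Couldn't connect)
|_  1/4 checks are positive: Host is likely INFECTED

Nmap scan report for 192.0.2.13
Host is up (0.0040s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SUMMARY_RE = re.compile(r"^\|_?\s+(\d+)/(\d+) checks are positive")


def parse_conficker_results(text: str) -> dict:
    """Map each scanned host to (positive, total) from the script's summary line.

    A host with no summary line (script did not run, ports closed) maps to None."""
    results, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = None
            continue
        m = SUMMARY_RE.match(line)
        if m and current is not None:
            results[current] = (int(m.group(1)), int(m.group(2)))
    return results


def classify(results: dict) -> dict:
    """Turn (positive, total) counts into a verdict per host.

    All checks positive -> likely-infected; none -> clean; a partial result
    means something answered on some of the probed ports, so verify by hand."""
    verdicts = {}
    for host, counts in results.items():
        if counts is None:
            verdicts[host] = "unknown"
            continue
        pos, total = counts
        if total and pos == total:
            verdicts[host] = "likely-infected"
        elif pos == 0:
            verdicts[host] = "clean"
        else:
            verdicts[host] = "verify"
    return verdicts


def hosts_needing_attention(results: dict) -> list:
    """Sorted list of every host that is not a clean verdict (work queue for the admin)."""
    return sorted(h for h, v in classify(results).items() if v != "clean")


if __name__ == "__main__":
    parsed = parse_conficker_results(SAMPLE_NMAP_OUTPUT)
    for host, verdict in classify(parsed).items():
        print(f"{host:<14} {verdict}")
```

"unknown" hosts (nothing on 139/445, so the script never ran) are kept in the work queue on purpose: a machine that is down or firewalled at scan time is not thereby shown clean, which matters when the goal is to find every infected box on the network rather than to tick off the ones that answered.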

    • Re:Clever but... (Score:4, Insightful)

      by flyingfsck ( 986395 ) on Wednesday April 22, 2009 @08:47AM (#27674115)
      Clearly, your parents don't have a problem. They have a child that can fix things for them. On the other hand, you have a problem, so you should install a reverse VNC client on their machine so they can connect to you for support.
      • Clearly, your parents don't have a problem. They have a child that can fix things for them.

        Sadly for them they raised a lazy and selfish child, and I can't be bothered to manage their computer's security for them, even remotely. At some point my Dad's love of naked chicks will land him in trouble, as there's only so many "Free p0rn" e-mails you can open before something nasty gets you.

    • Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it.

      How can you post a question without a question mark. Does this confuse your brain.

    • by 0racle ( 667029 )
      HINT: NMAP and related tools might not be aimed at people like your parents.

      You're talking about a user education problem, this is an article about a tool for IT professionals.
      • I know the article and others like it aren't aimed at clueless users, in fact I thought my post made that pretty clear. My point was that no matter how many clever solutions are created we're still going to be stuck with a sizeable array of computers that can be used for evil-doing, until an automatic detection and removal tool that can be simultaneously delivered and run on pretty much every infected machine at the same time is created.

        And I think we're all aware of how likely to happen that is...
    • Re: (Score:3, Informative)

      The nmap based tools obviously aren't the right tool for the "clueless parents/noobs/whatever" case. If you have a large number of machines to check and at least one competent person, use nmap. If you need to test a noob's box over the phone, just have them open the Conficker eyechart [confickerw...ggroup.org] and tell you whether the images load or not.
      • by maxume ( 22995 )

        A couple of weeks ago, that site took the entertaining step of being down for some reason other than Conficker.

but Google won't let you down! the cache [209.85.229.132] (link will change, but you can just Google the url for a new one); because the top 6 images are remotely hosted it will still work while the actual server is being DDoSed, and I doubt that the conficker guys are going to take down Google.

    • That's advice on how to automate scanning a large network of machines for infections. There's a trivial method for confirming that Conficker is present on a machine if you don't mind spending five minutes in front of it typing in URLs, and tools to remove it quite easily.
    • Re: (Score:3, Insightful)

      by ukyoCE ( 106879 )

      I don't think the story is targeted at parents. It's targeted at sysadmins trying to clean Conficker off their network. Your parents won't run it, but perhaps Comcast will run it and get your parents fixed up. Or your parents' sysadmin at work will run it and fix their work computer.

      It's kind of silly to expect TFA is targeted at "your parents" when it's using nmap to scan a network...

      • It's kind of silly to expect TFA is targeted at "your parents" when it's using nmap to scan a network...

        Indeed, I should have been clearer in my post. What I meant to say was along the lines of "people like my parents, if their PC gets infected, are unlikely to ever remove the worm, and it'll be on their machine until the day they throw it out and buy a new one".

        Bottom line: a pretty big botnet exists, and despite numerous clever solutions that can help clean it off large networks quickly there will still be a lot of PCs infected for the foreseeable future.

    • Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it.

Maybe yes, maybe nooo. I have a legit copy of Windows XP at home (OEM, came with my computer). But I refuse to install WGA. So I am not sure if I get those patches (the Windows Update website doesn't work for me; however, eventually I get updates somehow). Also, I am not going to find all these hotfixes and apply them manually (my time is too valuable for this kind of shit).

Because this is my gaming computer, I do not care much since I hardly ever boot into Windows anymore and it's the only Windows install

    • by Ilgaz ( 86384 )

      Can you at least send them to http://housecall.antivirus.com/ [antivirus.com] ? It may find it and clean it. If they can't reach there, they could be infected, old time tricks like using hex url etc. may help.
      Now what we need is, ActiveX like installing antivirus (not joking) which will install with minimum user interaction. Housecall from Trend is a great favour to newbie users, especially after they got rid of "pay us to clean it" scheme but... It is still not a real antivirus to watch the system. It seems Kaspersky guys

  • Nmap? (Score:2, Interesting)

    by xtracto ( 837672 )

    Isn't the guy who created nmap active on slashdot? (fyodor or something like that?)

  • to kick Conficker's ass like in Terminator:SCC we have John Henry to fight Skynet...
  • Curious Yellow [blanu.net] here we come...
  • I have discovered that almost all of the computers infected with Conficker apparently come with a sticker on the front for ready identification. It has a flag shape divided into red, green, blue and yellow quarters. If you have this flag sticker you might be at risk!
