Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
I hate printers.
to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
Good people go to bed earlier.
"You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both English and Norwegian.
I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.
You mean like patching the flaw MONTHS before Conficker was released?
What about having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done, which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...
Oh wait...
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April fool.
Oh please let that "someone" stand up in the cube next to me. I could use some of that MS reward money right about now...
Oh, and it's gonna be kind of hard to get rich from interviews while occupying a cell in Gitmo. No, I doubt I'm overreacting here, in this day and age, this is an "act of terrorism".
We figured this out on Friday, and got code put together for Monday.
And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.
You can advertise in this sig from as little as £99.99 a month!
So where's the article detailing what was in the summary? NONE of the links have any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
My Babylon
People once laughed at the ideas of flight, going to the moon, splitting the atom, and electronic computing itself.
Now we have another accomplishment to add to that list: the evil bit. Science conquers all.
For real, even though I do not use Windows (except virtualized) I am glad to see real benefits of solid research and quick implementation.
I for one am glad to see that not all of the hard work is being done by the attack squad.
Hug a programmer. Hug one today.
--Shaddup and support your local PBS station Plan for it
Hook, line and sinker. That's what trolls are for.
No actually, the fact that the supposed cure for the disease, or rather remote diagnostic, takes advantage of the fact that Windows by default lets such probes detect _anything_.
The most common infection vector is people running executables from untrusted sources. And now Tillmann and Felix expect us to download a scanner and run it on our systems?
Next time someone recommends GTA for driving schools...
You took that seriously. How lame are you?
If this were really happening, what would you think?
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
So if you use nmap to clean your network, you may be open to criminal charges.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
1. Conficker updates.
2. Security researchers scramble to understand the latest Conficker code.
3. Success!
4. Researchers release the info, in detail.
5. Researchers warm themselves in the radiant heat of their own brilliance. Community applauds.
6. Conficker authors read this publicly available information, learn from their mistakes and fix the problems.
7. Go to 1.
And this circlejerk will continue until the researchers involved learn to put their egos aside and actually do something useful with the information.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx
You could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (Also many other security sites, see the list here: http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't, then Conficker.C is probably blocking them. I'm not sure this would work for cached domains, though.
The following comment might be potentially stupid, but why not just move the computer clock forward to April 1st and see what Conficker does? If it uses an internet time server to verify the date, then just have the DNS for the internet time server point to an internal time server. No?
(Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.
Never email donotemail@WeAreSpammers.com
Why isn't this the standard method for /all/ virus scanning? Remote scans are the only method which has ever seemed sane to me... why would you run software to detect if the software you're running has been compromised? That's why I don't run virus scanners: it's pointless.
Give me a program that I can run on a "known good" system (for example, a system which boots off write-once media) and which monitors the local network for suspicious activity. I'll run that one.
-- 'The' Lord and Master Bitman On High, Master Of All
Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.
Slashdot: where Don Knuth is an idiot because he can't grasp the awesome power of PHP
I have no mod points, but the links in the actual story have zero information on actually running a scan. I'm scanning my office network right now solely because of this comment.
I thought it was funny, one of the newscasters on 60 minutes said she just got "owned". It's funny since this is the same show Andy "I'm out of touch with reality" Rooney is on.
Seriously? It is named "Malicious Software Removal Tool"? So we could call it... "MS removal tool".
That's the best name for software coming from Microsoft in a long time.
Rich
FWIW:
This works great on machines that don't have windows firewall active. If windows firewall is active, you get a "no response" from the script.
Now that the authors of Conficker know that their infected systems have a different signature on the network, what's to stop them from just plugging that particular hole and picking a new date?
Cinco de Mayo anybody?
If you're gonna be dumb, you gotta be tough.
"You must be logged on as a member of the Administrators group to run the tool."
A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.
Help! Help! I'm being repressed!
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you give the user the freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.)
It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.
Would you rather:
a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
c) Do nothing, because "there's nothing important on my computer anyway."
Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their system is vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their system secure.
Big surprise when they choose the devil they know.
#fuckbeta #iamslashdot #dicemustdie
Interesting. The site is legit, but... you would think McAfee would provide these links from a page on their main mcafee.com domain, instead of vil.nai.com (although whois confirms that McAfee does indeed own this domain).
Also, I find it disturbing that McAfee doesn't provide an SSL certificate for this page to confirm the site's identity. Seems to me that this page would be a high-profile target for hijacking, especially considering that most people will blindly download and run the executables that it contains.
"Thanks Dan! We'll be sure to patch this problem in the next Conficker update."
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
10 million computers infected. Self destruct.
Don't admin Windows much, do you? You're right, you can't MANUALLY run updates, but the auto updates sure as hell get applied! Wait... checking any of my 150 Windows boxes running as user full time... Yep! Sure do!
Sure! It goes like this (excerpts from the Cygwin FAQ):
The Cygwin Setup program will prompt you for a "root" directory. The default is C:\cygwin, but you can change it. [Emphasis added]
... and ...
In the past, there had been genuine bugs that would cause problems for people who installed in C:\, but we believe those are gone now.
;-)
So as you can see, it would have gone fine for me if I was foolish enough to use Windows in the first place.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
With Cygwin, / != C:\ ... let me know how it goes.
It works pretty much the same once the rm command works its way down to /cygdrive.
Automatic updates runs as a system service under the local system account so your computer will automatically receive and install automatic updates even if your login has only restricted rights.
Unless you turn on this option in your group policy:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Allow non-administrators to receive update notifications.
Set it to enabled and then even your limited users will be able to see that they have updates to install.
For Windows server admins who aren't experienced Python users, I put together this quick overview of the steps to use scs on a Windows network. http://bobsfieldnotes.blogspot.com/
Could infection be prevented on a clean machine by just creating the Conficker mutexes when starting a machine, before the virus gets a chance? All you'd need is a small tool that would start as early as possible during boot.
This same tool could also be used as a simple test for infection. If the mutexes are already there, it means the machine is infected.
This is not the sig you're looking for.
No, the name 'ms removal tool' was already taken. It can be found on many linux install discs.
If you don't run your system as a local admin there is very little chance that you can get a virus like Conficker. Removing admin rights from users will prevent 99% of spyware and viruses.
Back in the '60s and '70s, when the current "drug war" was getting its start, some municipalities passed "narcotics paraphernalia" laws banning possession of anything that "could be used" for preparing or consuming controlled substances.
Aluminum foil was used to improvise "pipe screens" by lining a pipe bowl or a hole in a toilet paper roll and poking small holes in it with a pin. So these laws ended up banning aluminum foil. (Don't recall if this eventually got them struck down ...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Don't run that tool! It tells you it's Malicious right in its name!
Maybe I'm doing it wrong. For me, this tool is not so quick and easy.
The scanner.py is not giving me hits against infected machines. The only way I get hits is to scan using Stinger from safe mode (safe mode is needed to delete the files).
For the record, of my workstations 90% plus were patched. It was a few workstations that were missed plus a weak password on the rest that got us in trouble.
You can search "conficker" on Picasa to see the screenshots of the scanner.py failing to detect anything on an infected machine. Also, there is no firewall running on this PC.
While technology has certainly changed and the consequences have increased due to a company's online presence, or an individual's for that matter, the hype surrounding Conficker reminds me of the infamous Michelangelo virus doing its deed on March 6. A quick Google search revealed an archived memo sent out at Stanford. I'll paste it here so as not to /. their webservers unnecessarily; how kind of me. lol!
-- Stanford memo 03/01/1993 --
"NEWS RELEASE
03/01/93
CONTACT: Stanford University News Service (415) 723-****
Michelangelo virus due to strike again March 6
STANFORD -- Employees who use an IBM PC, PS/2 or compatible computer should be aware that there is a small chance their computers have been infected with an infamous computer virus.
The "Michelangelo" virus, which is an especially destructive strain, may erase parts of a user's hard drive. This can happen every March 6, which is the famous artist's birthday, according to security officials in the Stanford Data Center.
The computer must be turned on sometime March 6 for the virus to do any damage. Since March 6 falls on a Saturday this year, the risk of any damage is relatively low, according to Bill Bauriedel, the Data Center's security chief.
However, he said, it is simply good practice to run an anti-virus program periodically to check for the presence of one or more viruses. Michelangelo is only one of more than 700 identified viruses that can infect a computer.
"Even though you may not have the Michelangelo virus, your computer may be infected with something else," Bauriedel said. "While probably not as dangerous as Michelangelo, these other viruses should be disinfected as well - once disinfected, they can't spread from your machine to someone else's machine."
Staffers and faculty who have a Forsythe account and use Samson can download an antivirus program called F-PROT. For instructions on how to perform the download, issue these two commands:
USE WYL.GB.SEC.FPROT and PRINT.
Users without a Forsythe account can exchange a blank floppy for the antivirus program either at the consulting office on the second floor of Sweet Hall or at the Information Security Office in Spruce Hall, room F19.
For more information on matters of computer security, contact ******* at 723-****."
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor
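An added example, not from this thread and not part of nmap itself: a small Python parser that turns the normal output of the command above into a per-host verdict list. It assumes the script reports one line per host of the form "Conficker: Likely INFECTED" / "Likely CLEAN" / "UNKNOWN ..." (the sample output and its hosts are constructed), and it keeps hosts that returned no verdict at all, which is what an active Windows Firewall gives you as noted earlier in the thread, in a follow-up bucket rather than counting them as clean.

```python
import re

# Constructed sample (made-up hosts) of normal output from
#   nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 ...
# The "Conficker: ..." verdict wording is an assumption modelled on the script's
# report lines; adjust CONFICKER_RE if your nmap build words it differently.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.0.5
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|_  Conficker: Likely INFECTED

Nmap scan report for 192.168.0.7
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|_  Conficker: Likely CLEAN

Nmap scan report for 192.168.0.9
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

# Older nmap builds print "Interesting ports on <host>:" as the per-host header.
HOST_RE = re.compile(r"^(?:Nmap scan report for|Interesting ports on)\s+(.+?):?$")
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

def parse_conficker_results(nmap_text):
    """Map each scanned host to its smb-check-vulns Conficker verdict."""
    results = {}
    host = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            # No verdict yet: a host firewall or filtered SMB leaves it this way,
            # and that must not be mistaken for "clean".
            results[host] = "NO RESULT"
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            results[host] = m.group(1)
    return results

def triage(results):
    """Bucket hosts: isolate now, looks clean, or needs a manual follow-up."""
    buckets = {"infected": [], "clean": [], "follow_up": []}
    for host, verdict in sorted(results.items()):
        if verdict == "Likely INFECTED":
            buckets["infected"].append(host)
        elif verdict == "Likely CLEAN":
            buckets["clean"].append(host)
        else:  # UNKNOWN, NO RESULT, or unexpected wording: look at it by hand
            buckets["follow_up"].append(host)
    return buckets
```

Save the scan with `-oN scan.txt` and run `triage(parse_conficker_results(open("scan.txt").read()))`; anything in the follow-up bucket needs a closer look rather than being ticked off as clean.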
Well, I have to give him credit for not 'begging the question'. (Could not help myself, sorry.) ;-)
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
The last comparison/shootout/review of home/personal use AV software I heard about was touting NOD32 as top dog, with Avast Home and AVG Free as second and third, respectively.*
I do not know if NOD32 has a free-for-personal-use version or not, but both of the others are free for personal use. (Both also have paid-for business versions that are more net capable.)
Have also heard good things about BitDefender.
I have used both Avast and AVG (but not NOD32), and use one of the two on the rare occasion I work on friends' or family's computers. They both have worked well for all.
*This was about a year to a year and a half ago. Find a reputable writeup (AnandTech, Tom's Hardware, etc.) for more current info and check them out.
Update: A quick Google check shows BitDefender to be in the top three ranking wherever I check, and NOD32 stays in the top six, with both of the others being in the top ten. BitDefender and NOD32 have free trials, but will set you back $25-40 USD to keep after the trial; AVG and Avast both still have free home versions.
I was under the impression that AU could raise the privileges of a Non-Admin user? I noticed the option on the N-lite install I was playing with last night.
# cat
Damn, my RAM is full of cats. MEOW!!
Set the date forward to April 1st and see what happens with an infected machine with a packet sniffer? If it goes out to the net to check remote time servers, packet sniff to see where it's looking and forge answers?
Notification of updates for normal users can be set up via group policies.
That they by default are not informed is the failure. If they were informed, . . .
Because I am lazy and don't feel like digging through the scripts: what is posted if a box is found with Conficker on it? I got all cleans; anyone find any infected?