Slashdot Mirror


Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

9 of 288 comments

  1. Re:Wow! by fuzzyfuzzyfungus · · Score: 5, Informative

    If only the users who leave their printers unplugged habitually used linux...

    To be fair, you can do something similar in Windows; but it sure isn't the soul of wit.

  2. Re:It just amazes me by Computershack · · Score: 5, Informative

    I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OSes have. It might prevent this kind of thing.

    You mean like patching the flaw MONTHS before Conficker was released?

    What about having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done, which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...

    Oh wait...

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  3. Re:i find it so hard by Ralish · · Score: 4, Informative

    In fact, having double checked my information, the security patch that fixes the vulnerability that Conficker exploits was released prior to the creation and subsequent distribution of Conficker.

    So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.

  4. Windows HOWTO by Dynamoo · · Score: 5, Informative
    1. Download and install Python 2.6.1: http://www.python.org/ftp/python/2.6.1/python-2.6.1.msi
    2. Download Impacket from http://oss.coresecurity.com/repo/Impacket-stable.zip (or maybe http://pypi.zestsoftware.nl/impacket/ or some other mirror)
    3. Download the scanner from http://iv.cs.uni-bonn.de/uploads/media/scs.zip
    4. Unpack Impacket into a folder, then install Impacket from a command line with c:\python26\python setup.py install
    5. Run the scanner with the command c:\python26\python scs.py [start_ip] [end_ip]

    (Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.

    --
    Never email donotemail@WeAreSpammers.com
  5. Re:Am i doing it wrong? by ThrowAwaySociety · · Score: 4, Informative

    So how do you use a mouse with a Scottish accent? Curious minds are dying to know.

    http://www.youtube.com/watch?v=wzRziK-kZtQ

    Just drop your geek card in the slot by the door as you leave.

  6. Re:Wow! by gzipped_tar · · Score: 4, Informative

    Assuming you are using BASH, enabling the shopt "dotglob" may be helpful if you want the * glob to expand to dot-files.

    --
    Colorless green Cthulhu waits dreaming furiously.
  7. Re:So... by iago-vL · · Score: 4, Informative

    Hey guys,

    I'm the author of that script, and that's exactly right. I posted a full explanation on my blog.

  8. Re:So... by wiedzmin · · Score: 4, Informative
    Be VERY careful running it on your network, this is from the NMAP smb-check-vulns.nse script description:

    WARNING: These checks are dangerous, and are very likely to bring down a server. These should not be run in a production environment unless you (and, more importantly, the business) understand the risks!

    As a system administrator, performing these kinds of checks is crucial, because a lot more damage can be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers, on the other hand, might not want to use this script -- crashing services is not generally a good way of sneaking through a network.

    If you set the script parameter 'unsafe', then scripts will run that are almost (or totally) guaranteed to crash a vulnerable system; do NOT specify unsafe in a production environment! And that isn't to say that non-unsafe scripts will not crash a system, they're just less likely to.

    MS08-067 -- Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow remote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems, 52 crashed.

    --
    Bow before me, for I am root.
  9. Nmap 4.85BETA5 just released by fv · · Score: 4, Informative
    I'm happy to report that we've just released Nmap 4.85BETA5 with Conficker detection so you can do that scan! The actual recommended command is:

    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

    For more details, see the announcement at http://insecure.org.
    -Fyodor
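As an added example (not part of Fyodor's post or of Nmap itself), the following Python script triages the XML produced when the command above is run with -oX, sorting hosts into likely-infected, clean and unanswered buckets so the infected ones can be isolated first. The host/address/hostscript/script structure is nmap's real XML layout; the embedded scan result and the "Conficker: Likely INFECTED/CLEAN" strings are a constructed sample, not captured scanner output.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap ... --script=smb-check-vulns --script-args safe=1 -oX -`
# output. Element layout follows nmap's XML schema; script output text is made up
# for this example (nmap encodes newlines in the output attribute as &#xa;).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: VULNERABLE&#xa;Conficker: Likely INFECTED&#xa;regsvc DoS: CHECK DISABLED"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT VULNERABLE&#xa;Conficker: Likely CLEAN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_conficker_results(xml_text):
    """Map each scanned IPv4 host to 'INFECTED', 'CLEAN' or 'UNKNOWN'.

    UNKNOWN covers hosts with no smb-check-vulns output at all, e.g. ports
    139/445 filtered, or a host that crashed or timed out during the check.
    """
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        status = "UNKNOWN"
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            for line in script.get("output", "").splitlines():
                key, _, value = line.partition(":")
                if key.strip().lower() != "conficker":
                    continue
                verdict = value.upper()
                if "INFECTED" in verdict:
                    status = "INFECTED"
                elif "CLEAN" in verdict:
                    status = "CLEAN"
        results[addr.get("addr")] = status
    return results


def hosts_with_status(results, wanted):
    """Sorted list of hosts carrying one verdict, for feeding into a block list."""
    return sorted(ip for ip, status in results.items() if status == wanted)


if __name__ == "__main__":
    res = parse_conficker_results(SAMPLE_XML)
    for ip in hosts_with_status(res, "INFECTED"):
        print("isolate and clean:", ip)
    for ip in hosts_with_status(res, "UNKNOWN"):
        print("no SMB answer, recheck:", ip)
```

Hosts that land in UNKNOWN deserve a second look rather than a pass: with safe=1 the check skips anything it cannot reach, and wiedzmin's post above explains why the unsafe variant is not the answer on production networks.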