Slashdot Mirror


Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

3 of 288 comments

  1. Re:Wow! by fuzzyfuzzyfungus · · Score: 5, Informative

    If only the users who leave their printers unplugged habitually used linux...

    To be fair, you can do something similar in Windows; but it sure isn't the soul of wit.

  2. Re:It just amazes me by Computershack · · Score: 5, Informative

    I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.

    You mean like patching the flaw MONTHS before Conficker was released?

    What, having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...

    Oh wait...

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  3. Windows HOWTO by Dynamoo · · Score: 5, Informative
    1. Download and install Python 2.6.1: http://www.python.org/ftp/python/2.6.1/python-2.6.1.msi
    2. Download Impacket from http://oss.coresecurity.com/repo/Impacket-stable.zip (or maybe http://pypi.zestsoftware.nl/impacket/ or some other mirror)
    3. Download the scanner from http://iv.cs.uni-bonn.de/uploads/media/scs.zip
    4. Unpack Impacket into a folder, then install Impacket from a command line with c:\python26\python setup.py install
    5. Run the scanner with the command c:\python26\python scs.py [start_ip] [end_ip]

    (Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.

    --
    Never email donotemail@WeAreSpammers.com