Slashdot Mirror


Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

6 of 288 comments

  1. Re:i find it so hard by FTWinston · · Score: 4, Interesting

    My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April fool.

  2. But not in Germany or UK? by AliasMarlowe · · Score: 4, Interesting

    Which would happen once for every node on the network, would become this:
    root@admin:~$ nmap 192.168.0.* -confickercheck

    But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
    http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
    http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
    So if you use nmap to clean your network, you may be open to criminal charges.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  3. or other way.. by orange47 · · Score: 5, Interesting

    you could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.
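
The check in the comment above, scripted: this is an added example, not code from the thread or from the Honeynet/SRI researchers. It assumes what the comment describes, namely that name lookups for security-vendor domains fail from an infected host while other names still resolve, and compares a list of security-related names against control names so that a dead network is not mistaken for filtering. The domain lists are a constructed sample; the `resolve` parameter exists so the logic can be exercised with a stand-in resolver, and the comment's caveat about already-cached names applies here as well.

```python
"""Detect DNS filtering of security-vendor domains from the local host.

Added example in the spirit of the comment above; not part of the original
page. Assumption: on an infected host, lookups of security-related names fail
while unrelated names resolve normally. Domain lists are a constructed sample;
for a real run, substitute the SRI addendum list linked in the comment.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Constructed sample of security-related names (the kind the comment refers to).
SECURITY_DOMAINS: List[str] = [
    "www.clamav.net",
    "www.microsoft.com",
    "www.kaspersky.com",
]

# Control names an unfiltered host should always resolve.
CONTROL_DOMAINS: List[str] = [
    "www.example.com",
    "www.wikipedia.org",
]

Resolver = Callable[[str], bool]


def system_resolver(name: str) -> bool:
    """True if the host's own resolver returns an address for name."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_dns_filter(
    security: Iterable[str],
    control: Iterable[str],
    resolve: Resolver = system_resolver,
) -> Dict[str, object]:
    """Resolve both lists and return per-name results plus an overall verdict.

    Verdicts:
      inconclusive - no control name resolves, so DNS or the network is down
                     and nothing can be said about filtering
      suspicious   - control names resolve but one or more security names do not
      clean        - every security name resolves
    """
    sec_results = {d: resolve(d) for d in security}
    ctl_results = {d: resolve(d) for d in control}
    blocked = sorted(d for d, ok in sec_results.items() if not ok)

    if not any(ctl_results.values()):
        verdict = "inconclusive"
    elif blocked:
        verdict = "suspicious"
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "blocked": blocked,
        "security": sec_results,
        "control": ctl_results,
    }


def main() -> None:
    report = check_dns_filter(SECURITY_DOMAINS, CONTROL_DOMAINS)
    for name, ok in {**report["security"], **report["control"]}.items():
        print(f"{name:24s} {'resolves' if ok else 'FAILS'}")
    print(f"verdict: {report['verdict']}")
    if report["blocked"]:
        print("blocked security names:", ", ".join(report["blocked"]))


if __name__ == "__main__":
    main()
```

Run it on the host you suspect, not from a clean machine: the point of the comment is that the filtering is visible only from the infected host's own resolver. A "suspicious" verdict is a hint, not proof; a corporate proxy or DNS policy that blocks the same names produces the same pattern.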

  4. Re:So... by Effugas · · Score: 5, Interesting

    I actually worked with the researchers on this. (This is Dan.)

  5. Re:Wow! by Anonymous Coward · · Score: 4, Interesting

    No one said that network security isn't "bolted on" in UNIX.

    But there are other machines which are definitely invulnerable to the attack methods used by worms like Conficker (typically modifying program flow by injecting executable code and altering address pointers, so the injected code will be executed).

    For example, IBM's AS/400 / iSeries 400 / eServer i5 (/ or whatever the name is today) has built-in (hardware-supported) pointer protection and separate address-stack and data-stack.
    Actually, that is the reason why the CPUs are sometimes called "65-bit CPUs" instead of "64-bit CPUs" - the 65th bit is a tag flag (in memory, it's stored in the ECC area).

    The details can be read in the book "The Inside Story of the IBM iSeries" by Frank G. Soltis.

    What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.

  6. Re:Hmmm by ndixon · · Score: 3, Interesting

    ipc0nfig: ...why not just move the computer clock forward to April 1st, and see what Conficker does.

    cdrudge:

    For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.

    I think ipc0nfig has a fair point - you could run a date-adjusted infected machine in a VM, isolated inside a virtual network, and monitor any disk/network activity.

    Of course, you might not know what'll really happen unless you let it phone home, and even then you might not see what will happen on April 1st; but it might give more clues about which external addresses to block.

    --
    Oh, how convenient: a theory about God that doesn't involve looking through a telescope.