Slashdot Mirror

← Back to Stories (view on slashdot.org)

Taming Conficker, the Easy Way

Posted by kdawson on from the scanner-lightly dept.

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project'sTillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

5 of 288 comments (clear)

  1. Re:i find it so hard by FTWinston · · Score: 4, Interesting

    My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made conflicker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped april fool.

  2. But not in Germany or UK? by AliasMarlowe · · Score: 4, Interesting

    Which would happen once for every node on the network, would become this:
    root@admin:~$ nmap 192.168.0.* -confickercheck

    But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
    http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
    http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
    So if you use nmap to clean your network, you may be open to criminal charges.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  3. or other way.. by orange47 · · Score: 5, Interesting

    you could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.

  4. Re:So... by Effugas · · Score: 5, Interesting

    I actually worked with the researchers on this. (This is Dan.)

  5. Re:Wow! by Anonymous Coward · · Score: 4, Interesting

    Noone said that network security isn't "bolted on" in UNIX.

    But there are other machines which are definately invulnerable to the attack methods used by worms like conficker (typically modifying program flow by injecting executable code and altering address pointers, so the injected code will be executed).

    For example, IBM's AS/400 / iSeries 400 / eServer i5 (/ or whatever the name is today) has built-in (hardware-supported) pointer protection and separate address-stack and data-stack.
    Actually, that is the reason why the CPUs are sometimes called "65-bit CPUs" instead of "64-bit CPUs" - the 65th bit is a tag flag (in memory, it's stored in the ECC area).

    The details can be read in the book "The Inside Story of the IBM iSeries" by Frank G. Soltis.

    What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.