Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
I hate printers.
to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
Good people go to bed earlier.
I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.
"You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both english and norwegian.
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April Fool.
Oh please let that "someone" stand up in the cube next to me. I could use some of that MS reward money right about now...
Oh, and it's gonna be kind of hard to get rich from interviews while occupying a cell in Gitmo. No, I doubt I'm overreacting here, in this day and age, this is an "act of terrorism".
We figured this out on Friday, and got code put together for Monday.
And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.
So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
My Babylon
People once laughed at the ideas of flight, going to the moon, splitting the atom, and electronic computing itself.
Now we have another accomplishment to add to that list: the evil bit. Science conquers all.
For real, even though I do not use Windows (except virtualized) I am glad to see real benefits of solid research and quick implementation.
I for one am glad to see that not all of the hard work is being done by the attack squad.
Hug a programmer. Hug one today.
The most common infection vector is because people run executables from untrusted sources. And now Tillmann and Felix expect us to download a scanner and run it on our systems?
Next time someone recommends GTA for driving schools ....
You took that seriously. How lame are you?
If this were really happening, what would you think?
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
So if you use nmap to clean your network, you may be open to criminal charges.
1. Conficker updates.
2. Security researchers scramble to understand the latest Conficker code.
3. Success!
4. Researchers release the info, in detail.
5. Researchers warm themselves in the radiant heat of their own brilliance. Community applauds.
6. Conficker authors read this publicly available information, learn from their mistakes and fix the problems.
7. Go to 1.
And this circlejerk will continue until the researchers involved learn to put their egos aside and actually do something useful with the information.
So now we have the executive branch of the government forcing companies to fire their CEOs, while the knuckleheads in Congress who created this financial mess through extreme incompetence or deliberate malice by mucking with the home mortgage industry cheer wildly! Granted, GM isn't exactly doing great, but is nobody concerned that Obama snaps his fingers and a PRIVATE company does his bidding? Everyone agrees that this was pure political theater to make additional government bail-out money to GM more palatable to the public. No real change will be forthcoming. Wagoner's replacement was already the heir-apparent, and stated that they'd continue on as planned. If you want real change, then you have to replace the incestuous board of directors.
How long until Obama starts firing CEOs who don't agree with him politically or who don't funnel money to his cronies through his liberal agitator group ACORN?
McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx
You could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (Also many other security sites; see the list here: http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't, then Conficker.C is probably blocking them. I'm not sure this would work for cached domains, though.
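The resolution check suggested above, written out as an added example (not code from the post or from any of the vendors it names). It asks the resolver about a handful of security-vendor hostnames and about a control hostname that a blocker has no reason to touch, so that "nothing resolves because the link is down" is reported separately from "only the security sites fail". The host lists are constructed placeholders; the SRI addendum linked in the comment carries the real list, and `assess()` takes the resolver as a parameter so it can be exercised offline.

```python
"""Heuristic check for Conficker.C-style blocking of security-vendor DNS names.

Added example: the verdict logic is an assumption, not something the page
specifies; treat 'suspicious' as a prompt to run a real scanner, not proof.
"""
import socket
from typing import Callable, Dict, List

# Constructed sample lists. The original comment names only clamav.net and
# points at the SRI addendum for the rest; extend SECURITY_HOSTS from there.
SECURITY_HOSTS: List[str] = ["www.clamav.net", "www.mcafee.com", "www.symantec.com"]
# Control names unrelated to security vendors (constructed placeholder).
CONTROL_HOSTS: List[str] = ["www.example.com"]


def system_resolver(host: str) -> bool:
    """True if the OS resolver returns any address for `host`."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except socket.gaierror:
        return False


def assess(resolve: Callable[[str], bool],
           security: List[str] = SECURITY_HOSTS,
           control: List[str] = CONTROL_HOSTS) -> Dict[str, object]:
    """Classify a host based on which names its resolver can look up.

    verdict values (assumed scheme):
      no-network  - not even the control names resolve; cannot conclude anything
      suspicious  - control names resolve but every security-vendor name fails
      partial     - some vendor names fail; could be blocking or plain DNS trouble
      clean       - everything resolves
    """
    sec = {h: resolve(h) for h in security}
    ctl = {h: resolve(h) for h in control}
    if not any(ctl.values()):
        verdict = "no-network"
    elif not any(sec.values()):
        verdict = "suspicious"
    elif not all(sec.values()):
        verdict = "partial"
    else:
        verdict = "clean"
    return {"verdict": verdict, "security": sec, "control": ctl}


if __name__ == "__main__":
    report = assess(system_resolver)
    print(report["verdict"])
    for name, ok in {**report["security"], **report["control"]}.items():
        print(f"  {name}: {'resolves' if ok else 'FAILS'}")
```

Because the check goes through the same resolver the blocking interferes with, it has to run on the machine being tested; that is the opposite of the remote, anonymous check in the summary, which is why the two approaches complement each other rather than compete.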
The following comment might be potentially stupid, but why not just move the computer clock forward to April 1st, and see what Conficker does. If it uses an internet time server to verify the date, then just have the DNS for the internet time server point to an internal time server. No?
(Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.
Why isn't this the standard method for /all/ virus scanning? Remote scans are the only method which has ever seemed sane to me... why would you run software to detect if the software you're running has been compromised? That's why I don't run virus scanners: it's pointless.
Give me a program that I can run on a "known good" system (for example, a system which boots off write-once media) and which monitors the local network for suspicious activity. I'll run that one.
Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.
I have no mod points, but the links in the actual story have zero information on actually running a scan. I'm scanning my office network right now solely because of this comment.
I thought it was funny, one of the newscasters on 60 minutes said she just got "owned". It's funny since this is the same show Andy "I'm out of touch with reality" Rooney is on.
FWIW:
This works great on machines that don't have windows firewall active. If windows firewall is active, you get a "no response" from the script.
Now that the authors of Conficker know that their infected systems have a different signature on the network, what's to stop them from just plugging that particular hole and picking a new date?
Cinco de Mayo anybody?
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you give the user freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.)
It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.
Would you rather:
a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
c) Do nothing, because "there's nothing important on my computer anyway."
Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their systems are vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their systems secure.
Big surprise when they choose the devil they know.
Interesting. The site is legit, but.... you would think McAfee would provide these links from a page on their main mcafee.com domain, instead of vil.nai.com (although whois confirms that McAfee does indeed own this domain).
Also, I find it disturbing that McAfee doesn't provide an SSL certificate for this page to confirm the site's identity. Seems to me that this page would be a high-profile target for hijacking, especially considering that most people will blindly download and run the executables that it contains.
I should point out that "rm -rf /*" will only remove viruses on Windows machines with cygwin installed. It won't remove them from a Linux machine, since you need to have a virus to remove before you can remove it.
"Thanks Dan! We'll be sure to patch this problem in the next Conficker update."
10 million computers infected. Self destruct.
For Windows server admins who aren't experienced Python users, I put together this quick overview of steps to use scs on a Windows network. http://bobsfieldnotes.blogspot.com/
Could infection be prevented on a clean machine, by just creating the conficker mutexes when starting a machine, before the virus gets a chance? All you'd need is a small tool that would start as early as possible during boot.
This same tool could also be used as a simple test for infection. If the mutexes are already there, it means the machine is infected.
Back in the '60s and '70s, when the current "drug war" was getting its start, some municipalities passed "narcotics paraphernalia" laws banning possession of anything that "could be used" for preparing or consuming controlled substances.
Aluminum foil was used to improvise "pipe screens" by lining a pipe bowl or a hole in a toilet paper roll and poking small holes in it with a pin. So these laws ended up banning aluminum foil. (Don't recall if this eventually got them struck down ...)
Maybe I'm doing it wrong. For me, this tool is not so quick and easy.
The scanner.py is not giving me hits against infected machines. The only way I get hits is to scan using Stinger from safe mode (safe mode is needed to delete the files).
For the record, of my workstations 90% plus were patched. It was a few workstations that were missed plus a weak password on the rest that got us in trouble.
You can search "conficker" on Picasa to see the screenshots of the scanner.py failing to detect anything on an infected machine. Also, there is no firewall running on this PC.
While technology has certainly changed and the consequences have increased due to a company's online presence, or an individual's for that matter, the hype surrounding Conficker reminds me of the infamous Michelangelo virus doing its deed on March 6. A quick Google search revealed an archived memo sent out at Stanford. I'll paste it here so as not to /. their webservers unnecessarily; how kind of me. lol!
-- Stanford memo 03/01/1993 --
"NEWS RELEASE
03/01/93
CONTACT: Stanford University News Service (415) 723-****
Michelangelo virus due to strike again March 6
STANFORD -- Employees who use an IBM PC, PS/2 or compatible computer should be aware that there is a small chance their computers have been infected with an infamous computer virus.
The "Michelangelo" virus, which is an especially destructive strain, may erase parts of a user's hard drive. This can happen every March 6, which is the famous artist's birthday, according to security officials in the Stanford Data Center.
The computer must be turned on sometime March 6 for the virus to do any damage. Since March 6 falls on a Saturday this year, the risk of any damage is relatively low, according to Bill Bauriedel, the Data Center's security chief.
However, he said, it is simply good practice to run an anti-virus program periodically to check for the presence of one or more viruses. Michelangelo is only one of more than 700 identified viruses that can infect a computer.
"Even though you may not have the Michelangelo virus, your computer may be infected with something else," Bauriedel said. "While probably not as dangerous as Michelangelo, these other viruses should be disinfected as well - once disinfected, they can't spread from your machine to someone else's machine."
Staffers and faculty who have a Forsythe account and use Samson can download an antivirus program called F-PROT. For instructions on how to perform the download, issue these two commands:
USE WYL.GB.SEC.FPROT and PRINT.
Users without a Forsythe account can exchange a blank floppy for the antivirus program either at the consulting office on the second floor of Sweet Hall or at the Information Security Office in Spruce Hall, room F19.
For more information on matters of computer security, contact ******* at 723-****.
930301Arc3381.html"
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor
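Once the command above has been run across a network, the useful output is the per-host Conficker line of the smb-check-vulns report. The parser below is an added example (not part of nmap or of Fyodor's post) that pulls those lines out of nmap's normal-format output and tallies them. The embedded sample is constructed and only approximates the report layout of that nmap version; host addresses are placeholders. Hosts that answer on the SMB ports but produce no script result (the Windows Firewall case mentioned earlier in the thread) are kept in the report as "no-result" rather than silently counted as clean.

```python
"""Tally Conficker verdicts from nmap smb-check-vulns normal output.

Added example; the sample output and the verdict vocabulary below are
assumptions about the report format, not text taken from the page.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample of `nmap ... --script=smb-check-vulns` normal output.
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.0.12:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT VULNERABLE

Interesting ports on 192.168.0.20:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT VULNERABLE

Interesting ports on 192.168.0.31:
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
"""

# Accept both the older "Interesting ports on X:" and newer "Nmap scan report for X" headers.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
# Script lines are prefixed with "|  " or "|_ " in nmap output.
CONFICKER_RE = re.compile(r"^\|[_ ]?\s*Conficker:\s*(.+)$")


def classify(text: str) -> str:
    """Map the script's free-text verdict onto a small fixed vocabulary."""
    t = text.strip().upper()
    if t.startswith("LIKELY INFECTED"):
        return "infected"
    if t.startswith("LIKELY CLEAN"):
        return "clean"
    return "unknown"  # e.g. the script could not tell (non-Windows, crashed service)


def parse_conficker_results(output: str) -> Dict[str, str]:
    """Return {host: verdict}; hosts with no Conficker line get 'no-result'."""
    results: Dict[str, str] = {}
    host = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "no-result"
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            results[host] = classify(m.group(1))
    return results


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count hosts per verdict, e.g. {'infected': 1, 'clean': 1, 'no-result': 1}."""
    return dict(Counter(results.values()))


def infected_hosts(results: Dict[str, str]) -> List[str]:
    """Sorted list of hosts the script reported as likely infected."""
    return sorted(h for h, v in results.items() if v == "infected")


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    parsed = parse_conficker_results(text)
    print(summarize(parsed))
    for h in infected_hosts(parsed):
        print("likely infected:", h)
```

Pipe a saved scan into it (`nmap ... -oN scan.txt`, then `python tally.py < scan.txt`) or run it bare to see the constructed sample. Keeping "no-result" and "unknown" distinct from "clean" matters operationally: a firewalled or non-Windows host has not been cleared, it has merely not been checked.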
Well, I have to give him credit for not 'begging the question'.(could not help myself, sorry) ;-)
The last comparison/shootout/review of home/personal use AV software I heard about was touting NOD32 as top dog, with Avast Home and AVG Free as second and third, respectively.*
I do not know if NOD32 has a free-for-personal-use version or not, but both of the others are free for personal use. (Both also have paid-for business versions that are more net capable.)
Have also heard good things about BitDefender.
I have used both Avast and AVG (but not NOD32), and use one of the two on the rare occasion I work on friends' or family's computers. They both have worked well for all.
*This was about a year to a year and a half ago. Find a reputable writeup (AnandTech, Tom's Hardware, etc.) for more current info and check them out.
Update: A quick Google check shows BitDefender to be in the top three ranking wherever I check, and NOD32 stays in the top six, with both of the others being in the top ten. BitDefender and NOD32 have free trials, but will set you back $25-40 USD to keep after the trial; AVG and Avast both still have free home versions.
Set the date forward to April 1st and see what happens with an infected machine with a packet sniffer? If it goes out to the net to check remote time servers, packet sniff to see where it's looking and forge answers?
Because I am lazy and don't feel like digging through the scripts, what is posted if a box is found with Conficker on it? I got all cleans; anyone find any infected?