Slashdot Mirror
Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project'sTillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
I hate printers.
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
It's supposed to be completely automatic, but actually you have to press this button.
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.
While I agree that caring about the poor widdle windows users is a boring hobby, there are reasons for it.
First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.
Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.
Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made conflicker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped april fool.
"You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both english and norwegian.
to genuinely care about the hype surrounding this worm when no one knows what its destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
A few things:
1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?
2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of.
If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.
I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.
You mean like patching the flaw MONTHS before Conficker was released?
What having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...
Oh wait...
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
In fact, having double checked my information, the security patch that fixes the vulnerability that Conficker exploits was released prior to the creation and subsequent distribution of Conficker.
So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot.
That's it? You wrote a worm to get a first post on Slashdot? Damn. How lame are you?
My blog
We figured this out on Friday, and got code put together for Monday.
And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.
You can advertise in this sig from as little as £99.99 a month!
So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
My Babylon
Haven't you ever played Uplink? It is in the nature of virus creators to attempt to destroy the Internet.
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
So if you use nmap to clean your network, you may be open to criminal charges.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Because it was created for E V I L ?
I think it's going to cause all computers to turn into a small thermonuclear bomb (that's what computers are made of, plutonium and Selenium!) and destroy the planet in the name of some stupid reason.
WE ARE ALL GOING TO DIE!!!! PLEASE START PANICKING NOW!
I'm already looting the vending machines in the lunch room and built a bunker near them with boxes of last years TPS reports, the recycling buckets make good helmets.
And they all said I over-react. Who's the fool now!
Do not look at laser with remaining good eye.
McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx
you could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.
(Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.
Never email donotemail@WeAreSpammers.com
There is no 'grand activation date'. April 1st *or later* when it updates itself.. it's more likely to upgrade to conficker D than do anything else.
It's just not in the authors interest to do any damage - whilst people don't know they are infected they can participate in the botnet. If the virus makes itself obvious then all that potential revenue is destroyed.
The f-secure blog puts it best: http://www.f-secure.com/weblog/archives/00001636.html
*Bzzzzzzt!*
The comment system is temporarily disabled while we resolve this revolving door bug. Apologies for any inconvenience.
Finally had enough. Come see us over at https://soylentnews.org/
I'd say as a rough guess, that 75% of viruses/trojans/malware nowadays turn off Windows Update as part of the infection process.
Somebody gets one of these fake Facebook spams, goes to the site in question to see Amanda Whatserface doing her striptease on stage, downloads Adobe_Player11.exe, so they can see the video, and bam. They're infected.
And before you bitch about them not having up to date antivirus.....I sent this file to virustotal.com a couple of days after I first got one of these spams, and it was detected as a known virus by a grand total of zero scanners.
Two flagged it as a suspicious file, and the rest (37 or so) let it sail on through.
Somebody gets hit with one of these things, and they'll have no A/V, no Auto Updates, and probably no firewall. They won't know it, because they'll also have no Security Center Service.
Or there's the possibility that they got infected, took their machine to a big-box moron to get it fixed, and the idiot in question cleaned the virus, but didn't enable all the disabled services. So again, no firewall, no Auto Updates.
It's not all because they're turned off intentionally.
"City hall" in German is "Rathaus" Kinda explains a few things......
When you've gone to make some coffee and you come back to the message "An important update required a restart of your computer." the first question you ask is "Where did my work go?" The second question is "How do I stop that happening again?"
Finally had enough. Come see us over at https://soylentnews.org/
All that will be left is a box in Madagascar with it's ports closed.
ipc0nfig: ...why not just move the computer clock forward to April 1st, and see what Conficker does.
cdrudge:
For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.
I think ipc0nfig has a fair point - you could run an date-adjusted infected machine in a VM, isolated inside a virtual network, and monitor any disk/network activity.
Of course, you might not know what'll really happen unless you let it phone home, and even then you might not see what will happen on April 1st; but it might give more clues about which external addresses to block.
Oh, how convenient: a theory about God that doesn't involve looking through a telescope.
seriously ? it is named "Malicious Software Removal Tool" ? so we could call it... "ms removal tool".
that's the best name of software coming from microsoft in a long time.
Rich
"You must be logged on as a member of the Administrators group to run the tool."
A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.
Help! Help! I'm being repressed!
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you let give the user freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.)
You do realise that this is completely wrong?
Microsoft distributes security updates to _ALL_ editions of Windows that are currently maintained irrespective of the legality of the license. However, if you are not running a legal license, you can only receive updates through Automatic Updates, limited purely to security updates. Use of Windows/Microsoft Update and/or the downloading of non-security updates requires a valid license. The reasoning for this is to prevent exactly what you accuse Microsoft of not doing, reducing the risk of large viral/worm outbreaks and the impact of such outbreaks on Windows users, particularly those with legal licenses. Even if you completely fail WGA validation, you still will receive security updates through Automatic Updates.
Ideally, I'd prefer MS to permit security updates through the WU/MU frontend even if an invalid license is detected. I'm not sure what error message is displayed and if it prompts for Automatic Updates to be enabled or informs the user that they can still receive security updates through AU. However, the point remains that MS still permits a legal avenue of obtaining such updates, despite running an invalid license, at THEIR cost of distributing such updates.
There is no excuse for not being patched.
This is much like the "linux uses a command line, so it's better. I don't care if you don't want to learn arcane syntax".
Windows is hard to configure correctly. If you don't know the magic registry line, or which utility buried in the system folders to use, there's no way in hell you can make the fine-grained adjustment not to automatically restart. On the other hand, turning off system updates entirely is easy. I'd count the clicks if I had a windows box available, but I guarantee it's not that many.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor