Slashdot Mirror


Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

35 of 288 comments

  1. Wow! by MrNaz · · Score: 5, Insightful

    Wow. So this:

    IT tech: Do you know if your workstation has a virus?
    User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]

    Which would happen once for every node on the network, would become this:

    root@admin:~$ nmap 192.168.0.* -confickercheck

    Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.

    --
    I hate printers.
    1. Re:Wow! by fuzzyfuzzyfungus · · Score: 5, Informative

      If only the users who leave their printers unplugged habitually used linux...

      To be fair, you can do something similar in Windows; but it sure isn't the soul of wit.

    2. Re:Wow! by morgan_greywolf · · Score: 4, Insightful

      If only all malware was this easy to detect. Unfortunately, despite the proliferation of automatic virus scanners, "firewalls," and various other techniques, infections still occur.

      The main problem is the current monoculture in desktop operating systems. No matter what you think of Microsoft, no matter what you think of Windows, you have to admit that having 90% marketshare of a single OS on desktop operating systems is the biggest part of the problem. The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it on on an OS that has always been designed to be a highly integrated one-size-fits-all solution.

    3. Re:Wow! by cbiltcliffe · · Score: 4, Funny

      If you have even half-assed antivirus in a corporate environment, you'll be able to log into the admin console, and see what machines are infected.
      You can also see when a machine was last in contact with the controller, so if a virus kills the A/V on a machine, it will stop contacting. Anything that's been over a week since contact automatically should be physically investigated.

      Of course, you could be using Norton Internet Security 2009 on your corporate machines, which doesn't have this capability. But if you are, you're an incompetent moron, and shouldn't be trusted with a Gameboy, forget a multi-computer corporate network.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    4. Re:Wow! by Anonymous Coward · · Score: 4, Interesting

      No one said that network security isn't "bolted on" in UNIX.

      But there are other machines which are definitely invulnerable to the attack methods used by worms like Conficker (typically modifying program flow by injecting executable code and altering address pointers, so the injected code will be executed).

      For example, IBM's AS/400 / iSeries 400 / eServer i5 (/ or whatever the name is today) has built-in (hardware-supported) pointer protection and separate address-stack and data-stack.
      Actually, that is the reason why the CPUs are sometimes called "65-bit CPUs" instead of "64-bit CPUs" - the 65th bit is a tag flag (in memory, it's stored in the ECC area).

      The details can be read in the book "The Inside Story of the IBM iSeries" by Frank G. Soltis.

      What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.

    5. Re:Wow! by Pvt_Ryan · · Score: 5, Funny

      I use Antivirus360 on my network, my last scanner was shit, the Antivirus360 free trial found loads of infections my other scanner missed..

    6. Re:Wow! by gzipped_tar · · Score: 4, Informative

      Assuming you are using BASH, enabling the shopt "dotglob" may be helpful if you want the * glob to expand to dot-files.

      --
      Colorless green Cthulhu waits dreaming furiously.
  2. Re:i find it so hard by new+death+barbie · · Score: 5, Insightful

    There is a virus infecting a huge number of systems and no one knows what it is destined to do.

    Seems like a pretty GOOD reason to genuinely care, if you ask me.

    --

    It's supposed to be completely automatic, but actually you have to press this button.

  3. Re:i find it so hard by Anonymous Coward · · Score: 5, Funny

    Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.

  4. Re:i find it so hard by fuzzyfuzzyfungus · · Score: 5, Insightful

    While I agree that caring about the poor widdle windows users is a boring hobby, there are reasons for it.

    First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.

    Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.

    Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.

  5. Re:i find it so hard by FTWinston · · Score: 4, Interesting

    My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April fool.

  6. Am i doing it wrong? by arndawg · · Score: 5, Funny

    "You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both English and Norwegian.

    1. Re:Am i doing it wrong? by Anonymous Coward · · Score: 4, Funny

      Use the mouse. It's quaint but it works. A Scottish accent may be helpful as well. ;)

    2. Re:Am i doing it wrong? by Yosho · · Score: 5, Funny

      So how do you use a mouse with a Scottish accent?

      Well, first, you've got to get it drunk...

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
    3. Re:Am i doing it wrong? by ThrowAwaySociety · · Score: 4, Informative

      So how do you use a mouse with a Scottish accent? Curious minds are dying to know.

      http://www.youtube.com/watch?v=wzRziK-kZtQ

      Just drop your geek card in the slot by the door as you leave.

  7. Re:i find it so hard by Ralish · · Score: 5, Insightful

    to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.

    A few things:

    1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?

    2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of.

    If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.

  8. Re:It just amazes me by Computershack · · Score: 5, Informative

    I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.

    You mean like patching the flaw MONTHS before Conficker was released?

    What about having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done, which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...

    Oh wait...

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  9. Re:i find it so hard by Ralish · · Score: 4, Informative

    In fact, having double checked my information, the security patch that fixes the vulnerability that Conficker exploits was released prior to the creation and subsequent distribution of Conficker.

    So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.

  10. Re:i find it so hard by k.a.f. · · Score: 5, Insightful

    There is a virus infecting a huge number of systems and no one knows what it is destined to do.

    Seems like a pretty GOOD reason to genuinely care, if you ask me.

    Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?

  11. Re:i find it so hard by morgan_greywolf · · Score: 4, Funny

    Hi, I'm the author of Conficker and the payload is to get a first post on slashdot.

    That's it? You wrote a worm to get a first post on Slashdot? Damn. How lame are you?

  12. Potential problem by Shrike82 · · Score: 5, Funny

    We figured this out on Friday, and got code put together for Monday.

    And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.

    --
    You can advertise in this sig from as little as £99.99 a month!
  13. So... by ericrost · · Score: 5, Insightful

    So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....

    Very crappy post, editors!

    1. Re:So... by Zocalo · · Score: 5, Insightful
      From Dan Kaminsky's site, immediately under the bit that looks like the Slashdot story funnily enough, so I'm guessing it got dropped to save space on the Slashdot front page:

      The technical details are not complicated -- Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version -- but I'll let Tillmann and Felix describe this in full in their "Know Your Enemy" paper, due out any day now with all sorts of interesting observations about this annoying piece of code. (We didn't think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:So... by Effugas · · Score: 5, Interesting

      I actually worked with the researchers on this. (This is Dan.)

    3. Re:So... by iago-vL · · Score: 4, Informative

      Hey guys,

      I'm the author of that script, and that's exactly right. I posted a full explanation on my blog.

    4. Re:So... by wiedzmin · · Score: 4, Informative
      Be VERY careful running it on your network, this is from the NMAP smb-check-vulns.nse script description:

      WARNING: These checks are dangerous, and are very likely to bring down a server. These should not be run in a production environment unless you (and, more importantly, the business) understand the risks!

      As a system administrator, performing these kinds of checks is crucial, because a lot more damage can be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers, on the other hand, might not want to use this script -- crashing services is not generally a good way of sneaking through a network.

      If you set the script parameter 'unsafe', then scripts will run that are almost (or totally) guaranteed to crash a vulnerable system; do NOT specify unsafe in a production environment! And that isn't to say that non-unsafe scripts will not crash a system, they're just less likely to.

      MS08-067 -- Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow remote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems, 52 crashed.

      --
      Bow before me, for I am root.
  14. But not in Germany or UK? by AliasMarlowe · · Score: 4, Interesting

    Which would happen once for every node on the network, would become this:
    root@admin:~$ nmap 192.168.0.* -confickercheck

    But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
    http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
    http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
    So if you use nmap to clean your network, you may be open to criminal charges.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  15. or other way.. by orange47 · · Score: 5, Interesting

    you could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.
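    The check described in the comment above, written out as an added example (not code from the thread or from SRI): resolve a short list of security-vendor names plus a control name that the worm has no reason to block, and only flag the host when the vendor names fail while the control succeeds. Only www.clamav.net comes from the comment; the second vendor entry is a labelled placeholder for names an administrator would copy from the SRI addendum, and the offline resolver is a constructed stand-in for socket.gethostbyname.

```python
import socket
from typing import Callable, Dict, Iterable

# Constructed check list: www.clamav.net is the name given in the comment;
# the second entry is a placeholder for any further name taken from the
# SRI addendum linked there. Replace it with real entries before use.
VENDOR_DOMAINS = ("www.clamav.net", "placeholder-vendor.example")

# Control name the worm has no reason to filter. If this one also fails,
# the host simply has no DNS, which says nothing about Conficker.
CONTROL_DOMAIN = "www.example.com"

Resolver = Callable[[str], str]


def probe(names: Iterable[str], resolve: Resolver = socket.gethostbyname) -> Dict[str, bool]:
    """Map each name to True if it resolved, False if resolution failed."""
    results: Dict[str, bool] = {}
    for name in names:
        try:
            resolve(name)
            results[name] = True
        except OSError:  # socket.gaierror is a subclass of OSError
            results[name] = False
    return results


def verdict(vendor: Dict[str, bool], control_ok: bool) -> str:
    """Combine the two probes into a single, defensible call."""
    if not control_ok:
        return "network-down"      # cannot conclude anything
    if not any(vendor.values()):
        return "suspicious"        # vendor names fail, control works
    if all(vendor.values()):
        return "clear"
    return "partial"               # mixed result; inspect by hand


def run(resolve: Resolver = socket.gethostbyname) -> str:
    """Run both probes with the given resolver and return the verdict.

    As the comment notes, a name already answered from a local cache may
    still resolve; treat "clear" as a weak signal and a full scan as the
    strong one."""
    vendor = probe(VENDOR_DOMAINS, resolve)
    control = probe([CONTROL_DOMAIN], resolve)[CONTROL_DOMAIN]
    return verdict(vendor, control)


def fake_resolver(blocked_substrings: Iterable[str]) -> Resolver:
    """Constructed offline stand-in: fail any name containing a listed
    substring, answer everything else with a documentation address."""
    blocked = tuple(blocked_substrings)

    def resolve(name: str) -> str:
        if any(s in name for s in blocked):
            raise OSError(f"simulated block of {name}")
        return "192.0.2.1"  # TEST-NET-1, never a real host

    return resolve


if __name__ == "__main__":
    # Live check against the real resolver on this host.
    print(run())
    # Simulated Conficker.C-style filtering of vendor names only.
    print(run(fake_resolver(["clamav", "vendor"])))
```

    Running it on a suspect workstation gives one word an administrator can act on; the control name keeps a plain network outage from being reported as an infection.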

  16. Windows HOWTO by Dynamoo · · Score: 5, Informative
    1. Download and install Python 2.6.1: http://www.python.org/ftp/python/2.6.1/python-2.6.1.msi
    2. Download Impacket from http://oss.coresecurity.com/repo/Impacket-stable.zip (or maybe http://pypi.zestsoftware.nl/impacket/ or some other mirror)
    3. Download the scanner from http://iv.cs.uni-bonn.de/uploads/media/scs.zip
    4. Unpack Impacket into a folder, then install Impacket from a command line with c:\python26\python setup.py install
    5. Run the scanner with the command c:\python26\python scs.py [start_ip] [end_ip]

    (Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.

    --
    Never email donotemail@WeAreSpammers.com
  17. Re:-1 Whoosh by L4t3r4lu5 · · Score: 4, Funny

    *Bzzzzzzt!*

    The comment system is temporarily disabled while we resolve this revolving door bug. Apologies for any inconvenience.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  18. Re:i find it so hard by L4t3r4lu5 · · Score: 4, Insightful
    They turn it off because Windows Update either:
    1. Popping up a bubble every 5 minutes telling you to restart your computer.
    2. Popping up a window every 5 minutes telling you to restart your computer.
    3. Restarting your computer automatically, without asking permission, and informing you afterwards.

    When you've gone to make some coffee and you come back to the message "An important update required a restart of your computer." the first question you ask is "Where did my work go?" The second question is "How do I stop that happening again?"

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  19. Re:i find it so hard by emocomputerjock · · Score: 5, Funny

    All that will be left is a box in Madagascar with its ports closed.

  20. Re:It just amazes me by scrib · · Score: 5, Insightful
    I tried that.

    "You must be logged on as a member of the Administrators group to run the tool."

    A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.

    --
    Help! Help! I'm being repressed!
  21. Re:i find it so hard by Ralish · · Score: 4, Insightful

    You do realise that this is completely wrong?

    Microsoft distributes security updates to _ALL_ editions of Windows that are currently maintained irrespective of the legality of the license. However, if you are not running a legal license, you can only receive updates through Automatic Updates, limited purely to security updates. Use of Windows/Microsoft Update and/or the downloading of non-security updates requires a valid license. The reasoning for this is to prevent exactly what you accuse Microsoft of not doing, reducing the risk of large viral/worm outbreaks and the impact of such outbreaks on Windows users, particularly those with legal licenses. Even if you completely fail WGA validation, you still will receive security updates through Automatic Updates.

    Ideally, I'd prefer MS to permit security updates through the WU/MU frontend even if an invalid license is detected. I'm not sure what error message is displayed and if it prompts for Automatic Updates to be enabled or informs the user that they can still receive security updates through AU. However, the point remains that MS still permits a legal avenue of obtaining such updates, despite running an invalid license, at THEIR cost of distributing such updates.

    There is no excuse for not being patched.

  22. Nmap 4.85BETA5 just released by fv · · Score: 4, Informative
    I'm happy to report that we've just released Nmap 4.85BETA5 with Conficker detection so you can do that scan! The actual recommended command is:

    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

    For more details, see the announcement at http://insecure.org.
    -Fyodor
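    An added example, not code from Fyodor, the Nmap project or the thread, showing how an administrator might wrap the recommended command above and turn its result into a host list: the command is built exactly as given in the comment with an XML output option added (-oX is a standard nmap option), and the parser walks nmap's XML for the smb-check-vulns script output. The sample XML below is constructed for offline use, and the "Conficker: Likely INFECTED" wording it matches on is an assumption about the script's output format, not something this page quotes.

```python
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List


def build_command(targets: List[str], xml_out: str = "-") -> List[str]:
    """The command recommended in the comment, plus -oX so the output is
    machine-readable ("-" writes the XML to stdout)."""
    return ["nmap", "-PN", "-T4", "-p139,445", "-n", "-v",
            "--script=smb-check-vulns", "--script-args", "safe=1",
            "-oX", xml_out, *targets]


def parse_results(xml_text: str) -> Dict[str, str]:
    """Map each scanned address to its smb-check-vulns script output."""
    root = ET.fromstring(xml_text)
    found: Dict[str, str] = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for script in host.iter("script"):
            if script.get("id") == "smb-check-vulns":
                found[addr] = script.get("output", "")
    return found


def likely_infected(results: Dict[str, str]) -> List[str]:
    """Addresses whose script output flags Conficker.

    Assumption: the script reports a line of the form
    'Conficker: Likely INFECTED'; adjust the match if your version differs."""
    return sorted(addr for addr, out in results.items()
                  if "Conficker" in out and "INFECTED" in out)


def scan(targets: List[str]) -> List[str]:
    """Run nmap for real (needs Nmap 4.85BETA5 or later installed) and
    return the likely-infected addresses."""
    proc = subprocess.run(build_command(targets), capture_output=True,
                          text=True, check=True)
    return likely_infected(parse_results(proc.stdout))


# Constructed sample of nmap's XML output: two hosts, one flagged.
# Addresses are from the TEST-NET-1 documentation range.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#10;  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)&#10;  Conficker: Likely INFECTED"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns"
      output="&#10;  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)&#10;  Conficker: Likely CLEAN"/>
    </hostscript>
  </host>
</nmaprun>"""


if __name__ == "__main__":
    print(" ".join(build_command(["192.0.2.0/24"])))
    print("likely infected:", likely_infected(parse_results(SAMPLE_XML)))
```

    Keeping safe=1 in the argument list matters: as wiedzmin's comment above quotes from the script description, the unsafe MS08-067 check is likely to crash a vulnerable host, while the Conficker check alone is the one meant for production networks.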