Slashdot Mirror

← Back to Stories (view on slashdot.org)

Taming Conficker, the Easy Way

Posted by kdawson on from the scanner-lightly dept.

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project'sTillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

19 of 288 comments (clear)

  1. Wow! by MrNaz · · Score: 5, Insightful

    Wow. So this:

    IT tech: Do you know if your workstation has a virus?
    User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]

    Which would happen once for every node on the network, would become this:

    root@admin:~$ nmap 192.168.0.* -confickercheck

    Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.

    --
    I hate printers.
    1. Re:Wow! by fuzzyfuzzyfungus · · Score: 5, Informative

      If only the users who leave their printers unplugged habitually used linux...

      To be fair, you can do something similar in Windows; but it sure isn't the soul of wit.

    2. Re:Wow! by Pvt_Ryan · · Score: 5, Funny

      I use Antivirus360 on my network, my last scanner was shit, the Antivirus360 free trial found loads of infections my other scanner missed..

  2. Re:i find it so hard by new+death+barbie · · Score: 5, Insightful

    There is a virus infecting a huge number of systems and no one knows what it is destined to do.

    Seems like a pretty GOOD reason to genuinely care, if you ask me.

    --

    It's supposed to be completely automatic, but actually you have to press this button.

  3. Re:i find it so hard by Anonymous Coward · · Score: 5, Funny

    Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.

  4. Re:i find it so hard by fuzzyfuzzyfungus · · Score: 5, Insightful

    While I agree that caring about the poor widdle windows users is a boring hobby, there are reasons for it.

    First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.

    Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.

    Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.

  5. Am i doing it wrong? by arndawg · · Score: 5, Funny

    "You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both english and norwegian.

    1. Re:Am i doing it wrong? by Yosho · · Score: 5, Funny

      So how do you use a mouse with a Scottish accent?

      Well, first, you've got to get it drunk...

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
  6. Re:i find it so hard by Ralish · · Score: 5, Insightful

    to genuinely care about the hype surrounding this worm when no one knows what its destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.

    A few things:

    1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?

    2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of.

    If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.

  7. Re:It just amazes me by Computershack · · Score: 5, Informative

    I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.

    You mean like patching the flaw MONTHS before Conficker was released?

    What having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...

    Oh wait...

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  8. Re:i find it so hard by k.a.f. · · Score: 5, Insightful

    There is a virus infecting a huge number of systems and no one knows what it is destined to do.

    Seems like a pretty GOOD reason to genuinely care, if you ask me.

    Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?

  9. Potential problem by Shrike82 · · Score: 5, Funny

    We figured this out on Friday, and got code put together for Monday.

    And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.

    --
    You can advertise in this sig from as little as £99.99 a month!
  10. So... by ericrost · · Score: 5, Insightful

    So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....

    Very crappy post, editors!

    --
    My Babylon
    1. Re:So... by Zocalo · · Score: 5, Insightful
      From Dan Kaminsky's site, immediately under the bit that looks like the Slashot story funnily enough, so I'm guessing it got dropped to save space on the Slashdot front page:

      The technical details are not complicated -- Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version -- but I'll let Tillmann and Felix describe this in full in their "Know Your Enemy" paper, due out any day now with all sorts of interesting observations about this annoying piece of code. (We didn't think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:So... by Effugas · · Score: 5, Interesting

      I actually worked with the researchers on this. (This is Dan.)

  11. or other way.. by orange47 · · Score: 5, Interesting

    you could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (also many other security sites, see list here http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't then ConfickerC is probably blocking them. I'm not sure this would work for cached domains, though.

  12. Window HOWTO by Dynamoo · · Score: 5, Informative
    1. Download and install Python 2.6.1: http://www.python.org/ftp/python/2.6.1/python-2.6.1.msi
    2. Download Impacket from http://oss.coresecurity.com/repo/Impacket-stable.zip (or maybe http://pypi.zestsoftware.nl/impacket/ or some other mirror)
    3. Download the scanner from http://iv.cs.uni-bonn.de/uploads/media/scs.zip
    4. Unpack Impacket into a folder, then install Impacket from a command line with c:\python26\python setup.py install
    5. Run the scanner with the command c:\python26\python scs.py [start_ip] [end_ip]

    (Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.

    --
    Never email donotemail@WeAreSpammers.com
  13. Re:i find it so hard by emocomputerjock · · Score: 5, Funny

    All that will be left is a box in Madagascar with it's ports closed.

  14. Re:It just amazes me by scrib · · Score: 5, Insightful
    I tried that.

    "You must be logged on as a member of the Administrators group to run the tool."

    A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.

    --
    Help! Help! I'm being repressed!