Using Conficker's Tricks To Root Out Infections
iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."
http://interviews.slashdot.org/comments.pl?sid=63874&cid=5938151
The nmap based tools obviously aren't the right tool for the "clueless parents/noobs/whatever" case. If you have a large number of machines to check and at least one competent person, use nmap. If you need to test a noob's box over the phone, just have them open the Conficker eyechart and tell you whether the images load or not.
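A scripted version of the eyechart check described in the comment above, as an added example (not code from the original page, from Nmap, or from the eyechart's authors). It assumes the same idea: a host that can reach a control site but fails to reach every security-vendor site looks like it has Conficker's domain blocking in place. The hostnames below are constructed placeholders and must be replaced with the vendor and control sites the real eyechart loads images from; the probe function is the only part that touches the network, so the verdict logic can be exercised offline.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Mapping

# Constructed placeholders for this example. Replace with the security-vendor
# hosts the eyechart actually loads images from.
VENDOR_SITES: List[str] = [
    "av-vendor-a.example",
    "av-vendor-b.example",
    "av-vendor-c.example",
]
# Constructed placeholder for a host the worm does not block; used to tell
# "vendor sites blocked" apart from "no connectivity at all".
CONTROL_SITES: List[str] = ["control-site.example"]


def http_reachable(host: str, timeout: float = 5.0) -> bool:
    """Default probe: fetch http://<host>/ and treat any HTTP answer as reachable.

    An HTTP error (404, 403, ...) still proves DNS and TCP worked, which is all
    the eyechart cares about; only resolution/connection failures count as blocked.
    """
    try:
        urllib.request.urlopen(f"http://{host}/", timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True
    except Exception:
        return False


def classify(results: Mapping[str, bool],
             vendors: List[str] = VENDOR_SITES,
             controls: List[str] = CONTROL_SITES) -> str:
    """Turn per-host reachability into an eyechart-style verdict.

    no-connectivity : not even the control site loads, so nothing can be concluded
    suspect         : control loads, every vendor site fails (matches the worm's blocking)
    partial         : control loads, some vendor sites fail (could be a flaky site or a
                      proxy/filter; worth a manual look, not a verdict)
    clean           : everything loads
    """
    control_ok = any(results.get(h, False) for h in controls)
    failed_vendors = [h for h in vendors if not results.get(h, False)]
    if not control_ok:
        return "no-connectivity"
    if len(failed_vendors) == len(vendors):
        return "suspect"
    if failed_vendors:
        return "partial"
    return "clean"


def run_eyechart(probe: Callable[[str], bool] = http_reachable,
                 vendors: List[str] = VENDOR_SITES,
                 controls: List[str] = CONTROL_SITES) -> Dict[str, object]:
    """Probe every host with `probe` and return the raw results plus the verdict."""
    results = {h: probe(h) for h in vendors + controls}
    return {"results": results, "verdict": classify(results, vendors, controls)}


if __name__ == "__main__":
    report = run_eyechart()
    for host, ok in report["results"].items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}")
    print("verdict:", report["verdict"])
```

The "partial" state is deliberately not treated as an infection verdict: a single vendor site being down or filtered by a corporate proxy should not read as Conficker, which is why the control host is required before any vendor failure is interpreted at all.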
OK, so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work OK. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need it to be a file server - and if you can't patch it for whatever reason...
If you can't patch it for some reason you fix the reason the patch fails. If that involves a server upgrade to 2003, then so be it. Hell, you mentioned it's an SMB attack and you can't protect against that if you're a file server. While true in a sense, you *can* protect against it by making sure all the non-file servers on the network aren't vulnerable. Make sure you don't use that machine for anything other than the applications you need (certainly don't use it as a terminal server as well). Have a security policy in place that makes it so you can't add vulnerable computers to the network, have a firewall between the company and the internet, etc.
This is something people don't understand until it happens to them, but security is serious business. If you have a server that has a must-have application on it and you don't keep that thing #1: backed up, #2: up to date with security, you are just waiting for either data loss or time loss on the server.
If you can't afford to replace a server in that condition, then you likely can't afford the IT professional you hired to run it.
Hardware is inexpensive, especially considering you're running on Windows 2000 pre-SP4, you can get a low end server as a replacement and it'll be a very good upgrade. That's not even considering if you can replace with something other than windows or not!
Do you Gentoo!?
When I get phone calls from people asking me to fix their Conficker infected PCs, my first comment to them isn't "Told you so! Seems like you should have spent a small amount of time patching your machine". Not only would that be bad business, but most people in that situation don't understand the fundamentals at work here. If they did, I wouldn't be getting calls in the first place. That's where I come in, fix/configure their PC appropriately, and educate them as best I can. Telling me I should have patched machines I have no control over after the fact isn't very helpful...
nmap can scan an entire network though; this is good news, especially if you're pen testing and you find the network is full to the brim with bots.
IranAir Flight 655 never forget!