Slashdot Mirror


Using Conficker's Tricks To Root Out Infections

iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."

12 of 117 comments

  1. Clever but... by Shrike82 · · Score: 4, Insightful
    Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it? We already established that the worm exploits a vulnerability that was patched before its release, and we've speculated that therefore it's mainly affecting users who are clueless about security, and therefore unlikely to even realise they have a problem?

    From TFA:

    To scan your network quickly for Conficker infections before the next variant breaks this new technique, we recommend this command: nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

    Now forgive me, but people like my parents (running Windows 98 until last year, now on XP) with no idea about security, no anti-virus scanner (despite my lectures over the phone) and no idea what the symptoms of a virus, worm or other malware are, are not going to find this information, nor know what to do with it if they did.

    Computing professionals might have little trouble detecting and removing Conficker, or are safe in the knowledge that they were protected before its release, but we'll still have to deal with the consequences of a botnet comprised of infected computers belonging to people with little or no technical computer knowledge.

    --
    You can advertise in this sig from as little as £99.99 a month!
    1. Re:Clever but... by flyingfsck · · Score: 3, Insightful

      Clearly, your parents don't have a problem. They have a child that can fix things for them. On the other hand, you have a problem, so you should install a reverse VNC client on their machine so they can connect to you for support.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Clever but... by ukyoCE · · Score: 2, Insightful

      I don't think the story is targeted at parents. It's targeted at sysadmins trying to clean Conficker off their network. Your parents won't run it, but perhaps Comcast will run it and get your parents fixed up. Or your parents' sysadmin at work will run it and fix their work computer.

      It's kind of silly to expect TFA is targeted at "your parents" when it's using nmap to scan a network...
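    For a sysadmin running the nmap command quoted above across a whole network, here is an added example (not from the article or the Nmap project) that reads nmap's XML output (`-oX`) and lists which hosts the p2p-conficker script flagged. It assumes the script's output text contains the word INFECTED for a positive result and CLEAN otherwise; the sample XML and its script text are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not real scan data); the
# p2p-conficker output text is an assumption about what the script prints.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 --script p2p-conficker -oX - 192.0.2.0/30">
  <host><status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostscript>
      <script id="p2p-conficker" output="&#10;  4/4 checks are positive: Host is likely INFECTED"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <hostscript>
      <script id="p2p-conficker" output="&#10;  0/4 checks are positive: Host is CLEAN or ports are blocked"/>
    </hostscript>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def classify(output: str) -> str:
    """Map p2p-conficker script text to a verdict (assumed keywords)."""
    if re.search(r"\bINFECTED\b", output):
        return "infected"
    if re.search(r"\bCLEAN\b", output):
        return "clean"
    return "unknown"

def conficker_verdicts(xml_text: str) -> dict:
    """Return {ip: verdict} for every up host on which p2p-conficker ran."""
    verdicts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts never ran the script
        addr = host.find("address[@addrtype='ipv4']")
        script = host.find("hostscript/script[@id='p2p-conficker']")
        if addr is None or script is None:
            continue  # no script result for this host
        verdicts[addr.get("addr")] = classify(script.get("output", ""))
    return verdicts

def infected_hosts(xml_text: str) -> list:
    """Sorted list of hosts to isolate and clean first."""
    return sorted(ip for ip, v in conficker_verdicts(xml_text).items() if v == "infected")
```

Run the quoted nmap command with `-oX scan.xml` and feed the file's contents to `infected_hosts` to get the isolation list.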

  2. Re:Am I the only one... by Shrike82 · · Score: 3, Insightful

    You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

    Then you'd proceed to nad-kicking.

    --
    You can advertise in this sig from as little as £99.99 a month!
  3. Re:Am I the only one... by Anonymous Coward · · Score: 1, Insightful

    Is this where the saying "Good from far, far from good" comes into play?

  4. Re:This sounds like a temporary measure... by radtea · · Score: 4, Insightful

    Doesn't this sound like a temporary measure

    You say that like you think there's an alternative. There isn't.

    The viral ecology is a real ecology, where like all ecologies nothing is stable and everything is temporary.

    What this demonstrates, though, is that there are inherent limits to viral capabilities, because with added capability there is added vulnerability. This is true for OS's but it is equally true for viruses (yes, that is a correct English plural, ok?)

    So as virus programs get more complex and capable, they will generally also become more open to detection via exploitation of exactly those additional capabilities.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  5. Re:Am I the only one... by DomNF15 · · Score: 3, Insightful

    I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive. I'm sure any IT professional who has spent hours dealing with the fallout of Conficker will agree, as I personally spent a good amount of time rebuilding machines that got infected.

  6. Re:Am I the only one... by Binestar · · Score: 4, Insightful

    Seems like you should have spent a small amount of time patching the machines when the security updates were released instead of spending a good amount of time rebuilding them.

    --
    Do you Gentoo!?
  7. Re:Am I the only one... by Anonymous Coward · · Score: 1, Insightful

    Yeah, because "IT Professional" means he has (and has always had) full control over all the machines he touches. He couldn't, I don't know, fix customers' broken computers as (part of) his job.

  8. Re:Am I the only one... by Shakrai · · Score: 4, Insightful

    You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

    Then you'd proceed to nad-kicking.

    The only person I'd want to nad-kick in that scenario would be the moron IT person at my bank who didn't have his system configured to lock my account after X number of failed logon attempts.....

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  9. Re:Am I the only one... by DittoBox · · Score: 2, Insightful

    Some security updates can break poorly written "Enterprise" software. The kind that PHBs love.

    If they hadn't been fully tested with all the "Enterprise" software then he'd be utterly screwed if there were any problems.

    --
    Good. Cheap. Fast. Pick Two.
  10. Re:Am I the only one... by kirillian · · Score: 1, Insightful

    I'm glad, Binestar, that you have a boss that gives you a large enough budget to do so...or that you make your own budget. It's nice to be in a comfortable situation like that. However, if you hadn't noticed, in today's current economy, the CEOs buy personal jets with the IT department's security budget and the lawyers dictate how everyone spends their money. Being an IT Professional means trying to do an impossible job with no manpower and no budget in most companies...personally...my boss wastes thousands upon thousands on his own personal pet projects, but is loath to spend a few thousand to upgrade VITAL servers that are overworked. Security is important. However, sometimes, you have to work for/with idiots. You also have the infamous managers/bosses and their favorite people who have to have authorization to do EVERYTHING. So, you then have to deal with internal company security, hiding the fact that there is a super-user level account so that the boss CAN'T have access (because he's stupid enough to play around and destroy things). IT Professionals have a lot of other things to deal with. Idealism rarely has a place in the professional world - despite the fact that we wish it could.