Slashdot Mirror


Using Conficker's Tricks To Root Out Infections

iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."

28 of 117 comments

  1. Am I the only one... by Bicx · · Score: 5, Interesting

    that thinks Conficker is actually really cool? I mean, damage aside, it's pretty darn impressive.

    1. Re:Am I the only one... by Rogerborg · · Score: 5, Funny

      Sharks are pretty cool too, right up to the point where they start chewing on your leg. I guess it takes distance to gain perspective.

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:Am I the only one... by fuzzyfuzzyfungus · · Score: 5, Funny

      You have to have decent balance; but there is nothing stopping you from doing both. In fact, a friendly overture often puts the target at ease, making them easier to hit.

    3. Re:Am I the only one... by Shrike82 · · Score: 3, Insightful

      You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

      Then you'd proceed to nad-kicking.

      --
      You can advertise in this sig from as little as £99.99 a month!
    4. Re:Am I the only one... by value_added · · Score: 4, Funny

      Sharks are pretty cool too, right up to the point where they start chewing on your leg.

      I'd wager that if you're a shark, the "chewing on your leg" part would still be cool.

    5. Re:Am I the only one... by DomNF15 · · Score: 3, Insightful

      I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive. I'm sure any IT professional who has spent hours dealing with the fallout of Conficker will agree, as I personally spent a good amount of time rebuilding machines that got infected.

    6. Re:Am I the only one... by Binestar · · Score: 4, Insightful

      Seems like you should have spent a small amount of time patching the machines when the security updates were released instead of spending a good amount of time rebuilding them.

      --
      Do you Gentoo!?
    7. Re:Am I the only one... by Shakrai · · Score: 4, Insightful

      You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

      Then you'd proceed to nad-kicking.

      The only person I'd want to nad-kick in that scenario would be the moron IT person at my bank who didn't have his system configured to lock my account after X number of failed logon attempts.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:Am I the only one... by myxiplx · · Score: 2, Interesting

      Yup, damned impressive worm, if you read some of the detailed writeups it really highlights just how professional these things are now.

      It's doing us the world of good here - we've got pretty good security already, and getting budget for the next set of steps I want to take should be a whole lot easier now. All I'm having to do is point out just how widely Conficker spread, show some of the big names it hit, and then point out just how long it took them to clean their networks after the fact.

      All of a sudden a few pounds spent protecting the network look like a good idea :)

    9. Re:Am I the only one... by maxume · · Score: 2

      If my bank failed to prevent a brute force attack, I would find their head of security and kick him in the nads.

      Somewhere around 25 failed attempts (but probably far less than that), security really becomes more of a concern than convenience.

      --
      Nerd rage is the funniest rage.
    10. Re:Am I the only one... by Mister Whirly · · Score: 4, Funny

      "Probably would have been in the best interest of the shark to stick to eating seals "

      Undoubtedly. Everyone knows seals are terrible shots with rifles.

      "Guess it would have been a pretty lousy movie if all the shark did was eat seals though......"

      I would watch that movie over anything starring Kevin Costner or Ben Affleck any day!!

      --
      "But this one goes to 11!"
    11. Re:Am I the only one... by Binestar · · Score: 4, Informative

      Ok so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (Full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work ok. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need it to be a file server - and if you can't patch it for whatever reason......

      If you can't patch it for some reason you fix the reason the patch fails. If that involves a server upgrade to 2003, then so be it. Hell, you mentioned it's an SMB attack and you can't protect against that if you're a file server. While true in a sense, you *can* protect against it by making sure all the non-file servers on the network aren't vulnerable. Make sure you don't use that machine for anything other than the applications you need (certainly don't use it as a terminal server as well). Have a security policy in place that makes it so you can't add vulnerable computers to the network, have a firewall between the company and the internet, etc.

      This is something people don't understand until it happens to them, but security is serious business, if you have a server that has a must have application on it and you don't keep that thing #1: Backed up, #2: Up to date with security, you are just waiting for either data loss or time loss on the server.

      If you can't afford to replace a server in that condition, then you likely can't afford the IT professional you hired to run it.

      Hardware is inexpensive, especially considering you're running on Windows 2000 pre-SP4, you can get a low end server as a replacement and it'll be a very good upgrade. That's not even considering if you can replace with something other than windows or not!

      --
      Do you Gentoo!?
    12. Re:Am I the only one... by Shakrai · · Score: 4, Funny

      Everyone knows seals are terrible shots with rifles.

      Yeah but they are pretty deadly with handguns ;)

      I would watch that movie over anything starring Kevin Costner or Ben Affleck any day!!

      What if we could feed them to sharks?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    13. Re:Am I the only one... by DittoBox · · Score: 2, Insightful

      Some security updates can break poorly written "Enterprise" software. The kind that PHBs love.

      If they hadn't been fully tested with all the "Enterprise" software then he'd be utterly screwed if there were any problems.

      --
      Good. Cheap. Fast. Pick Two.
    14. Re:Am I the only one... by DomNF15 · · Score: 2, Informative

      When I get phone calls from people asking me to fix their Conficker infected PCs, my first comment to them isn't "Told you so! Seems like you should have spent a small amount of time patching your machine". Not only would that be bad business, but most people in that situation don't understand the fundamentals at work here. If they did, I wouldn't be getting calls in the first place. That's where I come in, fix/configure their PC appropriately, and educate them as best I can. Telling me I should have patched machines I have no control over after the fact isn't very helpful...

    15. Re:Am I the only one... by PopeRatzo · · Score: 2, Funny

      Yeah but they are pretty deadly with handguns ;)

      Sure, haven't you ever heard of "conseal-carry"?

      --
      You are welcome on my lawn.
  2. Protocol by s1lverl0rd · · Score: 2, Interesting

    What if Conficker D changes its 'protocol' and marks every computer that sends an 'old message' as either a host that needs updating or a nmapping attacker/next victim?

  3. Or... by Anonymous Coward · · Score: 2, Interesting

    Easiest way to detect if you're infected: see if you can reach nmap.org

    1. Re:Or... by RiotingPacifist · · Score: 2, Informative

      nmap can scan an entire network though, this is good news, especially if you're pen testing and you find the network is full to the brim with bots.

      --
      IranAir Flight 655 never forget!
  4. Clever but... by Shrike82 · · Score: 4, Insightful

    Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it. We already established that the worm exploits a vulnerability that was patched before its release, and we've speculated that therefore it's mainly affecting users who are clueless about security, and therefore unlikely to even realise they have a problem?

    From TFA:

    To scan your network quickly for Conficker infections before the next variant breaks this new technique, we recommend this command: nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

    Now forgive me but people like my parents (running Windows 98 until last year, now on XP) with no idea about security, no anti-virus scanner (despite my lectures over the phone) and no idea what the symptoms of a virus, worm or other malware are, are not going to find this information, nor know what to do with it if they did.

    Computing professionals might have little trouble detecting and removing Conficker, or are safe in the knowledge that they were protected before its release, but we'll still have to deal with the consequences of a botnet comprised of infected computers belonging to people with little or no technical computer knowledge.

    --
    You can advertise in this sig from as little as £99.99 a month!
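To act on the scan command quoted from TFA above, here is an added example (mine, not the poster's and not part of Nmap) that reads the scan's XML output (-oX) and sorts the live hosts into isolate / patch / clean buckets for cleanup. The sample XML, the 192.0.2.x addresses and the INFECTED / VULNERABLE marker strings in the script output are constructed assumptions, not captured Nmap output.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of Nmap XML (-oX) output for the scan command quoted above.
# Addresses are documentation-range placeholders and the script output strings
# are assumed to carry the INFECTED / VULNERABLE markers the NSE scripts print.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 --script p2p-conficker,smb-check-vulns">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><hostscript>
<script id="p2p-conficker" output="Conficker: Likely INFECTED (4/4 checks positive)"/>
<script id="smb-check-vulns" output="MS08-067: VULNERABLE"/></hostscript></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><hostscript>
<script id="p2p-conficker" output="Conficker: Likely CLEAN (0/4 checks positive)"/>
<script id="smb-check-vulns" output="MS08-067: VULNERABLE"/></hostscript></host>
<host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/><hostscript>
<script id="p2p-conficker" output="Conficker: Likely CLEAN (0/4 checks positive)"/>
<script id="smb-check-vulns" output="MS08-067: NOT VULNERABLE"/></hostscript></host>
<host><status state="down"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""

def triage(xml_text: str) -> Dict[str, List[str]]:
    """Sort live hosts into cleanup buckets from their NSE host-script results.

    infected : p2p-conficker got an answer on Conficker's own P2P ports -> isolate first
    unpatched: not infected, but smb-check-vulns still reports MS08-067 open -> patch
    clean    : neither marker seen (or the scripts produced no verdict)
    """
    buckets: Dict[str, List[str]] = {"infected": [], "unpatched": [], "clean": []}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that never answered tells us nothing either way
        addr = host.find("address").get("addr")
        # One output string per NSE script id; a script that did not run yields "".
        results = {s.get("id"): s.get("output", "") for s in host.iter("script")}
        conficker = results.get("p2p-conficker", "")
        ms08_067 = results.get("smb-check-vulns", "")
        still_vulnerable = "VULNERABLE" in ms08_067 and "NOT VULNERABLE" not in ms08_067
        if "INFECTED" in conficker:
            buckets["infected"].append(addr)
        elif still_vulnerable:
            buckets["unpatched"].append(addr)
        else:
            buckets["clean"].append(addr)
    return buckets

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_XML).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```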
    1. Re:Clever but... by flyingfsck · · Score: 3, Insightful

      Clearly, your parents don't have a problem. They have a child that can fix things for them. On the other hand, you have a problem, so you should install a reverse VNC client on their machine so they can connect to you for support.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Clever but... by fuzzyfuzzyfungus · · Score: 2, Informative

      The nmap based tools obviously aren't the right tool for the "clueless parents/noobs/whatever" case. If you have a large number of machines to check and at least one competent person, use nmap. If you need to test a noob's box over the phone, just have them open the Conficker eyechart and tell you whether the images load or not.

    3. Re:Clever but... by ukyoCE · · Score: 2, Insightful

      I don't think the story is targeted at parents. It's targeted at sysadmins trying to clean Conficker off their network. Your parents won't run it, but perhaps Comcast will run it and get your parents fixed up. Or your parents' sysadmin at work will run it and fix their work computer.

      It's kind of silly to expect TFA is targeted at "your parents" when it's using nmap to scan a network...

    4. Re:Clever but... by Shrike82 · · Score: 4, Funny

      There are two possibilities:

      1) I started writing a question, got distracted half way through and then finished the sentence as a statement
      2) I accidentally put a full stop instead of a question mark
      3) Conficker performed a man-in-the-middle attack and messed with my punctuation

      You can pick the answer you like best.

      --
      You can advertise in this sig from as little as £99.99 a month!
  5. Happy middle? by Anonymous Coward · · Score: 2, Funny

    Shake his nads?

    1. Re:Happy middle? by Trikki Nikki! · · Score: 5, Funny

      I would just like to say that I read Slashdot at work, and in the future I would appreciate if you people could stop posting comments that cause me to giggle uncontrollably and thus urinate in my cubicle. It has become a great concern to my boss, as I am unable to explain the real reason behind my lack of bladder control. Thanks in advance.

      --
      i r in ur /.s girling up ur storiez
  6. Re:This sounds like a temporary measure... by radtea · · Score: 4, Insightful

    Doesn't this sound like a temporary measure

    You say that like you think there's an alternative. There isn't.

    The viral ecology is a real ecology, where like all ecologies nothing is stable and everything is temporary.

    What this demonstrates, though, is that there are inherent limits to viral capabilities, because with added capability there is added vulnerability. This is true for OS's but it is equally true for viruses (yes, that is a correct English plural, ok?)

    So as virus programs get more complex and capable, they will generally also become more open to detection via exploitation of exactly those additional capabilities.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  7. Nmap? by xtracto · · Score: 2, Interesting

    Isn't the guy who created nmap active on slashdot? (fyodor or something like that?)

    --
    Ubuntu is an African word meaning 'I can't configure Debian'