Slashdot Mirror


Using Conficker's Tricks To Root Out Infections

iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."


  1. Am I the only one... by Bicx · · Score: 5, Interesting

    that thinks Conficker is actually really cool? I mean, damage aside, it's pretty darn impressive.

    1. Re:Am I the only one... by Rogerborg · · Score: 5, Funny

      Sharks are pretty cool too, right up to the point where they start chewing on your leg. I guess it takes distance to gain perspective.

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:Am I the only one... by fuzzyfuzzyfungus · · Score: 5, Funny

      You have to have decent balance; but there is nothing stopping you from doing both. In fact, a friendly overture often puts the target at ease, making them easier to hit.

    3. Re:Am I the only one... by Shrike82 · · Score: 3, Insightful

      You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

      Then you'd proceed to nad-kicking.

      --
      You can advertise in this sig from as little as £99.99 a month!
    4. Re:Am I the only one... by value_added · · Score: 4, Funny

      Sharks are pretty cool too, right up to the point where they start chewing on your leg.

      I'd wager that if you're a shark, the "chewing on your leg" part would still be cool.

    5. Re:Am I the only one... by DomNF15 · · Score: 3, Insightful

      I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive. I'm sure any IT professional who has spent hours dealing with the fallout of Conficker will agree, as I personally spent a good amount of time rebuilding machines that got infected.

    6. Re:Am I the only one... by Binestar · · Score: 4, Insightful

      Seems like you should have spent a small amount of time patching the machines when the security updates were released instead of spending a good amount of time rebuilding them.

      --
      Do you Gentoo!?
    7. Re:Am I the only one... by Shakrai · · Score: 4, Insightful

      You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

      Then you'd proceed to nad-kicking.

      The only person I'd want to nad-kick in that scenario would be the moron IT person at my bank who didn't have his system configured to lock my account after X number of failed logon attempts.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    8. Re:Am I the only one... by Mister Whirly · · Score: 4, Funny

      "Probably would have been in the best interest of the shark to stick to eating seals "

      Undoubtedly. Everyone knows seals are terrible shots with rifles.

      "Guess it would have been a pretty lousy movie if all the shark did was eat seals though......"

      I would watch that movie over anything starring Kevin Costner or Ben Affleck any day!!

      --
      "But this one goes to 11!"
    9. Re:Am I the only one... by Binestar · · Score: 4, Informative

      Ok so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (Full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work ok. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need it to be a file server - and if you can't patch it for whatever reason......

      If you can't patch it for some reason you fix the reason the patch fails. If that involves a server upgrade to 2003, then so be it. Hell, you mentioned it's an SMB attack and you can't protect against that if you're a file server. While true in a sense, you *can* protect against it by making sure all the non-file servers on the network aren't vulnerable. Make sure you don't use that machine for anything other than the applications you need (certainly don't use it as a terminal server as well). Have a security policy in place that makes it so you can't add vulnerable computers to the network, have a firewall between the company and the internet, etc.

      This is something people don't understand until it happens to them, but security is serious business, if you have a server that has a must have application on it and you don't keep that thing #1: Backed up, #2: Up to date with security, you are just waiting for either data loss or time loss on the server.

      If you can't afford to replace a server in that condition, then you likely can't afford the IT professional you hired to run it.

      Hardware is inexpensive, especially considering you're running on Windows 2000 pre-SP4, you can get a low end server as a replacement and it'll be a very good upgrade. That's not even considering if you can replace with something other than windows or not!

      --
      Do you Gentoo!?
    10. Re:Am I the only one... by Shakrai · · Score: 4, Funny

      Everyone knows seals are terrible shots with rifles.

      Yeah but they are pretty deadly with handguns ;)

      I would watch that movie over anything starring Kevin Costner or Ben Affleck any day!!

      What if we could feed them to sharks?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  2. Clever but... by Shrike82 · · Score: 4, Insightful
    Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it. We already established that the worm exploits a vulnerability that was patched before its release, and we've speculated that therefore it's mainly affecting users who are clueless about security, and therefore unlikely to even realise they have a problem?

    From TFA:

    To scan your network quickly for Conficker infections before the next variant breaks this new technique, we recommend this command: nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

    Now forgive me but people like my parents (running Windows 98 until last year, now on XP) with no idea about security, no anti-virus scanner (despite my lectures over the phone) and no idea what the symptoms of a virus, worm or other malware are, are not going to find this information, nor know what to do with it if they did.

    Computing professionals might have little trouble detecting and removing Conficker, or are safe in the knowledge that they were protected before its release, but we'll still have to deal with the consequences of a botnet comprised of infected computers belonging to people with little or no technical computer knowledge.

    --
    You can advertise in this sig from as little as £99.99 a month!
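The nmap command quoted in the post above prints one verdict per host; on a network of any size you would rather save the scan as XML (add -oX scan.xml) and triage it mechanically. The script below is an added example for that step, not Nmap's own code and not part of this thread. It parses nmap's XML, looks at the p2p-conficker and smb-check-vulns host-script entries, and reports hosts with a positive verdict. The embedded sample XML is constructed, and the verdict string it matches on ("likely INFECTED", as opposed to the "CLEAN or infected with a different variant" wording a negative result uses) is an assumption about the scripts' output format; adjust INFECTED_RE if your nmap version words it differently.

```python
"""Triage nmap XML output for hosts flagged as Conficker-infected.

Added example (not Nmap project code). Produce the input with, e.g.:
  nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
       --script-args checkconficker=1,safe=1 -T4 -oX scan.xml 10.0.0.0/24
"""
import re
import sys
import xml.etree.ElementTree as ET

# Host scripts whose output carries a Conficker verdict (assumption: both
# report under <hostscript> in nmap's XML).
CONFICKER_SCRIPTS = ("p2p-conficker", "smb-check-vulns")

# Positive verdict, e.g. "Host is likely INFECTED" or "Conficker: Likely INFECTED".
# A negative p2p-conficker verdict reads "... CLEAN or infected with a different
# variant", which this pattern deliberately does not match.
INFECTED_RE = re.compile(r"likely\s+INFECTED", re.IGNORECASE)

# Constructed sample resembling nmap -oX output: one infected host, one clean
# host, one host where 139/445 were closed so no host scripts ran.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostscript>
      <script id="p2p-conficker" output="Checking for Conficker.C or higher...&#xa;Check 1 (port 40145/tcp): INFECTED&#xa;Check 2 (port 37089/tcp): INFECTED&#xa;Check 3 (port 40145/udp): INFECTED&#xa;Check 4 (port 37089/udp): INFECTED&#xa;4/4 checks are positive: Host is likely INFECTED"/>
      <script id="smb-check-vulns" output="MS08-067: NOT VULNERABLE&#xa;Conficker: Likely INFECTED"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <hostscript>
      <script id="p2p-conficker" output="Checking for Conficker.C or higher...&#xa;Check 1 (port 55018/tcp): CLEAN (Couldn't connect)&#xa;Check 2 (port 24692/tcp): CLEAN (Couldn't connect)&#xa;Check 3 (port 55018/udp): CLEAN (Timeout)&#xa;Check 4 (port 24692/udp): CLEAN (Timeout)&#xa;0/4 checks are positive: Host is CLEAN or infected with a different variant"/>
      <script id="smb-check-vulns" output="MS08-067: NOT VULNERABLE&#xa;Conficker: Likely CLEAN"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>
"""


def host_address(host):
    """Return the first IP address recorded for a <host> element, or None."""
    for addr in host.findall("address"):
        if addr.get("addrtype") in ("ipv4", "ipv6"):
            return addr.get("addr")
    return None


def find_infected(xml_text):
    """Map each flagged host address to the script ids that reported a
    positive Conficker verdict. Hosts with no positive verdict are omitted,
    so an empty dict means nothing was flagged."""
    root = ET.fromstring(xml_text)
    hits = {}
    for host in root.iter("host"):
        addr = host_address(host)
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") not in CONFICKER_SCRIPTS:
                continue
            if INFECTED_RE.search(script.get("output", "")):
                hits.setdefault(addr, []).append(script.get("id"))
    return hits


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_XML
    hits = find_infected(xml_text)
    if not hits:
        print("no hosts flagged")
        return 0
    for addr, scripts in sorted(hits.items()):
        print(f"{addr}: flagged by {', '.join(scripts)}")
    return 1  # non-zero exit so a scheduled run is easy to alert on


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to an nmap XML file as the only argument, or with no argument to see it work on the constructed sample. A host is only listed when at least one script gives a positive verdict; requiring both scripts to agree before paging someone is a one-line change in find_infected.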
    1. Re:Clever but... by flyingfsck · · Score: 3, Insightful

      Clearly, your parents don't have a problem. They have a child that can fix things for them. On the other hand, you have a problem, so you should install a reverse VNC client on their machine so they can connect to you for support.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Clever but... by Shrike82 · · Score: 4, Funny

      There are two possibilities:

      1) I started writing a question, got distracted half way through and then finished the sentence as a statement
      2) I accidentally put a full stop instead of a question mark
      3) Conficker performed a man-in-the-middle attack and messed with my punctuation

      You can pick the answer you like best.

      --
      You can advertise in this sig from as little as £99.99 a month!
  3. Re:This sounds like a temporary measure... by radtea · · Score: 4, Insightful

    Doesn't this sound like a temporary measure

    You say that like you think there's an alternative. There isn't.

    The viral ecology is a real ecology, where like all ecologies nothing is stable and everything is temporary.

    What this demonstrates, though, is that there are inherent limits to viral capabilities, because with added capability there is added vulnerability. This is true for OS's but it is equally true for viruses (yes, that is a correct English plural, ok?)

    So as virus programs get more complex and capable, they will generally also become more open to detection via exploitation of exactly those additional capabilities.

    --
    Blasphemy is a human right. Blasphemophobia kills.
  4. Re:Happy middle? by Trikki Nikki! · · Score: 5, Funny

    I would just like to say that I read Slashdot at work, and in the future I would appreciate if you people could stop posting comments that cause me to giggle uncontrollably and thus urinate in my cubicle. It has become a great concern to my boss, as I am unable to explain the real reason behind my lack of bladder control. Thanks in advance.

    --
    i r in ur /.s girling up ur storiez