back to article Busted! Conficker's tell-tale heart uncovered

Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners. The finding means that, for the first time, administrators around the world have …

COMMENTS

This topic is closed for new posts.

Page:

  1. Dan Kaminsky
    Flame

    Just a quick note

    Heh, this is Dan Kaminsky, from the story. Just to make something very clear:

    Tillmann Werner and Felix Leder are the Honeynet Project researchers who actually noticed the behavioral shift introduced by Conficker. I've been doing work in fingerprinting lately, so I saw the opportunity to make it quite a bit easier to track down infected nodes in large organizations, but again, it was Tillmann and Felix who actually designed the fingerprinting logic that ultimately all these other organizations are integrating into their vulnerability scanning systems.

    This is one small part of what's actually some very fine research about Conficker. This is their baby, I've just been helping it fly.

  2. Jon

    Arpil fools

    At least we now know one thing it will do April 1st. Fix this fingerprint. Unless thats what security experts want and this is just a fools joke on the botnet owner to get them to do something expected on April 1.

  3. The BigYin
    Boffin

    Good

    Does this mean ISPs will now be able to scan for customer's infected PCs and block them from their networks?

    The (L)users who did not pay attention to their security should face be made to realise that they have a responsibility to themselves and other internet users to secure their systems. Either that or swap to an OS that isn't riddled with security holes.

  4. Anonymous Coward
    Unhappy

    Scanner instructions?

    All jolly fine for security researchers, but what are Microsoft Windows people supposed to do with a couple of Python files and a text file containing a few IP addresses (and no CR/LFs)?

  5. Anonymous Scotsman

    I for one

    would like to buy these researchers a round of drinks.

  6. Anonymous Coward
    Anonymous Coward

    Well Done White Hats

    Just in time and now the race is on for admins to secure before the 'event'

    Pity we have to spend time and money on all this

  7. Conrad Longmore
    Unhappy

    Ummmm

    Ummmm.. very clever. Now make a tool that admins can actually use.

    I'm just gonna have to learn Python in the next few hours I guess.

  8. Outcast
    Linux

    Kudos to the White Hats

    You just prevented a mass exodus away from Redmond

    Wait.......... !!

  9. Anonymous John
    Paris Hilton

    "We have no idea what Conficker is going to do on April 1,"

    Um. Why can't they infect a PC, and change the system clock?

  10. Anonymous Coward
    Anonymous Coward

    @Dan

    Babies do not so much fly as plummet.

    But I'm just being pedantic. Genuinely, thanks to you and your team for all the good work so far on this one.

  11. Anonymous Coward
    Stop

    too late

    So let's see, millions of home PCs infected with conficker that have windows update and antivirus disabled by it.

    They're not going to be disinfected within 2 days are they?

  12. Anonymous Coward
    Anonymous Coward

    Re: Scanner instructions

    Well I'm a Python newb as well so this is what I did:

    1. Download and install Python for Windows: http://www.python.org/download/windows/

    2. Download and unpack Impacket to a folder: http://oss.coresecurity.com/repo/Impacket-stable.zip

    3. Install Impacket by opening a dos prompt on the folder and doing "python setup.py install"

    4. Open a dos prompt on the scanner directory and type "python scs.py <start-IP> <end-IP>" and watch it go.

    My network was clean but it took a while to scan an entire class c

  13. The Harbinger
    Stop

    What about firewalls?

    It's all well and good but if the machine is closed on port 445 then it's not gonna find a thing.

  14. Anonymous Coward
    Paris Hilton

    Realy....

    Please get rid of the penguin and "good Jobs" logos. Then perhaps we would get less posters thinking obscurity = security.

    PH, because some people have as much of an idea as her.

  15. Anonymous Coward
    Flame

    @all you ACs

    Hah, come on, how hard is it to install python on your windows box?

    http://www.python.org/download/windows/

  16. Anonymous Coward
    Flame

    Que?

    Can someone explain why your antivirus software wouldn't pick up which machine have Conflicker? Most entreprise a/v products already report back to a central server on your LAN anyway.

    This reads like another of Dan Goodin's bi-weekly "My mate Dan Kaminsky told me he did this ..." stories.

    Do we not get a quote from Graham from Sophos too?

  17. Anonymous Coward
    Flame

    @Anonymous John (11:45)

    Because all that would tell them is that it's going to contact a server and await instructions, which believe it or not the clever people already know.

    It's the content of those instructions which isn't known, and won't be known until they're issued, which won't be until the deadline.

    It's like saying "I wonder what the weather will be like in two months time... I'll just wind my PC clock forwards and look at the weather reports for 'today'" - it just doesn't work.

  18. Anonymous Coward
    Anonymous Coward

    @anonymous John

    changing the system clock will only make the malware contact the controlling servers. If the malware writers have not issued any commands then nothing will happen. I would think that they will be issuing commands on 1st of April.

    A secure OS..... no such thing...... Open source has and still has security issues......

  19. Anonymous Coward
    Anonymous Coward

    Re: Scanner instructions?

    Make that a couple of Python files that don't even compile...

  20. Geoff Mackenzie

    @AC, Re: Realy (sic)

    Please, can we stop using this stupid argument now? Linux's superior security record is not down to obscurity. It is the majority webserver platform after all.

    It comes down to massive, continuous source code peer review and good kernel design. Windows NT lacks both and unless they open source it (and wait a couple of years for the massive refactoring effort that would follow) the writing's on the wall for this decrepit VMS clone.

  21. Ash
    Thumb Up

    @Scanner Instructions (additional)

    Run "Path=c:\python26" from command line, then follow commands above to resolve an error about Impacket directory not existing when running python.exe from the \python26 directory and referencing the full path where Impacket was extracted.

  22. Chronos

    Re: Scanner instructions?

    Caveat: I am not involved with this and have only just tried this myself.

    Prerequisites: Python, py-pcapy and py-Impacket (that's *i*mpacket, it's capitalised and the font used here doesn't really make that clear). Runs fine here with python 2.5.4, py-pcapy 0.83.0_1 and py-Impacket 0.9.6.0 (FreeBSD 7-STABLE).

    Run "python ./scs.py <start-ip> <end-ip>" or use the filename of a file that contains a list of IPs you require scanning as an argument in place of start and end IPs; the example supplied is Unix format, hence lack of CRs in notepad.

    If you're using Windows, be aware that the Windows MSI Python package is compiled with VS 7.1 and the extensions you need to build (py-pcapy, py-Impacket) also need access to that compiler, so will require much buggering about with bits and pieces of visual studio if you don't have a copy. You'll also need WinPcap. You're well advised to use a *nix box to run this.

    Example output when pointed at a lappy with the server service enabled:

    ----------------------------------

    Simple Conficker Scanner

    ----------------------------------

    scans selected network ranges for

    conficker infections

    ----------------------------------

    Felix Leder, Tillmann Werner 2009

    {leder, werner}@cs.uni-bonn.de

    ----------------------------------

    192.168.2.31 seems to be clean.

    HUGE thanks to the authors. We've needed something like this since Conficker/Downadup reared its ugly head.

  23. Robbie
    Joke

    awww shucks they found it!!

    well, back to the drawing board I guess.

  24. Stephen Jones
    Boffin

    Changing the clock

    Confliker is much better at this game than you guys. It checks a whole bunch of websites to confirm the time, it doesn't rely on the system clock. As for AV detection, it disables AV.

  25. Andus McCoatover
    Dead Vulture

    Look for headless bodies..

    ..with USB sticks, hung from their own petard, floating down the Moskva River on Wednesday. Aprillia!! (April Fool) Or, Апрель Идиот - more appropriate.

    Cunch of Bunts. Give the b'stards some Vogon poetry to write. Death's too good for them.

    Tombstone, natch

  26. Anonymous Coward
    Stop

    Re: Re Scanner instructions?

    @AC:

    " Make that a couple of Python files that don't even compile... "

    That would be because Python is a scripting language and is interpreted at run-time, no?

  27. Jason Bloomberg Silver badge
    Unhappy

    36 Hours to Disaster, and we're still Dancing on Deck

    So where's the one-click .EXE file for Windows users to at least tell them they have a problem or not, even if it doesn't remove the contamination itself ?

    It's all well and good saying "It's not hard to download Python", but I'm sure it's equally, "Not hard to have effective security in place to stop such infections", but let's not forget it isn't just corporates having problems who (hopefully) employ competant sysadmins ... so let's put that nonsense to one side and get on with dealing with the problem before the clock runs out.

    I llooked at the nmap site but couldn't see anything in the changelog which says what version I should be using, I don't care which paid for softwre will include detection, I want something I can download, run and breath a sigh of relief orknow which WAN cables to take the scissors to.

    Full marks for the industry "responding", but so far it seems to be near zero marks in providing tools your average user can actually use ...

    Unless someone knows differently ?

  28. Anonymous Coward
    Joke

    re @Anonymous John (11:45)

    works on my machine.

  29. Anonymous Coward
    Anonymous Coward

    nmap script

    Does anyone know how the conflicker scanning functionality will be available on nmap? nse script or new nmap release?

    Any links to it?

  30. Anonymous Coward
    Gates Horns

    One click exe for Window users?

    It's been here for ages: http://www.bdtools.net/

  31. Anonymous Coward
    Unhappy

    A/V

    How shit is an A/v product if a network distributed virus can disable it?

  32. Anonymous Coward
    Stop

    @Anonymous Coward

    Conficker doesn't rely on just the system clock. It gets updates from main stream websites as well for the time and date

  33. Anonymous Coward
    Anonymous Coward

    Hello Conflicker version 3.0

    Im looking at these russian coders who dont want to loose all these bots. Rewriting a few routines. And releasing the updates

    BBing bang bosh. Square one

  34. Pie

    Re: Scanner instructions?

    @AC:

    " Make that a couple of Python files that don't even compile... "

    you need to use python 2.6 not 3.

    Oh and the instructions were missing download http://iv.cs.uni-bonn.de/uploads/media/scs.zip !

  35. Anonymous Coward
    Anonymous Coward

    Re: Re Scanner instructions?

    "That would be because Python is a scripting language and is interpreted at run-time, no?"

    No. Python compiles down to byte code.

  36. Anonymous Coward
    Paris Hilton

    I feel dirty for commenting for support

    but i get an error and I'd quite like to get this running.

    c:\python30\python.exe scs.py 10.226.40.40 10.226.40.254

    gives invalid syntax error.

    would one of the python genii on here mind telling a noob what they're doing wrong?

    cheers

    PH cos i have as much idea about Python as her.

  37. Frumious Bandersnatch

    @AC 12:17

    > Make that a couple of Python files that don't even compile...

    Might that have something to do with Python being an interpreted language?

  38. Dr. Vesselin Bontchev
    Boffin

    Russian?

    There is no evidence that the authors of the worm are Russian. There is *some* evidence that they *might* be Ukrainian - but it's pretty slim; I wouldn't rely on it. Basically, we don't know who these guys are. But - patience. We'll find out.

  39. Pie

    re: I feel dirty for commenting for support

    try using python 2.6 rather than 3

  40. Greg Adams

    @AC 13:37

    You have to use Python 2.6 instead of 3.0. 3.0 has some issues that don't quite make it backwards compatible with 2.x.

  41. Richard
    Unhappy

    Damn...

    I was so looking forward to Wednesday

  42. 4irw4y
    Pirate

    Are G20' techs the First Clients?

    Hey what's the agenda for the Fools Day in your city?

  43. Anonymous Coward
    Anonymous Coward

    Mr. Kaminsky, please take your seat

    I believe his 15 minutes of fame are over. Now all he's doing is playing up sound bites whenever any "news" writer needs one from an expert.

    Yes kudos on the whole DNS thing. Please sit down and let someone else get a chance to speak.

  44. Pierre
    Dead Vulture

    Hehehe 2 days before DOOM!

    Or, most probably, 2 days before the next Conficker C insignificant update. The other variants (e.g. the B variant, you know, the most widespread one) call home constantly already, and we're not dead yet.

    ""We have no idea what Conficker is going to do on April 1," Kaminsky said."

    Well Mr Kaminsky might not know, but I think I have a pretty good idea. Nothing is gonna happen. Nothing noticeable at least.

    El Reg is beginning to look a lot like the Daily Mail.

  45. Neil Hoskins
    Joke

    @Dan

    So what's Alison Krauss *really* like?

  46. Lionel Baden

    @big Yin

    Rather than block them from their networks they could just redirect them to a fix page.

    But then again do the ISP's really want to take resposibiltiy of the traffic on their networks? i dont think so and i dont want it so

  47. Anonymous Coward
    Unhappy

    doh!

    Just found 9 machines on a network I partly look after. I'm guessing there are probably lots more that are either turned off or still have working firewalls.

    Many thanks to the authors!

  48. stuart Thompson

    (untitled)

    I just wanted to mention that for those people who use it, OpenDNS has been blocking the Confiker call home address' for weeks, they will also show in your dashboard if any machines have been attempting to call home.

  49. Anonymous Coward
    Stop

    query

    No resp.: ***.***.***.***.445/tcp.

    Is what I get on 98% of my machines that I scanned, is this correct or am I doing something wrong?

    "...seems to be clean."

    Is what I'm getting on a few of them, but not many...

    What message do you get if it finds an infection?

  50. Chronos
    Thumb Up

    Re: query

    If you have the server service disabled on the machine you're scanning, the No resp. is what you'll get because port 445 is closed. Conficker uses SMB and it's this that the tool is querying. IPs with no active machine on them will also show No resp.

    The code tells you what you'd get if you were infected:

    if result[1]==0x5c450000 and result[3]==0x00000057:

    print '[WARNING] %s seems to be infected by Conficker!' % ip

    retval = 1

    If you've turned off the server service on your boxen, congratulations, there's really no reason for client machines to use it. If you've turned off the server service, disabled autorun AND threatened your lusers with death if anything, anything at all connecting via USB or IEEE 1394 is found near the machines, you're *almost* immune from Conficker. If you've filled with Araldite the USB and IEEE 1394 ports on the client machines, removed all the DVD-RW drives and floppies, disabled the server service, riveted the cases shut and have a modified electric fence pulser on a stick to hand for lusers that never learn, GTFO, you're me ;o)

Page:

This topic is closed for new posts.

Other stories you might like