
Conficker flaw yields new tool for detection

By Robert Westervelt, News Editor
30 Mar 2009 | SearchSecurity.com


Security researchers have developed a new tool that can scan a company network and remotely detect machines infected with the Conficker worm.

A proof-of-concept scanner was released by the Honeynet Project, a non-profit security research organization. The detection is also being incorporated into several network scanning vendors' products: Tenable (Nessus), McAfee/Foundstone, Nmap, nCircle and Qualys.

The tool was designed by Tillmann Werner and Felix Leder of Honeynet. The two researchers have been working with network security expert Dan Kaminsky, director of penetration testing for security firm IOActive Inc., to study Conficker's profile on the network. Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC, is helping coordinate the release to network scanning makers. A technical paper describing their research is due out later this week.

The tool uses a flaw in the modified MS08-067 patch that Conficker applies to infected machines, which the worm installs to hide infections from system administrators and to keep other cybercriminals from exploiting the same Microsoft vulnerability. The researchers who designed the tool said the window of opportunity to run the scan could close quickly if Conficker's author updates the modified patch to correct the issue.

"We need to outrun the bad guys this time," Mogull said. "We have an opportunity but now we have to execute on that opportunity fairly quickly."

Until now, detecting Conficker was a time-consuming process: tools were available to detect the worm on individual machines, but not to find infections across a network.

Mogull said the tool currently detects all Conficker variants and will be updated once feedback is received. A NAC vendor is also adding the check to its product so that infected devices can be detected before they connect to the network, Mogull said.

The Conficker/Downadup worm started spreading in October, exploiting a Microsoft remote procedure call (RPC) zero-day vulnerability. Microsoft released an emergency out-of-band patch, but infections continued to spread globally reaching as many as 10 million machines at its peak.

Security experts are keeping their eye on the next iteration of Conficker/Downadup. Beginning April 1, the worm is expected to select 500 domains from 50,000 domain names generated per day, instead of the 250 domains selected by previous versions. It also has a peer-to-peer (P2P) mechanism to update other Conficker-infected machines.
