March 30th, 2009

German researchers score Conficker detection breakthrough

Posted by Ryan Naraine @ 7:06 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Malware, Microsoft, Patch Watch, Research, Responsible disclosure, Viruses and Worms, Vulnerability research, Windows Vista

Tags:

Just days ahead of an April 1st activation date for the Conficker worm squirming through the Windows operating system, security researchers at the Honeynet Project have scored a major breakthrough, finding a way to fingerprint the malware on infected networks.

Now, with the help of Dan Kaminsky and Rich Mogull, off-the-shelf network scanning vendors have the ability remotely (and anonymously) detect Conficker infections.

“You can literally ask a server if it’s infected with Conficker, and it will tell you,” Kaminsky explained.  “Usually, we get to scan for a vulnerability but, because Conficker actually changes the way that Windows looks on a network, we now get to scan and get a “this box is infected” message which is pretty rare.”

[ SEE: CBS 60 Minutes covers Conficker, malware epidemic ]

All the credit for the breakthrough goes to the Honeynet Project’s Tillmann Werner and Felix Leder, two German researchers who figured out that malware tries to patch the same security flaw (MS08-067) that it exploited during the initial infection.  Conficker uses a binary patch — NetpwPathCanonicalize() works quite a bit differently — which means that network scanners can pinpoint the existence of the malware.

The Honeynet Project has released proof of concept scanner and, later today (March 30th), enterprise-class scanners are expected to follow suit.  They will include Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys, Kaminsky said.

The nmap scanner is freely available.

The Conficker malware is programmed to generate thousands of domain names a day and, on April 1st, infected machines will start calling home to the authors for further instructions.  However, as Joe Stewart explains, this does not mean there will be a computer meltdown on April 1.

Here’s why you shouldn’t fear the worm’s activation date:

• Conficker.C is already able to receive updates via its P2P protocol today, so focusing on the April 1st date is misguided.
• Don’t underestimate the reach of the Conficker Working Group. These are the security industry’s heavy-hitters, and you can be sure they are working diligently to mitigate the domain issue.
• Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly.
• If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.

For the best analysis of what Conficker is — and isn’t — read this detailed analysis by SRI International.