
Conficker detection tool released as D-Day nears

Researchers on Monday released a scanning tool that will allow IT departments to remotely and automatically scan their networks for Conficker infections.

The free offering, which also has been integrated into popular vulnerability scanning solutions -- including open-source Nmap -- identifies machines that have been compromised by the infectious malware, which is believed to be impacting up to an estimated 10 million machines worldwide. The tool was developed by the nonprofit research group Honeynet Project, with the help of Dan Kaminsky, best known for uncovering a major design flaw in DNS last year.

Conficker began spreading last fall by exploiting a now-patched Windows Server Service vulnerability (MS08-067). Essentially it worked by sending a specially crafted Remote Procedure Call (RPC). Once on the machine, Conficker released its own patch for the vulnerability, so that no other malware could also take advantage of it. In cases where Conficker made it on to already patched machines through another vector -- either through removable media devices or by copying itself to network shares, using brute-force password-guessing -- the worm overrode Microsoft's official patch.

But this tool was written so that it can differentiate between machines that have the Microsoft patch and those carrying the rogue fix offered by the authors of Conficker, Kaminsky told SCMagazineUS.com on Monday.

"It doesn't deploy the Microsoft patch," he said of the worm. "It deploys its own patch. It's different code, and their code isn't very good. Their cheap little fix can be differentiated from the real thing."

The tool appears to have been released just in time. On Wednesday, machines infected with the latest variant of the worm, Conficker.C, are set to check in with some 50,000 domain names for further instructions. Much has been made of what the day will bring (perhaps a massive spam assault or an outbreak of stolen data?), but Kaminsky said the best way to deal with the possible consequences is to detect the infection.

"Nobody knows what Conficker is going to do, and that's a hard thing to tell a reporter," he said. "Who's doing this? What do they want? What's going to happen on April 1? We just don't know. It's hard to get IT to respond to a 'We just don't know.' What I can do is make things a lot less expensive for IT departments to measure the impact of this vulnerability. It says, 'This box is running Conficker.'"

Before now, businesses that were trying to determine if their host machines were infected had to go through a manual and time-consuming process, Kaminsky said. Administrators could check individual machines for registry or DNS changes that prevent the user from receiving security updates or visiting anti-virus makers' websites. Or, they could monitor for outbound traffic -- a sign the worm was "phoning home" to its command-and-control center; however, this tactic wouldn't work with the Conficker.C variant because the code is not instructed to act until Wednesday.

Wolfgang Kandek, CTO of Qualys, which has incorporated the tool into its vulnerability scanning engine, said these techniques only work on machines that an IT department knows about.

"Many companies do not have credentials for all the machines they're responsible for," he told SCMagazineUS.com.

Kandek said the Honeynet tool is "fast and powerful" and "very easy to deploy."

"This lets you run it over 100,000 nodes over lunch as opposed to walking from machine to machine," Kaminsky said.

As for what will happen on Wednesday, nobody knows for sure. However, there has been an increasing push by security experts to dispel some of the hype around the activation date. Many believe that computers infected with the worm merely will receive an updated version, and no major attack will unfold.

The Internet Corp. for Assigned Names and Numbers (ICANN), which manages the assignment of domain names and IP addresses, issued a statement Monday "cautioning against overreaction to an increasing public fervor encircling the worm."

The group's chief internet security adviser, Greg Rattray, said users likely will not see any internet disruption.

"My personal opinion is that the April 1 activation of the new algorithm may simply be a distraction, a kind of practical joke on the part of the worm authors," Joe Stewart, director of malware research at SecureWorks, wrote in a blog post on Friday. "Conficker may not be something to laugh about, but it's also not quite as serious as one might believe from reading about it in the press."
