Containing Conficker

conficker

With all the noise about Conficker turning your computer into liquid hot magma on April 1st, there’s actually some positive news. Researchers from the HoneyNet Project have been following the worm since infections started in late 2008. They recently discovered an easy way to identify infected systems remotely. Conficker attempts to patch the MS08-067 vulnerability during infection. A flaw in the patch causes the machine to respond differently than both an unpatched system and an officially patched system. Using this knowledge, the team developed a proof of concept network scanner in python to find infected machines. You can find it in [Rich Mogull]’s initial post. [Dan Kaminisky] has packaged it as an EXE and has instructions for how to build the SVN version of Nmap, which includes the new signature. Other network scanner vendors are adding the code as well.

In conjunction with this detection code, the team has also released the whitepaper Know Your Enemy: Containing Conficker. It discusses ways to detect, contain, and remove Conficker. They’ve combined this with a tool release that covers Conficker’s dynamic domain generation among other things.

50 thoughts on “Containing Conficker

  1. If rustock.c was propagated via a shellcode dropper engine we’d all be ‘ficked’. This is just a DLL that uses encrypted connections to lists of remote servers. It uses random file names and av locker stuff too, but it still loads off the native windows service tables.

    I think vista and 7 DRM will eventually be cracked to load unsigned drivers allowing kernel mode rootkits to keep on trucking. Even if not userland stuff can still be just as dangerous, 64bit users aren’t protected either, you can get pass driver signing on SP2C x64 XP even from the shell, and you can still DDK a 64bit driver that hooks and moves around low level abstractions from device interrupts up to kernel tables.

    The perfect malware would be kernel or user mode, either one+ a good threaded mutating packer+ a shellcode dropper using multiple++ vulnerabilities in native services such as tcip.sys server table checks(would allow infection even on dead ports SYN or whatever), and a lot low level file system and kernel table hooking.

    The fast spreaders all use SMTP or shellcode droppers. Some of the email ones use browser vulnerabilities in the body, but that’s rare.

  2. i can never understand the people that just mindlessly say ‘use linux’ to any sort of computer problem. depending on the user(s), doing a switch from windows to linux may solve security issues at the expense of user aggravation. i’ve been trying linux as a server OS and more recently as a workstation OS for ~4 years and i still get aggravated because of linux (used as a blanket statement to cover many things).

    the root problem here is not conficker infected computers, it’s irresponsible/dumb/lazy/whatever people that don’t know anything about computer security, like antivirus software, patching, and common sense (like attachments, extensions, and so on). i’ve seen it so many time that people propose linux (or some other open source thing) to a problem while not ever evaluating the problem or seeing if linux is truly the best solution out there.

  3. Someone in the Slashdot comments mentioned an even simpler method than this one, just write a script to have each of your computers try to ping clamav or one of the other blacklisted av’s, of course you need enough access to be able to run the check, but for most admins I doubt that would be a problem.

  4. @cornelius

    They don’t mindlessly say it. Some of the best computer users prefer linux systems because they are simply ‘better’ for most advanced users than windows; this is the same as people who think manual transmissions are ‘better’ than automatics.

    if the users are too stupid (read: aggravated) to switch platforms, they shouldn’t be angry with the people who are smart enough to operate both.

    It disgusts me that it takes a virus (wasting the person’s talent) to show that windows is not secure, no matter what you think.

  5. This is what I hate about the stupid “online media” who seems to want to bash windows without checking sources.

    THE PATCH FOR THE BUG THAT CONFICKER ATTACKS WAS RELEASED BEFORE CONFICKER CAME OUT.

    Linux has had security holes before, and certainly some were exploitable–but most people using linux had them patched, and those who didn’t get them patched got lucky because virus authors don’t bother actually trying to hack linux for anything past proof-of-concept.

    IT IS THE USER’S RESPONSIBILITY TO PATCH THEIR SYSTEM.

    I don’t know how linux somehow inherently is more capable of getting a user to keep their system updated.

    I don’t see how this report is anything new. After hearing about the conficker nonsense a while ago, I did a bit of research and apparently the “patch” conficker does is deliberately broken to allow conficker to reinfect the computer. It should have been fairly easy given the data in that report to make a program that did this.

    Honestly, I’m really damn disappointed at hackaday and all the other online sources which seem to be going crazy over this little tiny virus that exists basically purely because of the fact that PEOPLE ARE STUPID.

  6. @threepointone

    “I don’t know how linux somehow inherently is more capable of getting a user to keep their system updated.”

    Because generally linux users are not idiots (i’m not trying to be offensive here, let me explain).

    Windows and many of it’s applications are made so that you can point the mouse and click the button that says something to make you happy and it does what ever the button said. Then when finished, most users don’t even turn the computer off.

    Linux generally requires some knowledge to install (windows comes preinstalled) and configure, even if through some GUI type menu. Everything is not handed to you on a silver plate in linux, which means you are more likely to try and protect it. Also linux kernel updates are usually tested much more thoroughly than windows, because microsoft just needs to cover their own asses for legal purposes.

    @girrrrrr2
    Just click the link to the executable above then open a command prompt and type scanner (your computer name or IP or i think 127.0.0.1 will work)

  7. Spork, you’re a terrible Linux troll. I mean that in the most pejorative way possible, and I frankly hope this helps you get your head out of your ass.

    Some of the best users? Is that from your personal bank of made up on the spot statistics? I can show you a bunch of Linux professionals who know nothing to Windows and vice versa. OS choice is a preference OR need, not a direct correlation of your IQ. I’ve used both Linux and Windows system, enjoyed both. Linux has it’s use and so does Windows. Would I qualify myself more brilliant than you for using one OS or the other? No. I’d qualify myself more brilliant than you for knowing there’s purpose to both and that both can be very extensible, secure and complicated at their times.

    An OS choice is nothing like a transmission type too. That’s a terrible analogy, as if you knew anything to different type of cars and car races, you’d know there’s a lot of automatic transmissions (the majority) that are more efficient than manual transmissions. A car computer is much more apt at switching gears than your slow and unreliable body.

    Finally, you obviously and clearly know nothing of how Windows works under the pretty GUI, regarding your kernel comment.

    And even then, I stay open-minded and always modest, as I know there’s always users who will know more on a topic than I.

  8. @threepointone

    Despite I like to bash Microsoft everytime
    possible just to piss off monkeys.
    The real truth is that people make viruses
    for the following reasons:

    1) They want to prove that target system is
    insecure.
    2) They want to show off him-selves to a
    restricted hacker group.
    3) They don’t like the target system or
    vendor, they only want to damage.
    4) They really want to exploit systems
    to make some $$.

    So, given that, lets look to GNU/Linux:
    1) and 2) The best way to do it on GNU/Linux
    is to send a patch to bugzilla and post
    it on the mailing list.
    3) There are zilion variants of a
    traditional GNU/Linux system making it
    hard to infect them all using the same
    method.
    4) Here 3) also holds true. I can also
    add that most of consumers running Linux
    have higher level of expertise that average
    billy joe running windows. To make this even
    less unprofitable, there are not enough
    consumer Linux boxens out there to justify
    this claim.

    So yes, we are perfectly secure running a
    Linux box. But lets not all remember to
    start using Linux at the same time or maybe
    I’ll have to start closing ports and
    taking paranoid precautions on my computers
    in near future.

    @cornelius

    <>

    Yes, you are right.
    Although default security provided by most
    of GNU/Linux distros is *GOOD*, after you
    starting using your brand new system you’ll
    have to take care of it. It’s not like
    install and forget.

    My home server is bruteforced a lot on the
    sshd service. Sometimes I look at the
    logged IPs to see who is it.
    Most of attackers are proxied by a hacked
    Linux box. From a few deep investigations
    I did, I can tell that breakin the cause
    was weak root (admin) password.

    So my point is:
    It’s *not* just because you are running
    Linux that you will be the security
    overlord. You have to secure it with good
    passwords, close any unneeded service
    to the public, be careful on what
    information you (admin) expose to the
    public, update regularly, inspect log files
    often, use a hardened Linux.

    A hardened Linux box will certainly come
    with most of apps running in a chrooted
    environment (to limit damage in a breakin).
    They will be running selinux (if properly configured, it will make near impossible
    to hack the computer).
    They will come with very secure configuration
    defaults.

    So yes, given all of that I can for sure say:
    – GNU/Linux is way more secure than Windows.

    If you guys don’t believe it, just google
    for selinux and try to explain me what
    would be the equivalent on a windows server.

  9. Situation and Question for the average user:

    You are trying not to make some one pregnant or become pregnant yourself. At your disposal are condoms and birth control pills.

    Do you:

    a) Put on a condom once and never change it?

    b) Take birth control one day and never again?

    c) Both renew the condom and renew the birth control when sexual intercourse is engaged?

    Compare that model to computers, replacing the penis with a virus, the uterus with a computer and the condoms/birth control with system patches and scanning tools.

    Similarity?
    Makes sense?
    Yeah.. I think there is an educational gap in computer security for the average user.

  10. ahh, the age old battle of linux versus windows…

    i prefer linux for most applications, particularly servers facing the cloud, but the truth is it is a predominantly windows world from a workstation point of view. why? mainly because most users simply want to use their computers and not spend their life administrating them.

    that being said, louis ii’s analogy above is pretty dead on. the core issue is user education but unfortunately I can tell you from personal experience that the large majority of users either do not want to learn how to secure their systems or cannot be bothered to regularly run antimalware tools, even free ones.

    why is this? perhaps there has not been a threat of sufficient magnitude to make them care. perhaps it is because the popular media and our educational system have manipulated people’s perceptions of those that are computer proficient to such a degree that it is uncool to be a ‘geek’ or a ‘nerd’.

    as long as people think it is uncool to know what is going on under the hood of their systems, malware such as conficker will continue to propagate. unfortunately, microsoft is fueling this philosophy by further abstracting end users from the inner workings of their computers with successive releases of windows.

  11. Additional question for the average user:

    You are at an orgy where no one is required to have sex and nobody is required to have tests for STD’s to get in. You personally know 3 of the people there each have the STD’s “HIV”, “Herpes” and “gonorrhea”. You do not have any know STD’s. You don’t want to get any STD’s.

    Given this bizarre situation do you:

    a) jump right in?

    b) jump right in with a condom (m/f types)?

    c) watch with out exposing yourself?

    A weird example, yes, but I think the point is clear:
    Your body is like a computer and the orgy is like the internet.
    If you want to be at tho orgy, but don’t want to get all the problems, it’s safer to not physically contact the participants.

    If you run a computer on the internet and don’t want to get the virus problems out there, it’s safer to avoid using things you don’t need (like random exe files and claims of sexy pictures in your e-mail.)

    Anyway… uhh.. *vanish*

  12. I think that in concept conficker could be used for good instead of infecting millions of computers for some doomsday April 1 scenario but still the person or people who made it must be incredibly intelligent

  13. thank you guys who are actually talking about the /virus/ (read: topic)

    i wish there was a better way to test for virus infections than downloading and running an exe from the internet

    i guess if i’m hesitant enough about the test exec, i’m probably safe enough with my computer to not need it :]

  14. I’ve always thought that one of the most effective things a virus could do (if someone wanted to do something meaningful rather than just steal data) would be to pop up a message explaining that their computer is infected, here is how to remove it, oh and you may want to contact Microsoft about focusing more on security or possibly consider an alternative operating system.

  15. i did some reading and the dorky avg free and kasperskey and a few other anti virus programs allready have conficker in their database so if you kept your anti virus updated your safe!! but seriously if you cant take care of your computer and update it or even take care of it properley, some one should take it away from you, similar to cps. “knock knock, hello sir your too stupid to use the Internets were here to take your computer away.”

  16. @thatuser

    I made the comparison to transmissions because manuals offer more control to the user. Automatics can be more efficient if tuned to the exact purpose of the car (like racing or stop and go traffic), and autos can be better all around because the “user” can shift according to the driving conditions at any given time.

    I didn’t say that a users IQ was determined by their OS of choice, I said that people who solely use windows because it came installed and understand nothing about it are “stupid” and I meant that to be specific to computers, not in general. Many gardeners know a ton more about botany/gardening than I ever care to understand and I consider them smart, just not when it comes to computer use.

    If you understood my comment from my point of view or at least not so egotistical to think that you know more than I just from a simple post, you would probably agree.

  17. Conficker.A and Conficker.B can both be removed using free software like F-Secure’s Downadup removal software as well as bdtools which was made just for this. However Conficker.C has to be removed manually still. In just another day a fix will be made for it. You can view the Microsoft site for more information on how to remove this manually.

  18. Linux has user policies that effect processing and file system access out of the box. It also has stack protection.

    On windows it’s called group policies and data execution prevention(or dep.) The two things the masses don’t use because of the inconvenience, and ms doesn’t enable by default because it restricts file access and messes up a lot of programs that use memory tricks(same thing happens on linux for the record.)

    Linux uses mostly the same abstractions as windows does, it just gets fast patches because of source repositories and mailing lists(open source,) and as stated before has policies enabled out of the box.

    The stack protection in windows is way better compared to propolice(openbsd) and what’s in fedora 10. None of them protect again non-stack memory corruption like heap overflows etc.

    The silly little toys who say reformat or switch to [your distro here] are mindless consumers who don’t know the first thing about software engineering, debugging, or even the simple concept of thinking in abstract.

    Next time you see a ‘brand new geek’ ask them how to compile a boot loader and 2.6 kernel to run on 16MB RAM..with high level user land packages for a desktop environment.

    Geek culture is a marketing demographic symbolized by thick frame glasses and themed social order. The people actually writing what all the social bull shit is floating on top of are total rejects.. never mind the cheesy satire.

    Let them drink starbucks..

  19. tjhooker, wonderful post.

    Not sure how much you’ve read about stack protection on non-windows systems, but ProPolice is -ONLY- the compiler based protection included with linux systems. Just like Microsoft’s “/GS” switch when compiling.

    Other things like ‘libsafe’ help to protect against this (libsafe was ported to windows to protect against the same stack problems) as well as the implementation of non-executable address space in both windows and linux systems.

    I’m not arguing that linux or windows is better, just saying that they both implement several different mechanisms to stop problems regarding the stack.

    Just like to say that I scanned over 1200 windows clients on my domain today. All clean of this virus.

  20. @spork: Yeah I didn’t think about propolice being a compiler extension. I know there is some level of protection on f10 and openbsd, but I forget what they are. I know the dep protection on windows does more advanced stuff with pointers and canaries than the ones on linux and bsd including compiler extensions like propolice for gcc. It’s in a lot of lengthy articles.

    None of them protect against heap overflows though, and there are more algorithmic stack overflows and memory corruption variants they don’t protect against without using paging security from the CPU which is impractical with systems that implement 3rd party solutions not tailored to the architecture.

    Malware that does shellcode droppers are a minority though. The most complex engines are using smtp engines I guess for rapid propagation. People still run attachments. I think I seen a few that did browser vulnerabilities from html bodys.

    All the mutating packer code, kernel level hooking, and array of api hooking that went into rustock.c was wasted because they spread it via smtp.

  21. @TJHooker

    you are wrong.
    fedora 10 comes with selinux which (if used
    properly) applies aggressive MAC policies.
    even if you could get an heap overflow,
    you could not make it executable due to
    selinux policies.

    there is also grsecurity’s pax that prevents
    stack and heap memory corruption using memory flagging. it also does heap and stack
    randomization.
    (latest vanillas also do stack randomization
    for free).

    please read more about it before starting
    misleading people.

  22. @happypinguing: I don’t recall giving specifics, so under what logic am I wrong? You actually regurgitated what I stated in your first paragraph.

    I know about randomization and such, I read a credited article on shellcode attacks based on abstraction a long time ago, and it compared windows dep to stack defender, pro police, and selinux(platform irrelevant) etc..

    dep does better randomization and predictions along with pointer tracking.

    My overall point is that windows has equal or better security than linux, it’s just not enabled out of the box. You configure group policies and and enable dep a remote exploit has the same effect on windows as it does on openbsd 4.4 and fedora 10 default policies.

    I agree microsoft is a big scary corporation with greedy licenses and anti-trust issues, but we live in a materialistic dog eat dog world, and they’re just doing better at screwing other people over than everyone else through ease of implementation and practicality.

    Linux is nice and all, but try implementing it as a work station solution in a small-medium sized company and see how much it costs to manage and train around it. Most companies use it on backbones for this reason.

  23. @TJHooker

    OK, I’m sorry. This paragraph from you
    made me understand that you made no idea
    what you were talking about (linux):

    “The stack protection in windows is way better compared to propolice(openbsd) and what’s in fedora 10. None of them protect again non-stack memory corruption like heap overflows etc.”

    Since propolice is “only” a compiler flag
    and rather rudimentary mechanism (it
    only prevents a limited set of
    memory corruption attacks),
    I tried to explain what more is available
    to linux systems. :)

    So, my “you are wrong” statement was regarding
    the fact that Linux has indeed (with
    specific, non-vanilla patches) stack and heap
    memory corruption protection that is
    contradictory to your quoted claim.

    I really don’t know much about microsoft dep,
    but I can tell for sure that linux pax
    can take advantage of the NX bit and emulate
    it in case it is not present in the
    hardware, which seems pretty much what
    dep do.

    “dep does better randomization and predictions along with pointer tracking.”
    It is not my interest or either I have the
    means to verify this claim, so I’ll believe
    it for now.

    “My overall point is that windows has equal or better security than linux, it’s just not enabled out of the box”
    What is it useful for then, if it is
    disabled? :P
    That’s the main problem. Sysadmins *CANNOT*
    be uninstructed people. IMHO Microsoft is
    guilty on this one for their OS for dummies.

    Believe it or not, the same is happening on
    the opensource community. With the
    introduction of ubuntu (which was not bad
    at all), I’ve started to see the SNR level of project’s mailing lists decreasing a lot.

    “I agree microsoft is a big scary corporation with greedy licenses and anti-trust issues, but we live in a materialistic dog eat dog world, and they’re just doing better at screwing other people over than everyone else through ease of implementation and practicality.”

    I’m not with you on this one. While our
    economy is capitalism driven, most of us
    don’t care.
    While money is good for living I belive we
    should not live for money.
    I do computer sciences research for a living
    and I *hate* microsoft for what it is been
    doing for all this years. it killed a lot
    of good projects (either by buying them or
    by lawsuit flood).
    I entirely believe that we would be way
    ahead in research and technology if microsoft
    wasn’t here.
    Considering the company size, it was expected
    that they produce more innovation, instead
    of copying/cloning everything that moves.

    “Linux is nice and all, but try implementing it as a work station solution in a small-medium sized company and see how much it costs to manage and train around it. Most companies use it on backbones for this reason.”
    Indeed.
    I don’t think “linux is for everyone” (TM)
    either.
    I love linux because it oversimplifies
    (as in methodology) software research.
    I could tell you a lot of jokes about
    colleagues of mine spending a lot of time
    doing things on windows that would be done
    in a matter of seconds using a few bash lines
    on linux, like copy pasting unformatted data
    to excel one-by-one at hand : \

    It was nice to talk with you all,
    thanks for your time.

  24. i use free pirated windows xp sp2 fresh install without any update since 24 December 2006, no antivirus installed just some security & performance tweak using various softwares. why im not infected? why i never get virus infection? i tried online scan few days ago,yet no virus detected…can someone tell whats wrong with my windows?

  25. @happypinguin: Both windows and linux use custom allocators and/or nx bit on all the above mentioned solutions. SELinux has it enabled out of the box, and NT SP2+ systems have it through optional dep.

    What selinux calls heap protection is a allocator algorithm. Basically a sort algorithm that works with frames. Simple shellcode payloads are defeated by it, but allocators have been around since the nineties and continue to be defeated through trampoline techniques and such. there have been a lot of xor allocators defeated through trampolining of native processes and tables both on linux and windows.

    I guess technically it is protection, but I didn’t give that credit to windows either, windows just has better randomization and obscurity.

    The software emulation of nx bit on both platforms are also allocators that just flag frames.

    You might know something I don’t. I don’t monitor the innovations that much. I just know it’s not effecting my work and I have 9x and nt installs over and almost a decade old now. reformatting is like buying a new car when a battery needs replaced.

    I’ve been a fan of openbsd for a long time and use it exclusively on servers and some laptops. I have about the same level of security on my nt machines as I do my thinkpad with an anally retentive configured openbsd 4.4 install on it. If people don’t have restrictions on processing and file systems the system is going to get hit hard even on top of perfect code and hardware.

  26. @Charlie @jimslipper

    I didn’t even enter the job market yet.
    Like I said, I do research at the
    University and I’m very well paid.

    Maybe you both quited from University? : \

    PS: I don’t usually reply to morons,
    specially when I’m under a fake alias and
    have nothing to defend about myself.
    But, you both need to see that nothing is
    what it looks like.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.