Researchers and network-scanning companies scrambled over the weekend to add a technique for detecting Conficker-infected computers, after two members of the Honeynet Project discovered a way to detect machines compromised with the widespread worm.
In a yet-to-be-released paper, the two researchers — Felix Leder and Tillmann Werner — described flaws in the way that Conficker changes compromised systems, according to well-known researcher Dan Kaminsky. While reading the paper during the review process, Kaminsky hit upon the idea to use their research as part of a general network scanner to detect the worm without having access rights to the system.
"You can literally ask a server if it's infected with Conficker, and it will tell you," said Kaminsky, who is the director of penetration testing for security firm IOActive. "It is taking advantage of a quirk in Conficker that blocks legitimate requests."
The Conficker worm started spreading last November, using a just-patched flaw in Microsoft's Windows operating system. Computer systems infected with the latest version, dubbed Conficker.C, Conficker.D or Downadup.C by different security firms, will begin generating a list of 50,000 pseudo-random domain names every day starting April 1 and attempt to download commands from 500 of those domains.
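The domain-generation behaviour described above also leaves a footprint in resolver logs: an infected host looks up hundreds of never-registered names a day, most of which fail. The following is an added example (not code from the article, the Honeynet Project, or any of the vendors named) that flags hosts whose daily lookup pattern matches that volume; the log format, the thresholds and the gibberish names in the sample are all constructed assumptions, and the name generator is not Conficker's algorithm.

```python
"""Flag hosts whose daily DNS lookups resemble a high-volume DGA client.
Constructed example: log format, thresholds and sample data are assumptions."""
import hashlib
import re
from collections import defaultdict

# Assumed resolver log format: "<date> <time> <client_ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (date, client, qname, rcode) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def summarise(records):
    """Per (date, client): distinct names queried, NXDOMAIN count, total queries."""
    stats = defaultdict(lambda: {"domains": set(), "nx": 0, "total": 0})
    for date, client, qname, rcode in records:
        s = stats[(date, client)]
        s["domains"].add(qname.lower().rstrip("."))
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    return stats


def flag_dga_hosts(text, min_distinct=200, min_nx_ratio=0.8):
    """Return (date, client, distinct_names, nx_ratio) for hosts over both thresholds.
    Thresholds are assumptions sized for a client contacting ~500 names a day."""
    flagged = []
    for (date, client), s in summarise(parse_log(text)).items():
        ratio = s["nx"] / s["total"]
        if len(s["domains"]) >= min_distinct and ratio >= min_nx_ratio:
            flagged.append((date, client, len(s["domains"]), round(ratio, 2)))
    return sorted(flagged)


def _constructed_log():
    """Constructed sample: one normal host and one host querying 500 gibberish names."""
    lines = ["2009-03-30 08:00:00 10.0.0.5 www.example.com NOERROR",
             "2009-03-30 08:00:01 10.0.0.5 mail.example.com NOERROR",
             "2009-03-30 08:00:02 10.0.0.5 doesnotexist.example.com NXDOMAIN"]
    for i in range(500):  # hash-derived labels, guaranteed distinct by the suffix
        label = hashlib.sha1(f"seed-{i}".encode()).hexdigest()[:8] + str(i)
        rcode = "NOERROR" if i % 50 == 0 else "NXDOMAIN"  # a few names resolve
        lines.append(f"2009-03-30 08:{i // 60:02d}:{i % 60:02d} 10.0.0.7 {label}.org {rcode}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()
```

Running `flag_dga_hosts(SAMPLE_LOG)` reports only `10.0.0.7`, with 500 distinct names and a 0.98 NXDOMAIN ratio; the normal host stays under both thresholds.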
A group of security firms, Internet service providers and response groups banded together, calling themselves the Conficker Cabal, to do just that. However, the creators of Conficker managed to dodge the Cabal's defenses. On March 5, about 20 percent of Conficker-infected machines updated themselves from the B variant to the C variant, according to an analysis by SRI International. Two weeks later, about half the remaining machines successfully updated, the researchers wrote.
Prior to the release of the network-scanning code, companies would have to check each possible system manually or have remote login access rights, said Wolfgang Kandek, CTO of vulnerability-scanning firm Qualys.
"We already had the detection when you log in, but remote detection is so much nicer from an enterprise perspective," he said.
Qualys engineers worked long hours on Sunday to incorporate the code, Kandek said. Other companies that have incorporated the scanning technique into their products include Tenable, McAfee, nCircle and the open-source NMap scanner.
Posted by: Robert Lemos