The Conficker worm has infected several million computers since it first started spreading in late 2008. In this paper, German developers presented several potential methods to repel Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. They also provided freely available tools, including source code, on their website, and described how to use these findings, which allows system administrators to quickly and easily scan their networks for infected hosts and to create rules for use in intrusion detection systems. Developers have already started to integrate these findings into their network security scanners and equivalent tools like Nmap and Nessus. This article shows how to use four different methods to scan for Conficker-infected machines in your network.
1. Using ngrep
Ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic.
According to the paper mentioned above, you can use ngrep as a “minimal Conficker IDS” to detect Conficker.B like this (the hex signature is a single argument to -X; it is shown here joined into one string):
ngrep -qd eth0 -W single -s 900 -X 0xe8ffffffffc25f8d4f108031c4416681394d5375f538aec69da04f85ea4f84c84f84d84fc44f9ccc497365c4c4c42cedc4c4c494263c4f38923bd3574702c32cdcc4c4c4f71696964f08a203c5bcea953bb3c096969592963bf33b24699592514f8ff84f88cfbcc70ff73249d077c795e44fd6c717cbc404cb7b040504c3f6c68644fec4b131ff01b0c282ffb5dcb61f4f95e0c717cb73d0b64f85d8c7074fc054c7079a9d07a4664eb2e244680cb1b6a8a9abaac45de7991dacb0b0b4feebeb 'tcp port 445 and dst net 127.0.208.0/24'
Use the other signatures from the paper accordingly.
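To show what the ngrep command above actually does on the wire, here is an added example (not from the paper, nor from the ngrep project) that reimplements the minimal IDS in Python: it parses an Ethernet/IPv4/TCP frame, applies the equivalent of the 'tcp port 445' filter and the 900-byte snap length, and searches the TCP payload for the Conficker.B signature quoted above. The frame builder, the addresses and the ports are constructed test data.

```python
import struct

# Conficker.B signature as passed to ngrep -X above (hex copied from the page).
CONFICKER_B_SIG = bytes.fromhex(
    "e8ffffffffc25f8d4f108031c4416681394d5375f538aec69da04f85ea4f84c84f84d84fc44f9ccc497365c4c4c42cedc4"
    "c4c494263c4f38923bd3574702c32cdcc4c4c4f71696964f08a203c5bcea953bb3c096969592963bf33b24699592514f8ff8"
    "4f88cfbcc70ff73249d077c795e44fd6c717cbc404cb7b040504c3f6c68644fec4b131ff01b0c282ffb5dcb61f4f95e0c717"
    "cb73d0b64f85d8c7074fc054c7079a9d07a4664eb2e244680cb1b6a8a9abaac45de7991dacb0b0b4feebeb"
)
SNAPLEN = 900  # same as ngrep -s 900: only the first 900 bytes of a frame are inspected

def tcp_payload(frame):
    """Parse Ethernet/IPv4/TCP; return (src, dst, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                # not IPv4 over Ethernet, or not TCP
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                      # TCP data offset in bytes
    return src, dst, sport, dport, tcp[doff:]

def match_conficker(frame):
    """Return an alert string if the Conficker.B signature is seen on TCP/445, else None."""
    parsed = tcp_payload(frame[:SNAPLEN])
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    if 445 not in (sport, dport):                  # BPF 'tcp port 445' equivalent
        return None
    if CONFICKER_B_SIG not in payload:
        return None
    return f"Conficker.B exploit payload {src}:{sport} -> {dst}:{dport}"

def build_frame(src, dst, sport, dport, payload):
    """Constructed test frame: minimal Ethernet + IPv4 + TCP headers (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    # constructed sample: signature carried to port 445 behind 40 bytes of padding
    frame = build_frame("10.0.0.5", "10.0.0.9", 1234, 445, b"\x00" * 40 + CONFICKER_B_SIG)
    print(match_conficker(frame))
```

Note that, exactly like ngrep with -s 900, a payload whose signature starts beyond the first 900 bytes of the frame is not matched; raise SNAPLEN if you feed it full-size captures.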
2. Using nmap
Nmap is a free and open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available. The latest BETA version is now able to detect Conficker. Just download the latest development release (4.85BETA6) from here, then compile and install it like this:
bzip2 -cd nmap-4.85BETA6.tar.bz2 | tar xvf -
cd nmap-4.85BETA6
./configure
make
su root
make install
Use this command to detect the worm on your target networks:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.111.0/24
For large-scale scans, you may invoke nmap with some optimisation parameters:
nmap -sC -PN -d -p445 -n -T4 --min-hostgroup 256 \
  --min-parallelism 64 --script=smb-check-vulns \
  --script-args=safe=1 10.0.0.0/8
3. Using Nessus
The Nessus Vulnerability Scanner is free to download, and subscriptions for vulnerability updates are available from Tenable. Commercial organizations that use the Nessus vulnerability scanner must purchase a ProfessionalFeed subscription to scan their networks. Home users get a license for free after registration.
Nessus is available for almost all platforms (Linux, FreeBSD, Solaris, MacOS X and Windows). Download the software here:
Once your scanner has been registered to Nessus.org, it will automatically update its set of plugins every 24 hours. To determine whether your scanner has properly been registered or not, type:
/opt/nessus/bin/nessus-fetch --check
You should obtain the following output:
nessus-fetch is properly configured to receive a Professional feed
or:
nessus-fetch is properly configured to receive a Home feed
Once your scanner is registered, simply make sure that the option 'auto_update' is set to 'yes' in /opt/nessus/etc/nessus/nessusd.conf (this is the default).
The following command is used to update the Nessus scanner manually with the most recent plugins:
/opt/nessus/sbin/nessus-update-plugins
You will find the Conficker detection plugin in the plugin family “Windows”:
Nessus plugin #36036 performs a network based check for Windows computers infected with a variant of the Conficker virus. The scan does not need credentials, but does require ports 445 or 139 to be open between the Nessus scanner and your scanned systems.
Use just this plugin for a quick check of your network environment.
4. Using the tools provided by the Institute of Computer Science in Bonn, Germany
There is a way to distinguish infected machines from clean ones based on the error code returned for some specially crafted RPC messages. Conficker tries to filter out further exploitation attempts, which results in uncommon responses. Felix Leder and Tillmann Werner provided a Python script, scs.py, that implements a simple scanner based on this observation.
Download it here and run it like this:
./scs.py [target IP]
Besides just scanning for infections, these findings can also be used to prevent Conficker from running. This works like a vaccination: Conficker checks for the presence of particular mutexes at start-up and does not run if they already exist, so a process that creates those mutexes in advance blocks it. For permanent resistance against Conficker variants .A, .B, and .C, they developed a DLL (Nonficker.dll) that can be loaded by any process. If this DLL is loaded before Conficker is executed by Windows' svchost, such as when the MS08-067 vulnerability is exploited, Conficker terminates immediately without performing any actions.