Conficker flaw reveals which computers are infected
Researchers find flaw in Conficker that lets them detect which computers have the legitimate Microsoft patch and which were "patched" by the worm itself.
Even worm creators write buggy software.
Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.
However, Conficker's "patch" has a weakness that can be used to distinguish between patched computers and infected computers that look patched, according to the nonprofit Honeynet Project.
Some of the researchers have released a proof-of-concept scanner that can be used to detect Conficker. The tool is being integrated into the free nMap vulnerability scanner, as well as scanning tools from companies including Qualys, nCircle, and Tenable. The tools are designed for use by network administrators at companies and not consumer users.
"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Qualys' remote-detection Conficker scanner is automatically available to its subscribers and will be available to others soon, said Wolfgang Kandek, Qualys' chief technology officer.
The worm has been around since November, but the most recent variant is programmed to connect to other computers on April 1 and as a result has triggered mass confusion and a media frenzy.
The worm exploits a vulnerability in Windows that Microsoft patched in October, as well as through network shares and removable storage devices like USB drives.
The latest variant shuts down security services, blocks connections to security Web sites, downloads a Trojan, and connects to other infected computers via peer-to-peer technology. It also includes a list of 50,000 different domains to reach out to for updated copies or instructions, but only 500 of those will be contacted on April 1. Earlier versions of the worm attempted to contact 250 domains.
A quick way to tell if your computer is infected is to try to access the Web site of a major antivirus vendor, which the worm blocks.
The U.S. Department of Homeland Security has released a Conficker detection tool for government agencies and state and local governments to use that ws developed by US-CERT.
The OpenDNS security services provider blocks access to the domains listed in the Conficker code. Microsoft has more information on its site, as does Symantec. The Web site of the Conficker Working Group, which is composed of companies allied to combat Conficker, also has information and worm removal tools.
Asked what impact the Conficker worm will have on Wednesday, Kandek said:
"I don't think anything is going to happen. Conficker authors are smart and determined people. They have a huge botnet in their hands, which they will try to get money from. It's better for them to fly under the radar and maintain as many machines from that botnet as possible. The real issue is this is a really good worm and...people are learning to write these things better and better."
Does that mean the next version will fix the flaw in the code?