Honeynet Project finds way to fingerprint Conficker infections

Just days ahead of an April 1st activation date for the Conficker worm, a pair of security researchers from the Honeynet Project have scored a major breakthrough, finding a way to remotely and anonymously fingerprint the malware on infected networks.
Now, with the help of Dan Kaminsky and Rich Mogull, off-the-shelf network scanners, including the freely available nmap, can quickly detect Conficker infections.

“You can literally ask a server if it’s infected with Conficker, and it will tell you,” Kaminsky said in an interview. “Usually, we get to scan for a vulnerability but, because Conficker actually changes the way that Windows looks on a network, we now get to scan and get a ‘this box is infected’ message, which is pretty rare.”

All the credit for the breakthrough goes to the Honeynet Project’s Tillmann Werner and Felix Leder, two German researchers who figured out that the malware tries to patch the same security flaw (MS08-067) that it exploited during the initial infection.  Conficker applies its own binary patch, so NetpwPathCanonicalize() works quite a bit differently on an infected machine, which means that network scanners can pinpoint the existence of the malware.

The Honeynet Project has released a proof-of-concept scanner and, later today (March 30th), enterprise-class scanners are expected to follow suit.  They will include Tenable (Nessus), Foundstone, nmap, nCircle, and Qualys, Kaminsky said.

The nmap scanner is freely available.
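Because the worm patches MS08-067 itself, a host that reports the flaw as fixed is not necessarily clean, so scan results need to be triaged on the infection verdict first. The sketch below is an added example, not code from the Honeynet Project or nmap; the output line format, the host addresses and the function names are assumptions constructed for illustration.

```python
import re
# Constructed sample; the line format is an assumption modelled on nmap script output.
SAMPLE_SCAN = """\
Nmap scan report for 10.0.0.5
|  smb-check-vulns:
|  MS08-067: FIXED
|_ Conficker: Likely INFECTED
Nmap scan report for 10.0.0.6
|  smb-check-vulns:
|  MS08-067: FIXED
|_ Conficker: Likely CLEAN
Nmap scan report for 10.0.0.7
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: Likely CLEAN
Nmap scan report for 10.0.0.8
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
FIELD_RE = re.compile(r"^\|_?\s*(MS08-067|Conficker):\s*(.+?)\s*$")

def parse_scan(text):
    """Return {host: {"MS08-067": status, "Conficker": status}}."""
    results, host = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
            results[host] = {}
        elif host and (m := FIELD_RE.match(line)):
            results[host][m.group(1)] = m.group(2).upper()
    return results

def triage(fields):
    """Classify one host; the infection verdict outranks the patch status."""
    conficker, patch = fields.get("Conficker", ""), fields.get("MS08-067", "")
    if "INFECTED" in conficker:
        return "infected"   # worm patched the flaw itself: FIXED is no comfort
    if "VULNERABLE" in patch:
        return "unpatched"  # still exposed to the initial infection vector
    if "CLEAN" in conficker and "FIXED" in patch:
        return "clean"
    return "unknown"        # no script results or unrecognised output

def triage_report(text):
    return {host: triage(f) for host, f in parse_scan(text).items()}

if __name__ == "__main__":
    for host, verdict in triage_report(SAMPLE_SCAN).items():
        print(f"{host}\t{verdict}")
```

Hosts marked "unknown" returned no verdict at all and should be rescanned or checked locally rather than assumed clean.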

The Conficker malware is programmed to generate thousands of domain names a day and, on April 1st, infected machines will start calling home to the authors for further instructions.  However, as Joe Stewart explains, this does not mean there will be a computer meltdown on April 1.

Here’s why you shouldn’t fear the worm’s activation date:

  • Conficker.C is already able to receive updates via its P2P protocol today, so focusing on the April 1st date is misguided.
  • Don’t underestimate the reach of the Conficker Working Group. These are the security industry’s heavy-hitters, and you can be sure they are working diligently to mitigate the domain issue.
  • Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly.
  • If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.

For the best analysis of what Conficker is — and isn’t — read this detailed analysis by SRI International.

*Graph courtesy of centr.org/
