
Conficker Update: Methods to combat the malware

Researchers around the world have developed tools that will detect all versions of Conficker. That's a good thing, but why not just install the patch?

I realize I'm being somewhat sarcastic; still, if your computer isn't infected, the simplest protection is to install the patch for MS08-067, the Server service vulnerability Conficker exploits to spread. If you think your computer is already infected, you will need other resources. Let's take a look at those options now.

Remove Conficker.A and Conficker.B

Since Conficker.A and Conficker.B have been around for a while and aren't as deceptive as variant C, almost any decent anti-virus product will remove them. Microsoft's MSRT will as well. I've not heard whether my favorite malware scanner, MBAM, has been successful in removing Conficker. Anyone?

Conficker.C is a different story

As I mentioned in a previous article "Conficker.C: April Fools or maybe not" the latest version of Conficker is going to be a problem. It's stronger, more deceptive, and has the ability to disable most security measures that exist on the infected computer. Fortunately, there have been some recent developments that will at least allow the detection of the malware.

Honeynet Project helps

Researchers from the Honeynet Project spearheaded the detection development effort, even creating several tools that will help determine if Conficker (especially variant C) has invaded suspect computers. Some of the tools are:

Downatool2

This tool reimplements Conficker's domain generation algorithm, so each day's rendezvous domain names can be computed in advance and turned into DNS-monitoring or scanner rules that locate infected computers:

"Different Conficker variants are checking different domains for updates every day. Conficker.A and .B are already generating and checking 250 domains each per day. Conficker.C will start to check for 50,000 generated domain names on April 1st.

The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C."
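One way to put a generated domain list to work, as an added example that is not part of the original article or of the Honeynet Project's tools: take a day's DGA domains (here a constructed stand-in for Downatool2 output, not real Conficker domains) and match them against DNS query logs to find the clients that asked for them. The log lines are constructed too, in BIND query-log style.

```python
"""
Added example (not from the article or the Honeynet Project): match DNS
query logs against a pre-computed list of Conficker rendezvous domains.

The domain list would come from a DGA generator such as Downatool2; the
domains and log lines below are constructed placeholders, not real
Conficker output.
"""
from collections import defaultdict
import re

# Constructed stand-in for one day's generator output ({variant: domains}).
DGA_DOMAINS = {
    "A": {"abcxyzq.com", "lmnopqrs.net"},
    "B": {"qwerty12.org", "zzzyyy.info"},
    "C": {"hkjhgfd.tw", "mnbvcx.ws"},
}

# Constructed BIND-style query log lines (client IP, queried name).
QUERY_LOG = """\
01-Apr-2009 00:01:07.123 client 10.0.5.17#51234: query: www.example.com IN A +
01-Apr-2009 00:01:09.410 client 10.0.5.17#51235: query: abcxyzq.com IN A +
01-Apr-2009 00:01:11.002 client 10.0.5.42#40001: query: hkjhgfd.tw IN A +
01-Apr-2009 00:01:12.880 client 10.0.5.42#40002: query: mnbvcx.ws IN A +
01-Apr-2009 00:01:14.311 client 10.0.5.99#33333: query: mail.example.com IN MX +
"""

LOG_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN")


def load_domain_index(dga_domains):
    """Invert {variant: domains} into {domain: variant} for O(1) lookups."""
    index = {}
    for variant, names in dga_domains.items():
        for name in names:
            index[name.lower().rstrip(".")] = variant
    return index


def find_infected_hosts(log_text, dga_domains):
    """Return {client_ip: {variant: hit_count}} for clients that looked up DGA names."""
    index = load_domain_index(dga_domains)
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        variant = index.get(name)
        if variant is not None:
            hits[m.group("ip")][variant] += 1
    return {ip: dict(per_variant) for ip, per_variant in hits.items()}


if __name__ == "__main__":
    for ip, per_variant in sorted(find_infected_hosts(QUERY_LOG, DGA_DOMAINS).items()):
        print(ip, per_variant)
```

A single hit is a weak signal: some generated names collide with domains that legitimate users resolve anyway (which is exactly what the collision table below is meant to expose), so in practice you would alert on a client that resolves several of the day's names, not just one.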

Conficker.C Domain Collision Table

The Honeynet Project has calculated all of the domain names for April 2009 and published them in a table:

"We have pre-computed all domain names for April 2009 and looked up the domains in order to find collisions. The following figure shows the number of collisions for each day."

Memory Disinfector

Honeynet Project members have developed a system memory scanner because system memory is the only place where Conficker's code is not encrypted:

"It's hard to identify files containing Conficker because the executable is packed and encrypted. When Conficker runs in memory it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running."

Detector for Conficker DLLs

This is an advanced tool for detecting the DLL files set up by Conficker:

"Despite other reports, the file names and registry keys Conficker.B and .C use are not random. They are calculated based on the hostname. We have developed a tool that you can run on your system to check for Conficker's Dlls. Unfortunately, Conficker.A really uses random names and can therefore not be found this way."

Scanners and signature files

The Honeynet Project team members also developed a scanner that can distinguish infected machines from clean ones based on how they answer a particular RPC request: Conficker patches the vulnerable Server service function in memory to keep other attackers from re-exploiting the host, and its replacement answers a crafted request differently from Microsoft's genuine code. The team has also created signature files for Conficker.A and Conficker.B:

"Conficker uses a hardcoded xor-key for encoding its shellcode. This creates static patterns, which allow detecting exploitation attempts and may be used to identify infected machines. The signatures we have created are for Conficker.A and .B."
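Why a hardcoded XOR key gives you a static pattern to sign on, as an added example that is not from the article or from the Honeynet Project's signature files: the key and the "decoder stub" bytes below are constructed placeholders, not Conficker's real key or shellcode, but the mechanics are the same. Because the key never changes, the encoded form of any fixed prefix never changes either, so it can be matched byte-for-byte on the wire and decoded with the known key for confirmation.

```python
"""
Added example (not from the article or the Honeynet Project): a fixed XOR
key turns a fixed shellcode prefix into a fixed byte pattern, which is what
makes a static network signature possible.

KEY and STUB are constructed placeholders, not Conficker's real values.
"""


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call decodes what it encoded."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed placeholders: a prefix that is identical in every exploit attempt
# (e.g. a call/pop style decoder stub) and the hardcoded key used to hide it.
STUB = bytes.fromhex("e8000000005b81eb")
KEY = b"\x9a"

# What that prefix looks like on the wire; this is the static signature.
SIGNATURE = xor_encode(STUB, KEY)


def find_encoded_stub(payload: bytes, signature: bytes = SIGNATURE, key: bytes = KEY):
    """Locate the encoded stub in a captured payload.

    Returns (offset, decoded_prefix) so an analyst can confirm the match by
    decoding it with the known key, or None if the pattern is absent.
    """
    off = payload.find(signature)
    if off < 0:
        return None
    return off, xor_encode(payload[off:off + len(signature)], key)


def demo():
    """Three captures with different trailing payloads all match the same signature."""
    captures = [
        b"\x00" * 5 + xor_encode(STUB + bytes([n]) * 8, KEY) for n in range(3)
    ]
    return [find_encoded_stub(c) for c in captures]


if __name__ == "__main__":
    print("signature:", SIGNATURE.hex())
    for result in demo():
        print(result)
    # A variant that picked a different key per infection would evade this:
    print(find_encoded_stub(xor_encode(STUB, b"\x37")))
```

The last line in the `__main__` block is the caveat: the signature only works because the key is hardcoded. A sample encoded under any other key produces different bytes and the static pattern no longer matches, which is why polymorphic encoders defeat this class of signature.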

The Honeynet Project members should be commended for the amazing amount of work they did in such a short time. Sadly though, these tools aren't for the faint of heart, including me, because:

"All tools are to be considered as proof of concepts. Even though most of them run stable, they are not meant for use in production. They don't come with any warranty. All tools are available including source code and are licensed under the GPL."

Vendors are hard at work

As far as I know there's no official solution for removing variant C, but I'm not privy to all the latest research by the vendor working group or the antimalware providers. I do know that Honeynet Project members, along with security researchers Dan Kaminsky and Rich Mogull, are working with vendors to develop a viable solution. Brian Krebs of the Washington Post has a good article titled "Flaws in Conficker Worm May Aid Cleanup Effort" where he describes what Kaminsky and Mogull were able to accomplish.

Because of their findings, signatures will be available for several mainstream network scanning programs, including Nmap, Foundstone Enterprise and Nessus. It's a start, but we have to remember that this is detection of Conficker.C only, not removal.

Caution required

I suspect that all sorts of cures and removal tools are going to be advertised by third-party vendors. We have all seen it happen before, which is why I'd like to emphasize the need for caution regarding any solution that seems too good to be true. I promise to keep everyone updated as soon as I hear of any new developments regarding solutions.

Final thoughts

It's already the first of April in some parts of the world and I haven't heard any reports of major issues surfacing. Maybe the developers forgot to allow for time zones. I do know that there's a significant number of highly intelligent and motivated people working on this. All the rest of us can do is follow the date line and see what happens.


10 comments
Dumphrey

Brian Krebs is now my RickRoll guru....

cbader

Nmap scans have come back clean, and the vast majority of my machines are patched. My boss gets a nervous tic whenever I want to update the production servers, but I'm working on it.

Jellimonsta

I'm not too worried. :p :D I have performed an Nmap scan, and we have other guys checking on potential unpatched systems, but I am not overly concerned on the whole.

Michael Kassner

I'm still trying to comprehend what the scan looks for exactly and if Conficker has to be active in order for Nmap to sense it.

Michael Kassner

Have you? Besides you are too good to have to worry about dusting anything off except your equipment.