Found: An Achilles heel for Conficker

By Angela Gunn | Published March 30, 2009, 4:39 PM

A few of the folks scrutinizing Conficker realized something mighty interesting on Friday: The malware not only changes what Windows looks like on the network; if you ask a server whether it's got a case of the Conficker, it will tell you -- remotely and without authentication, even. One insanely hectic weekend later, there are multiple brand-new enterprise-class scanners available for netadmins' network-protection needs.

So far on Monday, versions are being integrated into scanners from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle and Qualys. A proof-of-concept tool is also available. The charge was led by the Honeynet Project's Tillman Werner and Felix Leder and moved along by Dan Kaminsky at Doxpara, along with Securosis' Rich Mogull, and the Conficker Cabal Working Group.

Take a closer look at that list. Again, the focus is on scanners, not anti-malware or patches.

"Your chance to patch was in October," notes Wolfgang Kandek, CTO of Qualys. With the discovery of the new detection method, he says, "scanning is interesting again" as a means of preventing further infection, as opposed to battling infections once they're in place.

The Qualys exec says he's "really in favor of preventive measures" such as scanning for quelling potentially massive infections, such as Conficker has proven to be. "It's bad that we have to rely on anti-virus and anti-malware [solutions] to fix these infections." The new scan requires no authentication and can be run remotely; as long as the target server hasn't firewalled off ports 139 or 445, or as long as the scanner has privileged access, the change Conficker makes reveals itself.
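The paragraph above gives the practical precondition for the unauthenticated check: port 139 or 445 on the target must be reachable from the scanner, otherwise a credentialed (privileged) scan is the fallback. The following added example, which is not code from the article or from any of the scanner vendors it names, turns that precondition into a small triage step a defender can run before a Conficker sweep: it sorts a host list into machines the remote check can reach and machines that will need the credentialed path. The host names and the injectable `probe` parameter are assumptions made for this example.

```python
"""Added example (not part of the Betanews article): plan a Conficker sweep by
checking the article's stated precondition per host (TCP 139 or 445 reachable).
Host names and the injectable probe are assumptions for illustration only."""
import socket
from typing import Callable, Dict, List

# The two SMB ports the article names as needed for the remote, unauthenticated check.
SMB_PORTS = (139, 445)


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def plan_scan(hosts: List[str],
              probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, List[str]]:
    """Split hosts into two buckets:
      remote_unauth      - at least one of 139/445 answered, so the unauthenticated
                           remote check can be pointed at the host
      needs_credentialed - both ports closed or filtered, so only a scanner with
                           privileged access to the box can inspect it
    `probe` is injectable so the logic can be exercised without touching a network."""
    plan: Dict[str, List[str]] = {"remote_unauth": [], "needs_credentialed": []}
    for host in hosts:
        bucket = "remote_unauth" if any(probe(host, p) for p in SMB_PORTS) else "needs_credentialed"
        plan[bucket].append(host)
    return plan


if __name__ == "__main__":
    # Constructed host list; 127.0.0.1 normally has neither SMB port open.
    for bucket, members in plan_scan(["127.0.0.1"]).items():
        print(f"{bucket}: {members}")
```

The split matters operationally: the first bucket is where the new scanner plugins give an immediate answer, while the second bucket is exactly the population that a perimeter firewall hides from the remote check and that still has to be covered by credentialed scanning or host-side tooling.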

Kandek, like many security experts closely engaged with current anti-Conficker efforts, isn't actually too worried about Wednesday, when the malware begins using a new algorithm to get its marching orders. The people behind Conficker, he notes, have been extraordinarily careful and competent in their management of the malware, and "I don't see them making the beginner's mistake of letting an update bring down the network."

That's good, because Qualys sees a lot of unpatched machines out there -- as of about two months ago, 30% of all Windows machines. Say what? -- or, more appropriately, say who? "We derive our numbers from enterprise customers and SMB," says Kandek, "but in areas where non-licensed machines are in use the ratio of unpatched machines must be significantly higher due to the difficulty of getting and installing patches and the fear of detection."

Comments

So a patch from MS was released in October? Is that what this is saying?? Was this part of Windows Update?

Score: 0

Well, a patch for the vuln was indeed released in October; that's old news. (It was part of MS08-67 and, yes, released as a critical-level Windows Update patch.) This is, as mentioned, a new discovery concerning Conficker itself; if it were a poker player you'd describe this as its "get," the little twitch that gives it away. This discovery means that Conficker defense now expands, as mentioned, to scanning -- even, in many cases, remote case with no authentication needed.

(Example: Say you're running a Windows server, and I'm interested in knowing if your machine's infected and thus likely to be a problem. Based on what we now know, I don't have to wait for you to check your patches, or for your machine to start running amok; I can fire up nessus and query your system myself.)

Score: 0

Yes, it was; bulletin MS08-067 included the patch in October, released through WU.
But (there is always a but), there are many users who disabled Windows automatic updates because of privacy concerns, not passing Windows Genuine authentication (pirated Windows), or just negligence.
Still, I think these virus producers are too smart to be just a couple of bad boys; there is something darker out there... Big corporations were alerted last year about this patch.

There are thousands of patches involving Windows vulnerabilities, but THIS one was the one selected by the virus developers, and MS alerted its partners about this one... I do not believe in coincidences.

Score: 0

yes, MS squashed this potential exploit many months ago via windows update

Score: 0

Yes they did. Which has to make that 30% stat in the last paragraph a serious chomp in the shorts for their patch writers and security folk. I'm not defending the existence of the hole -- anyone here as tired as I am of buffer overruns? -- but they did hustle a patch out. It was even off-schedule, if you remember; not a Patch Tuesday item but an actual level-critical patch. They took it seriously, in other words, and it's got to be just maddening that so many users have not availed themselves of the repair.

Score: 0
