Researchers exploit Conficker flaw to find infected PCs
Three researchers, including Dan Kaminsky, created a scanner to quickly detect worm on networks
March 30, 2009 12:00 PM ETConficker Worm
- Conficker's makers lose big, expert says
- Conficker activation passes quietly, but threat isn't over
- FAQ: Just the facts on Conficker
- Security managers concerned but confident about Conficker on eve of expected attack
- IBM: Conficker.c infects small number in U.S.
- Security software scammers riding on Conficker's coattails
- Researchers exploit Conficker flaw to find infected PCs
- Conficker's next move a mystery to researchers
Computerworld - Just days before the Conficker worm is set to contact its controllers for new instructions, security researchers have discovered a flaw in the worm that makes it much easier for users to detect infected PCs.
Tillmann Werner and Felix Leder, members of the Honeynet Project, an all-volunteer organization that monitors Internet threats, have discovered that Conficker-infected PCs return unusual errors when sent specially crafted remote procedure call (RPC) messages, according to preliminary information they have posted on the Web.
There's a growing urgency in the battle against Conficker as Wednesday approaches. PCs infected with Conficker.c, the third version of the worm, will use a new communication scheme starting April 1 to establish a link to the command-and-control servers operated by the hackers. What's troubling to researchers is that they have no clue as to what orders the worm's makers will give those machines.
Using their discovery, Werner and Leder, along with Dan Kaminsky, the security researcher who last summer uncovered a critical flaw in the Domain Name System software, spent the weekend crafting a scanner that lets users quickly sniff out Windows machines infected with the worm.
"You can literally ask a server if it's infected with Conficker, and it will tell you," Kaminsky said in an entry to his blog today.
The scanner, in turn, has been modified and added to enterprise-grade detection systems from companies such as McAfee, nCircle and Qualys, which plan to release updates today. The free open-source Nmap scanner is also slated to include the new detection capability.
"What Tillmann and Felix found was that Conficker systems react differently to certain RPC parameters," said Wolfgang Kandek, chief technology officer at Qualys Inc. "The difference is very subtle."
Conficker-patched machines answer differently to the special RPC messages because the worm, which exploited a Windows vulnerability that Microsoft Corp. patched last October, uses its own version of the Microsoft patch to effectively close the door behind it. Quashing a bug is a common tactic by malware authors to prevent other criminals from stealing their infected systems.
Conficker
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...


