Busted! Conficker's tell-tale heart uncovered

Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners. The finding means that, for the first time, administrators around the world have …

COMMENTS

This topic is closed for new posts.
  1. Dan Kaminsky
    Flame

    Just a quick note

    Heh, this is Dan Kaminsky, from the story. Just to make something very clear:

    Tillmann Werner and Felix Leder are the Honeynet Project researchers who actually noticed the behavioral shift introduced by Conficker. I've been doing work in fingerprinting lately, so I saw the opportunity to make it quite a bit easier to track down infected nodes in large organizations, but again, it was Tillmann and Felix who actually designed the fingerprinting logic that ultimately all these other organizations are integrating into their vulnerability scanning systems.

    This is one small part of what's actually some very fine research about Conficker. This is their baby, I've just been helping it fly.

  2. Jon

    April fools

    At least we now know one thing it will do April 1st. Fix this fingerprint. Unless that's what security experts want and this is just a fools' joke on the botnet owner to get them to do something expected on April 1.

  3. The BigYin
    Boffin

    Good

    Does this mean ISPs will now be able to scan for customer's infected PCs and block them from their networks?

    The (L)users who did not pay attention to their security should be made to realise that they have a responsibility to themselves and other internet users to secure their systems. Either that or swap to an OS that isn't riddled with security holes.

  4. Anonymous Coward
    Unhappy

    Scanner instructions?

    All jolly fine for security researchers, but what are Microsoft Windows people supposed to do with a couple of Python files and a text file containing a few IP addresses (and no CR/LFs)?

  5. Anonymous Scotsman

    I for one

    would like to buy these researchers a round of drinks.

  6. Anonymous Coward
    Anonymous Coward

    Well Done White Hats

    Just in time and now the race is on for admins to secure before the 'event'

    Pity we have to spend time and money on all this

  7. Conrad Longmore
    Unhappy

    Ummmm

    Ummmm.. very clever. Now make a tool that admins can actually use.

    I'm just gonna have to learn Python in the next few hours I guess.

  8. Outcast
    Linux

    Kudos to the White Hats

    You just prevented a mass exodus away from Redmond

    Wait.......... !!

  9. Anonymous John
    Paris Hilton

    "We have no idea what Conficker is going to do on April 1,"

    Um. Why can't they infect a PC, and change the system clock?

  10. Anonymous Coward
    Anonymous Coward

    @Dan

    Babies do not so much fly as plummet.

    But I'm just being pedantic. Genuinely, thanks to you and your team for all the good work so far on this one.

  11. Anonymous Coward
    Stop

    too late

    So let's see, millions of home PCs infected with conficker that have windows update and antivirus disabled by it.

    They're not going to be disinfected within 2 days are they?

  12. Anonymous Coward
    Anonymous Coward

    Re: Scanner instructions

    Well I'm a Python newb as well so this is what I did:

    1. Download and install Python for Windows: http://www.python.org/download/windows/

    2. Download and unpack Impacket to a folder: http://oss.coresecurity.com/repo/Impacket-stable.zip

    3. Install Impacket by opening a dos prompt on the folder and doing "python setup.py install"

    4. Open a dos prompt on the scanner directory and type "python scs.py <start-IP> <end-IP>" and watch it go.

    My network was clean but it took a while to scan an entire class c

  13. The Harbinger
    Stop

    What about firewalls?

    It's all well and good but if the machine is closed on port 445 then it's not gonna find a thing.

  14. Anonymous Coward
    Paris Hilton

    Realy....

    Please get rid of the penguin and "good Jobs" logos. Then perhaps we would get less posters thinking obscurity = security.

    PH, because some people have as much of an idea as her.

  15. Anonymous Coward
    Flame

    @all you ACs

    Hah, come on, how hard is it to install python on your windows box?

    http://www.python.org/download/windows/

  16. Anonymous Coward
    Flame

    Que?

    Can someone explain why your antivirus software wouldn't pick up which machines have Conficker? Most enterprise a/v products already report back to a central server on your LAN anyway.

    This reads like another of Dan Goodin's bi-weekly "My mate Dan Kaminsky told me he did this ..." stories.

    Do we not get a quote from Graham from Sophos too?

  17. Anonymous Coward
    Flame

    @Anonymous John (11:45)

    Because all that would tell them is that it's going to contact a server and await instructions, which believe it or not the clever people already know.

    It's the content of those instructions which isn't known, and won't be known until they're issued, which won't be until the deadline.

    It's like saying "I wonder what the weather will be like in two months time... I'll just wind my PC clock forwards and look at the weather reports for 'today'" - it just doesn't work.

  18. Anonymous Coward
    Anonymous Coward

    @anonymous John

    changing the system clock will only make the malware contact the controlling servers. If the malware writers have not issued any commands then nothing will happen. I would think that they will be issuing commands on 1st of April.

    A secure OS..... no such thing...... Open source has and still has security issues......

  19. Anonymous Coward
    Anonymous Coward

    Re: Scanner instructions?

    Make that a couple of Python files that don't even compile...

  20. Geoff Mackenzie

    @AC, Re: Realy (sic)

    Please, can we stop using this stupid argument now? Linux's superior security record is not down to obscurity. It is the majority webserver platform after all.

    It comes down to massive, continuous source code peer review and good kernel design. Windows NT lacks both and unless they open source it (and wait a couple of years for the massive refactoring effort that would follow) the writing's on the wall for this decrepit VMS clone.

  21. Ash
    Thumb Up

    @Scanner Instructions (additional)

    Run "Path=c:\python26" from command line, then follow commands above to resolve an error about Impacket directory not existing when running python.exe from the \python26 directory and referencing the full path where Impacket was extracted.

  22. Chronos

    Re: Scanner instructions?

    Caveat: I am not involved with this and have only just tried this myself.

    Prerequisites: Python, py-pcapy and py-Impacket (that's *i*mpacket, it's capitalised and the font used here doesn't really make that clear). Runs fine here with python 2.5.4, py-pcapy 0.83.0_1 and py-Impacket 0.9.6.0 (FreeBSD 7-STABLE).

    Run "python ./scs.py <start-ip> <end-ip>" or use the filename of a file that contains a list of IPs you require scanning as an argument in place of start and end IPs; the example supplied is Unix format, hence lack of CRs in notepad.

    If you're using Windows, be aware that the Windows MSI Python package is compiled with VS 7.1 and the extensions you need to build (py-pcapy, py-Impacket) also need access to that compiler, so will require much buggering about with bits and pieces of visual studio if you don't have a copy. You'll also need WinPcap. You're well advised to use a *nix box to run this.

    Example output when pointed at a lappy with the server service enabled:

    ----------------------------------
    Simple Conficker Scanner
    ----------------------------------
    scans selected network ranges for
    conficker infections
    ----------------------------------
    Felix Leder, Tillmann Werner 2009
    {leder, werner}@cs.uni-bonn.de
    ----------------------------------
    192.168.2.31 seems to be clean.

    HUGE thanks to the authors. We've needed something like this since Conficker/Downadup reared its ugly head.

  23. Robbie
    Joke

    awww shucks they found it!!

    well, back to the drawing board I guess.

  24. Stephen Jones
    Boffin

    Changing the clock

    Conficker is much better at this game than you guys. It checks a whole bunch of websites to confirm the time, it doesn't rely on the system clock. As for AV detection, it disables AV.

  25. Andus McCoatover
    Dead Vulture

    Look for headless bodies..

    ..with USB sticks, hung from their own petard, floating down the Moskva River on Wednesday. Aprillia!! (April Fool) Or, Апрель Идиот - more appropriate.

    Cunch of Bunts. Give the b'stards some Vogon poetry to write. Death's too good for them.

    Tombstone, natch

  26. Anonymous Coward
    Stop

    Re: Re Scanner instructions?

    @AC:

    " Make that a couple of Python files that don't even compile... "

    That would be because Python is a scripting language and is interpreted at run-time, no?

  27. Jason Bloomberg
    Unhappy

    36 Hours to Disaster, and we're still Dancing on Deck

    So where's the one-click .EXE file for Windows users to at least tell them they have a problem or not, even if it doesn't remove the contamination itself ?

    It's all well and good saying "It's not hard to download Python", but I'm sure it's equally, "Not hard to have effective security in place to stop such infections", but let's not forget it isn't just corporates having problems who (hopefully) employ competent sysadmins ... so let's put that nonsense to one side and get on with dealing with the problem before the clock runs out.

    I looked at the nmap site but couldn't see anything in the changelog which says what version I should be using, I don't care which paid-for software will include detection, I want something I can download, run and breathe a sigh of relief or know which WAN cables to take the scissors to.

    Full marks for the industry "responding", but so far it seems to be near zero marks in providing tools your average user can actually use ...

    Unless someone knows differently ?

  28. Anonymous Coward
    Joke

    re @Anonymous John (11:45)

    works on my machine.

  29. Anonymous Coward
    Anonymous Coward

    nmap script

    Does anyone know how the Conficker scanning functionality will be available on nmap? nse script or new nmap release?

    Any links to it?

  30. Anonymous Coward
    Gates Horns

    One click exe for Window users?

    It's been here for ages: http://www.bdtools.net/

  31. Anonymous Coward
    Unhappy

    A/V

    How shit is an A/v product if a network distributed virus can disable it?

  32. Anonymous Coward
    Stop

    @Anonymous Coward

    Conficker doesn't rely on just the system clock. It gets updates from main stream websites as well for the time and date

  33. Anonymous Coward
    Anonymous Coward

    Hello Conficker version 3.0

    I'm looking at these Russian coders who don't want to lose all these bots. Rewriting a few routines. And releasing the updates.

    Bing bang bosh. Square one

  34. Pie

    Re: Scanner instructions?

    @AC:

    " Make that a couple of Python files that don't even compile... "

    you need to use python 2.6 not 3.

    Oh and the instructions were missing download http://iv.cs.uni-bonn.de/uploads/media/scs.zip !

  35. Anonymous Coward
    Anonymous Coward

    Re: Re Scanner instructions?

    "That would be because Python is a scripting language and is interpreted at run-time, no?"

    No. Python compiles down to byte code.

  36. Anonymous Coward
    Paris Hilton

    I feel dirty for commenting for support

    but i get an error and I'd quite like to get this running.

    c:\python30\python.exe scs.py 10.226.40.40 10.226.40.254

    gives invalid syntax error.

    would one of the python genii on here mind telling a noob what they're doing wrong?

    cheers

    PH cos i have as much idea about Python as her.

  37. Frumious Bandersnatch

    @AC 12:17

    > Make that a couple of Python files that don't even compile...

    Might that have something to do with Python being an interpreted language?

  38. Dr. Vesselin Bontchev
    Boffin

    Russian?

    There is no evidence that the authors of the worm are Russian. There is *some* evidence that they *might* be Ukrainian - but it's pretty slim; I wouldn't rely on it. Basically, we don't know who these guys are. But - patience. We'll find out.

  39. Pie

    re: I feel dirty for commenting for support

    try using python 2.6 rather than 3

  40. Greg Adams

    @AC 13:37

    You have to use Python 2.6 instead of 3.0. 3.0 has some issues that don't quite make it backwards compatible with 2.x.

  41. Richard
    Unhappy

    Damn...

    I was so looking forward to Wednesday

  42. 4irw4y
    Pirate

    Are G20' techs the First Clients?

    Hey what's the agenda for the Fools Day in your city?

  43. Anonymous Coward
    Anonymous Coward

    Mr. Kaminsky, please take your seat

    I believe his 15 minutes of fame are over. Now all he's doing is playing up sound bites whenever any "news" writer needs one from an expert.

    Yes kudos on the whole DNS thing. Please sit down and let someone else get a chance to speak.

  44. Pierre
    Dead Vulture

    Hehehe 2 days before DOOM!

    Or, most probably, 2 days before the next Conficker C insignificant update. The other variants (e.g. the B variant, you know, the most widespread one) call home constantly already, and we're not dead yet.

    ""We have no idea what Conficker is going to do on April 1," Kaminsky said."

    Well Mr Kaminsky might not know, but I think I have a pretty good idea. Nothing is gonna happen. Nothing noticeable at least.

    El Reg is beginning to look a lot like the Daily Mail.

  45. Neil Hoskins
    Joke

    @Dan

    So what's Alison Krauss *really* like?

  46. Lionel Baden

    @big Yin

    Rather than block them from their networks they could just redirect them to a fix page.

    But then again, do the ISPs really want to take responsibility for the traffic on their networks? I don't think so and I don't want it so.

  47. Anonymous Coward
    Unhappy

    doh!

    Just found 9 machines on a network I partly look after. I'm guessing there are probably lots more that are either turned off or still have working firewalls.

    Many thanks to the authors!

  48. This post has been deleted by a moderator

  49. stuart Thompson

    (untitled)

    I just wanted to mention that for those people who use it, OpenDNS has been blocking the Conficker call-home addresses for weeks, they will also show in your dashboard if any machines have been attempting to call home.

  50. Anonymous Coward
    Stop

    query

    No resp.: ***.***.***.***.445/tcp.

    Is what I get on 98% of my machines that I scanned, is this correct or am I doing something wrong?

    "...seems to be clean."

    Is what I'm getting on a few of them, but not many...

    What message do you get if it finds an infection?

  51. Chronos
    Thumb Up

    Re: query

    If you have the server service disabled on the machine you're scanning, the No resp. is what you'll get because port 445 is closed. Conficker uses SMB and it's this that the tool is querying. IPs with no active machine on them will also show No resp.

    The code tells you what you'd get if you were infected:

    if result[1]==0x5c450000 and result[3]==0x00000057:
        print '[WARNING] %s seems to be infected by Conficker!' % ip
        retval = 1

    If you've turned off the server service on your boxen, congratulations, there's really no reason for client machines to use it. If you've turned off the server service, disabled autorun AND threatened your lusers with death if anything, anything at all connecting via USB or IEEE 1394 is found near the machines, you're *almost* immune from Conficker. If you've filled with Araldite the USB and IEEE 1394 ports on the client machines, removed all the DVD-RW drives and floppies, disabled the server service, riveted the cases shut and have a modified electric fence pulser on a stick to hand for lusers that never learn, GTFO, you're me ;o)
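    Chronos's post above quotes the scanner's test for an infected host. The Python 3 below is an added example, not scs.py itself or anything written by the Honeynet Project researchers: it applies that same two-word check to reply bodies and prints the three message forms seen in this thread ("seems to be infected", "seems to be clean", "No resp."). The reply buffers are constructed, not captured traffic. The values 0x5c450000 and 0x57 come from the quoted check (0x57 is the Win32 error ERROR_INVALID_PARAMETER); treating any other complete reply as "clean" and a missing or short reply as "No resp." is this example's assumption about the branches the post does not show. Obtaining the reply (the SMB/srvsvc request scs.py sends through Impacket) is not reproduced here, and unlike the thread's scs.py this runs on Python 3 rather than 2.6.

    ```python
    import struct
    from typing import Dict, Optional, Tuple

    # Fingerprint taken from the check quoted in the thread: the second and
    # fourth 32-bit words of the reply. 0x57 is Win32 ERROR_INVALID_PARAMETER.
    INFECTED_WORD1 = 0x5C450000
    INFECTED_WORD3 = 0x00000057


    def unpack_result(raw: bytes) -> Tuple[int, int, int, int]:
        """Unpack the first four little-endian 32-bit words of a reply body."""
        if len(raw) < 16:
            raise ValueError("reply shorter than four 32-bit words")
        return struct.unpack("<LLLL", raw[:16])


    def classify(raw: Optional[bytes]) -> str:
        """Return 'infected', 'clean' or 'no_resp' for one host's reply.

        Only the 'infected' condition comes from the thread. Treating every
        other complete reply as 'clean' and a missing or short reply as
        'no_resp' is an assumption of this example, not scs.py's own logic.
        """
        if raw is None:
            return "no_resp"
        try:
            result = unpack_result(raw)
        except ValueError:
            return "no_resp"
        if result[1] == INFECTED_WORD1 and result[3] == INFECTED_WORD3:
            return "infected"
        return "clean"


    def report(replies: Dict[str, Optional[bytes]]) -> Tuple[Dict[str, str], int]:
        """Print scanner-style lines; return the verdicts and 1 if anything is infected."""
        verdicts: Dict[str, str] = {}
        retval = 0
        for ip, raw in replies.items():
            verdict = classify(raw)
            verdicts[ip] = verdict
            if verdict == "infected":
                print("[WARNING] %s seems to be infected by Conficker!" % ip)
                retval = 1
            elif verdict == "clean":
                print("%s seems to be clean." % ip)
            else:
                print("No resp.: %s:445/tcp." % ip)
        return verdicts, retval


    # Constructed sample replies (not captured traffic). The first matches both
    # fingerprint words; the second carries only the error code, so the check
    # must NOT flag it; the third stands for a closed port or silent host.
    SAMPLE_REPLIES: Dict[str, Optional[bytes]] = {
        "192.168.2.40": struct.pack("<LLLL", 0, INFECTED_WORD1, 0, INFECTED_WORD3),
        "192.168.2.31": struct.pack("<LLLL", 0, 0, 0, INFECTED_WORD3),
        "192.168.2.50": None,
    }

    if __name__ == "__main__":
        _, rc = report(SAMPLE_REPLIES)
        raise SystemExit(rc)
    ```

    The point of the second sample is that both words have to match: an error code of 0x57 on its own is not the fingerprint, so a host returning it is reported clean by this check.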

  52. Nyle Landas
    Linux

    Can someone point us to the NMAP signatures?

    Ok, it's 1:12PM EST - Can anyone let us know where the NMAP signatures are going to be released? As someone else posted will they be -

    " Does anyone know how the Conficker scanning functionality will be available on nmap? nse script or new nmap release? Any links to it?"

    Please advise - I've run the Python script, although it did give a Not all options will be available - missing Crypto modules or something like that. It did it both on Windows and Linux. I'm new to Python, what Crypto modules are we talking about?

  53. Dan Goodin (Written by Reg staff)

    @Can someone point us to the NMAP signatures?

    Folks,

    Nmap creator Gordon Lyon, aka Fyodor, just emailed me to say he expects the Conficker update to be available within the next hour or so. For those who can't wait and don't mind mucking about with manual commands, the code is available at:

    http://www.skullsecurity.org/blog/?p=209

    Fyodor plans to announce availability of the patch at:

    http://seclists.org/nmap-dev/2009/q1/index.html

    Cheers,

    Dan Goodin

  54. ThinkingOutLoud
    Paris Hilton

    Suspicion

    Is anyone wondering whether the discovery of a fix on the eve of activation is a little suspicious? Can't quite articulate why I do but something's rattling in the back of my mind. (Perhaps some of my loose marbles.)

    I'm still waiting for evidence the AV industry is funding some of the "bad guys"...

    Paris because she'll get infected sooner or later. (Black helicopters are more appropriate but rather dull. Oh, wait...)

  55. Dan Kaminsky

    nmap

    www.doxpara.com has instructions for nmap as well.

  56. Nick Mallard

    It's not THAT intelligent

    Yeah, I admire how well it's done and all that. But it's not that intelligent is it?

    It stops AV packages from installing, running and updating.

    Change the name of the package and watch it fly. ren norton.exe fluffypants.exe and it'll run just fine. Wont update, granted, but it's still a lapse in the intelligence there :)

  57. Anonymous Coward
    Anonymous Coward

    No resp.: xxxmachinexxx:445/tcp.

    Hello All,

    I have the same errors seen by Anonymous Coward using the Simple conficker Scanner --

    No resp.: xxxmachinexxx:445/tcp.

    When I use the NMAP, I get this --

    Host script results:
    | smb-check-vulns:
    |   MS08-067: NOT RUN
    |   Conficker: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND
    |_  regsvc DoS: NOT RUN (add --script-args=unsafe=1 to run)

    Final times for host: srtt: 0 rttvar: 5000 to: 100000

    Per Chronos's explanation, that may mean my server service is not running. However, the server service is on, and the "netstat -na" show the machine listening on port 445.

    Any suggestion on what another explanation of what the errors may mean?

    Thanks,

    local_vi

  58. yossarianuk
    Linux

    re : Nyle Landas - Crypto modules

    I was getting that message also.

    On opensuse I just installed the python-crypto package I now no longer get the message.

  59. Nyle Landas
    Linux

    BETA 5 now available.

    NMAP BETA 5 now includes conficker detection. Download it now. Thanks Ron.

  60. Chronos

    Re: No resp.: xxxmachinexxx:445/tcp.

    I misspoke, sorry for the confusion. The port is still open, but not accepting inbound connections was what I meant. The port is still used by the workstation service and you're quite right that it is listening on all interfaces both TCP and UDP.

    With Server enabled:
    192.168.2.31 seems to be clean.
    Done

    With Server disabled:
    No resp.: 192.168.2.31:445/tcp.
    Done

    I can repeat this ad nauseam. Could it possibly be something simple such as the Windows Firewall (on the client) getting into the mix?

  61. Anonymous Coward
    Anonymous Coward

    Install python on Windows? Why not install Visual Studion on Linux?

    Instead of asking all windows users/admins to install ported linux apps and libs like python/perl/py-randomscriptnamethatdoeswhatkaminskydoesntknowhowtodohimself.py Kaminsky should learn a real programming language like C/C++/Delphi/VB/etc. I know it's hard but he won't regret it.

  62. Rob Crawford

    @AC 23:49

    Sorry ! you used the phrase real programming language and VB in the same posting, you really should stop being so silly !

    Python (& other UNIX originated) scripting languages get the job done with the minimum of fuss, if you have the language (shell) installed it works. Unlike the joys of recompiling for every platform, processor (there are other architectures other than Intel) and even OS revisions as the average C programmer has to suffer.

    Personally I don't think it's too much to ask a windows admin to be able to install Python and run a couple of scripts. Though to be honest I would expect most admins to have access to a UN*X or Linux machine these days.

    I'm not a linux or un*x snob / fanboi BTW but I don't believe in putting all my eggs in one basket.

    The windows mindset is why several companies I worked for used UNIX systems in the 1st place. It prevented somebody with a machine at home thinking that they had the capability to fix server issues.

    PS.

    Yeah I know there's shed loads of really piss poor UNIX admins (you know who you are).

    PPS

    Yeah I have been known to even lower myself to use WSH on windows when I want to automate something (eg when iTunes destroys my library yet again)

  63. Anonymous Coward
    Gates Halo

    @ Why not install Visual Studion on Linux?

    You mean just like Gugle and all those other internet companies have?

    VB rules the world! Well, the LSE runs on it I hear.

  64. Mark
    Go

    Re: No resp.: xxxmachinexxx:445/tcp

    @chronos - looks like you have a firewall turned on somewhere. This is a good thing.

  65. yossarianuk
    Linux

    re:Install python on Windows? Re : Why not install Visual Studion on Linux?

    Why don't you grow up and start using a grown up's system instead.

  66. Chronos

    @Mark

    Not me, Mark, I can get all of my Win clients to give either result depending on the state of the Server service, which was disabled by default here long, long before MS08-067 was discovered - any file-sharing needed goes over the central shares, not from individual machines. I was replying to the AC above who can get nothing but No resp. results. I thought it may be a firewall myself, but I'm not assuming anything because a) (s)he's posting on the Reg so (s)he's not likely to overlook such obvious issues and b) I don't fully understand the conversation the scanner is having with SMB and I haven't had time this morning to fully analyse it as an ET update buggered up the emerging.rules (line 116 if anyone's interested) and my snort inline fell over, cutting everyone off the IPv4 web. Cron jobs... :o(

    Interestingly, if you point this scanner at a Samba server running with everything enabled, you get the same No resp. result.

  67. Tom
    Joke

    @Neil

    He's Dead.

    Yes Neil, I thought that was a great clip too. Atherton plays the pompous ass so well!

  68. Sillyfellow
    Thumb Up

    big thanks

    to the authors of this tool, el-reg for pointing us at it, and the commentards who helped me to get it to work.

    nice one folks. thumbs up ! :?)

  69. P. Lee
    Linux

    @AC @12:01

    > Please get rid of the penguin and "good Jobs" logos. Then perhaps we would get less posters thinking obscurity = security.

    *sigh* There is world of difference between running an obscure system and hoping an obscure security problem on a popular system isn't found.

    An obscure problem on a popular OS is a large target for malware writers. A large problem on an obscure OS is a very small target because exploits are *not* random events, worms and viruses are written for windows and not OSX/Linux for the same reason that games are written for windows and not *nix - the effort doesn't justify the ROI.

    Regardless of the security situation, running *nix hosts reduces your *risk* of being affected by malware, which is a much larger problem than being targeted individually by a skilled hacker.

    The security problem is not solved by everyone running *nix - that just moves the malware-writers' focus, but individuals *can* reduce their risk (relative to the average Windows user) by switching to a *nix based OS which doesn't have a huge target painted on it.

    I'll be interested to see if much happens after 1st April. If it's bad, Apple will have a large number of smug users doing PR.

  70. Anonymous Coward
    Anonymous Coward

    @The BigYin

    Does being a pompous asshole come naturally to you, or did you learn it from the other pompous assholes?

  71. Dr. E. Amweaver

    @Norman Andrews:

    ...you are Michael Jackson and I claim my £5.

    @Dan & co: second round of drinks are on me.

  72. Anonymous Coward
    Anonymous Coward

    How fascinating

    That a guy from IOActive comes out two days prior to the "worm's attack" to claim that with a "last ditch effort" we avoided catastrophe.

    Could it possibly be that there was no catastrophe in the future and that the AV companies simply used Conficker to scare up support and sales? On Wednesday, those who were claiming Conficker was going to be a disaster are going to need an explanation as to why nothing happened, and I promise you that this lame-ass excuse is thrown out there. And of course, the press will eat it up rather than ask the question "Was there any real danger, ever?".

  73. local vi

    Re: No resp.: xxxmachinexxx:445/tcp.

    Hi Chronos,

    The scans are done against systems with windows firewall turned off.

    Thanks,

    local vi

  74. Matthew Wood
    Thumb Up

    thanks for the scanner

    thanks much to the guys for banging this together! The one thing it needs: a ping test first and then discard further testing of that address if there is no response. I've seen that if you hit an IP that isn't returning port-unr or simply isn't on the network...the scanner seems to sit forever trying the SMB port.
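    The post above asks for a reachability test ahead of the SMB query so that silent addresses do not stall the scan, and Chronos's posts earlier in the thread explain that a closed or firewalled port 445 produces "No resp.". The Python 3 below is an added example, not code from the Simple Conficker Scanner or from anyone in this thread: it expands a start/end range of the kind scs.py takes on its command line, probes port 445 with a bounded timeout from a thread pool, and separates hosts worth fingerprinting from hosts to report as "No resp.". The loopback listener helper exists only so the demo and its test run offline; in a real run the probe goes to port 445 and a "No resp." host is unchecked, not clean (and, as another commenter notes, dropping host firewalls just to make machines answer is a poor trade).

    ```python
    import ipaddress
    import socket
    from concurrent.futures import ThreadPoolExecutor
    from typing import Callable, Dict, Iterator, List, Tuple


    def ip_range(start: str, end: str) -> Iterator[str]:
        """Yield every IPv4 address from start to end inclusive (the
        start-IP / end-IP arguments scs.py takes on its command line)."""
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        if hi < lo:
            raise ValueError("end address precedes start address")
        for n in range(lo, hi + 1):
            yield str(ipaddress.IPv4Address(n))


    def tcp_open(ip: str, port: int = 445, timeout: float = 1.0) -> bool:
        """True if a TCP connect to ip:port completes within `timeout` seconds.

        Refused, filtered (SYN dropped until the timeout expires) and
        unreachable all give False. None of those means 'clean': it is the
        'No resp.' case from the thread, and the host is simply unchecked.
        """
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                return True
        except OSError:
            return False


    def prefilter(targets: List[str],
                  probe: Callable[[str], bool] = tcp_open,
                  workers: int = 64) -> Dict[str, bool]:
        """Probe all targets concurrently so a silent address costs one
        timeout rather than a stalled scan. Returns {ip: reachable}."""
        with ThreadPoolExecutor(max_workers=workers) as pool:
            return dict(zip(targets, pool.map(probe, targets)))


    def split_targets(targets: List[str],
                      probe: Callable[[str], bool] = tcp_open
                      ) -> Tuple[List[str], List[str]]:
        """Return (hosts to hand to the SMB fingerprint, hosts to report as
        'No resp.'), preserving the input order."""
        reach = prefilter(targets, probe)
        return ([ip for ip in targets if reach[ip]],
                [ip for ip in targets if not reach[ip]])


    def start_local_listener() -> Tuple[socket.socket, int]:
        """Bind a throwaway listener on 127.0.0.1 so the probe can be
        exercised offline. Demo/test scaffolding only, not part of a scan."""
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        return srv, srv.getsockname()[1]


    if __name__ == "__main__":
        srv, port = start_local_listener()

        def demo_probe(ip: str) -> bool:
            # Same probe as a real run, but aimed at the demo listener's port.
            return tcp_open(ip, port=port, timeout=0.5)

        scan, silent = split_targets(list(ip_range("127.0.0.1", "127.0.0.3")),
                                     demo_probe)
        print("fingerprint these:", scan)
        print("No resp.:", silent)
        srv.close()
    ```

    In a real run the call is `split_targets(list(ip_range(start, end)))`, the "No resp." list goes straight into the report, and only the first list is handed to the slow SMB check. The probe is a full TCP connect, so it will show up in host firewall and IDS logs just like the scanner itself does.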

  75. Neil Greatorex
    Happy

    @By David Wiernicki

    Assholes = tinny word, horribly tinny word.

    Arseholes = woody, "Arseholes"; lovely woody word.

  76. Ash Chapman
    IT Angle

    me = n00b

    Alright, I'm not the systems or network admin but instead just a help desk guy. I got all of the tools installed and, thanks to this thread, got the scanner working. In order to actually have a functional scan, you need firewalls dropped and port 445 opened?

    Ultimately our systems admin didn't want to run it because he didn't want to drop the firewall temporarily.

    *puts hands up to rid himself of responsibility* I'm just a cog in the machine.

  77. Anonymous Coward
    Stop

    @ me = noob

    obviously dropping the firewalls on all the machines wouldn't be a great idea... if one machine actually was infected it would spread to all the others. This is only for catching the most obvious gross offenders.

    Still it's 0:15 GMT 1st of April and the machines haven't taken over yet...

    wait! what was that noise???

    Something strange is coming out of my adsl modem!

    AAAAAAAAArrrrrrrrrrrrrrrrrrrg

  78. Anonymous Coward
    Stop

    @thebigyin

    "Does this mean ISPs will now be able to scan for customer's infected PCs and block them from their networks?"

    Not really - the ISPs will get as far as your router with their scan and no further. Remember the majority of folks are on broadband these days, complete with broadband router with a little thing called NAT at the front.

    Unless there's an outbreak of routers infected with Conficker, I don't think the ISPs can do much about this. Not to mention that even though it would be done with good intentions, it's still against the Computer Misuse Act.

    Mind you, why leave it up to the ISPs? Feel free to run python scs.py 1.1.1.1 255.255.255.255 and let us know how you get on saving the world

  79. Chronos

    Re: No resp.: xxxmachinexxx:445/tcp.

    Hi local vi, I didn't think you'd overlook that. I'm not getting any new ideas right now, although a bit more information might help someone a bit brighter come up with a suggestion. OS version? Members of an AD domain? Group policies? File and printer sharing state on the clients (I *think* this is independent of the Server service state but I haven't checked)? Any of these may affect the results.

    One thing you may want to try is remote management via the computer management tool; if that fails, either remote registry or file and printer sharing is restricted somehow. Remote registry shouldn't make a difference to the scanner, but remote management requires both services IIRC. Also check any firewall on the machine that you're running the scanner on. *nix firewalls tend to egress filter as well as ingress by default.

    I don't think you need telling but [I'm going to go into annoying arsehole mode and say it anyway -Ed] these settings would be better returned to the restricted state once you've found out why the scanner is having a hard time talking over SMB. Where there's one piece of malware with this distribution method, there's bound to be copycats. All of the discussed restrictions contribute to stopping such things. Only run what you need for day-to-day operations and disable the chaff, thereby reducing your potential entry vector surface. That's how OpenBSD got its reputation rather than by any super-secret methods that other OSen couldn't copy if pushed. There's nowt special about it other than the default settings overriding the quality, or lack thereof, of the admin ;o)

    It is now 10:30-ish AM and cyberspace as we know it hasn't come crashing down around our ears, I haven't seen a significant rise in detected spam (if anything, e-mail volume is lower than yesterday's figures), I'm not being DDoS'd and my web server doesn't seem to be getting hit by Dfind, Morfeus F-ing scanner and such crap any more than usual. Some will see that as proof that the foregoing security efforts and discussions were hype. I see it as the security experts, the Conficker Cabal, reporters making people aware and the people who worked on the various detection mechanisms having succeeded with the prevention efforts. Well done, if it's not too early to be handing out the kudos.

  80. Anonymous Coward
    Alert

    removal tool from bitdefender worked for me.

    I cleaned my PC with a tool from bitdefender, you can find it at bdtools.net . They have 2 versions, one for single pc and one for network admins.

  81. Anonymous Coward
    Anonymous Coward

    Have i missed something?

    Have I missed something, or can you only get infected by Conficker if you haven't installed the Microsoft patch which mitigates it? ie, the one which came out last October - http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    If I've not missed something, Snort has had signatures to detect which machines don't have this installed for months now.

    What extra value does this new tool add?

  82. This post has been deleted by a moderator

  83. Jason Bloomberg
    Thumb Up

    @ Matthew / One-Click Exe

    It's been here for ages: http://www.bdtools.net/

    Belated, but many thanks for the link.



    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022