Tuesday, March 31, 2009

Conficker Scanners Developed for Detection of Infected Network PCs

Both the Department of Homeland Security (DHS) and the non-profit Honeynet Project have developed methods for determining which PCs on a network are infected by Conficker, which makes the work of scanning a system of networked PCs a lot quicker and easier.

The DHS announced that the department's United States Computer Emergency Readiness Team (US-CERT) created the tool, which has been available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs). It plans to expand distribution to more partners in the coming days.

Except, DHS, that you only have until April 1st before Conficker tries to "phone home" for more instructions.

Meanwhile, while DHS didn't go into details on how they detect Conficker, Dan Kaminsky, who worked with the Honeynet Project in their research, said the following about its detection methodology (or rather, the flaw in Conficker that allows them to find it):
What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you.
Like most malware, once Conficker infects a PC it closes the Windows security hole it used to get in, so no other malware can follow the same route. That makes it hard to tell, by the usual means, which machines carry the official Microsoft patch and which carry Conficker's fake patch, but Conficker's patch responds differently when probed over the network, and that difference is what the researchers exploit.

Some security software has already incorporated the Honeynet Project's research, including the free and open-source Nmap as well as products from Qualys and Tenable.
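Once a scanner such as Nmap has been run against a subnet, the practical job is triaging its output: which hosts answered the probe as infected, which answered as clean, and, just as important, which could not be probed at all and therefore are not confirmed clean. The script below is an added example, not code from the post or from the Nmap project. It assumes scan output in the shape of Nmap's normal text output with the per-host "Conficker: Likely INFECTED" / "Conficker: Likely CLEAN" verdict lines that the smb-check-vulns script printed at the time; the sample output embedded in it is constructed, and the exact header and verdict strings are an assumption to adjust for your scanner version.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of Nmap normal output. The host-script block and
# the "Conficker: Likely INFECTED" / "Likely CLEAN" wording are an assumption based on
# the smb-check-vulns script as shipped in 2009; adjust the patterns if your scanner
# version prints them differently. The third host has port 445 filtered, so the
# script never ran against it and no verdict line is present.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN

Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
PORT    STATE SERVICE
445/tcp filtered microsoft-ds
"""

# One line per scanned host; captures the address or hostname.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script output lines start with "|  " or "|_ "; capture the verdict text.
CONFICKER_RE = re.compile(r"^\|[_ ]\s*Conficker:\s*(.+?)\s*$")


def parse_conficker_results(text):
    """Map each scanned host to 'INFECTED', 'CLEAN' or 'UNKNOWN', in scan order.

    'UNKNOWN' means the scanner produced no Conficker verdict for that host
    (port closed or filtered, script not run); such hosts still need follow-up.
    """
    results = OrderedDict()
    host = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "UNKNOWN"  # default until a verdict line says otherwise
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            verdict = m.group(1).upper()
            if "INFECTED" in verdict:
                results[host] = "INFECTED"
            elif "CLEAN" in verdict:
                results[host] = "CLEAN"
    return results


def infected_hosts(text):
    """Hosts whose response matched the Conficker fingerprint."""
    return [h for h, v in parse_conficker_results(text).items() if v == "INFECTED"]


def unverified_hosts(text):
    """Hosts with no verdict at all; not clean, just not checked."""
    return [h for h, v in parse_conficker_results(text).items() if v == "UNKNOWN"]


if __name__ == "__main__":
    for host, verdict in parse_conficker_results(SAMPLE_SCAN).items():
        print(f"{host:<16} {verdict}")
```

The point of the separate UNKNOWN bucket is the caveat the post itself raises: a remote fingerprint can only speak for hosts it actually reached, so a host with SMB filtered or a script that did not run must be re-scanned or checked locally rather than counted as clean.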

One question though: if a new version is downloaded to already infected systems that aren't scanned and detected by these measures, will it fix the flaw in the code, thus enabling Conficker to "hide" more effectively? Ouch.
