Researchers exploit Conficker flaw to find infected PCs
- 31 March, 2009 08:55
- Comments
Just days before the Conficker worm is set to contact its controllers for new instructions, security researchers have discovered a flaw in the worm that makes it much easier for users to detect infected PCs.
Tillmann Werner and Felix Leder, members of the Honeynet Project, an all-volunteer organization that monitors Internet threats, have discovered that Conficker-infected PCs return unusual errors when sent specially crafted Remote Procedure Call (RPC) messages, according to preliminary information they have posted on the Web.
There's a growing urgency in the battle against Conficker as Wednesday approaches. PCs infected with Conficker.c, the third version of the worm, will use a new communication scheme starting April 1 to establish a link to the command-and-control servers operated by the hackers. What's troubling to researchers is that they have no clue about what orders the worm's makers will give those machines.
Using their discovery, Werner and Leder, along with Dan Kaminsky, the security researcher who last summer uncovered a critical flaw in the Domain Name System (DNS) software, spent the weekend crafting a scanner that lets users quickly sniff out Windows machines infected with the worm.
"You can literally ask a server if it's infected with Conficker, and it will tell you," Kaminsky said in an entry to his blog Monday.
The scanner, in turn, has been modified and added to enterprise-grade detection systems from companies such as McAfee Inc., nCircle Inc. and Qualys Inc., which plan to release updates today. The free open-source Nmap scanner is also slated to include the new detection capability.
"What Tillmann and Felix found was that Conficker systems react differently to certain RPC parameters," said Wolfgang Kandek, chief technology officer at Qualys. "The difference is very subtle."
Conficker-patched machines answer differently to the special RPC messages because the worm, which exploited a Windows vulnerability that Microsoft Corp. patched last October, uses its own version of the Microsoft patch to effectively close the door behind it. Quashing a bug is a common tactic by malware authors to prevent other criminals from stealing their infected systems.
- Bookmark this page
- Share this article
- Got more on this story? Email Computerworld
- Follow Computerworld on twitter
- Informatik IV: Containing Conficker
- Conficker's next move a mystery to researchers
- FAQ: The DNS bug and you
- Taming Conficker, The Easy Way : DoxPara Research
- Nmap - Free Security Scanner For Network Exploration & Security Audits.
- Microsoft warns of new Windows attacks
- Microsoft, Symantec, VeriSign join forces to fight Downadup worm
- Papers : The Honeynet Project
-
Business Continuity: A Guide to Choosing the Right Technology Solution
-
The Pathways ICT Leadership Development Program | Turning today’s ICT professionals into tomorrow’s business leaders
-
Overtaken by Events? The Quest for Operational Responsiveness | A Survey of Global Energy, Telecoms, and Logistics Businesses
-
Embedded System Design
-
Learning to Program with Visual Basic.NET
-
Learning Autodesk Maya 2009 Foundation
-
Excel 2003 VBA Programmer's Reference
-
Dreamweaver MX E-learning Toolkit
-
Professional Css
-
Mastering Windows Server 2008 Small Business Server
-
Mastering Excel
-
Windows Vista All-In-One Desk Reference for Dummies
Comments
Post new comment