Security Sleuths Work Overtime to Confound Conficker
Mar 30, 2009 12:04 PM PT
Corporate network administrators can breathe a little easier as the world braces itself for what could be a massive Internet attack courtesy of the Conficker worm on April 1. International non-profit research organization The Honeynet Project, which works on Internet security, has come up with a new scanner to detect the worm on networks.
Over the weekend, security vendors worked with the project's Tillmann Werner and Felix Leder, who discovered how to detect Conficker on networks, to create an enterprise-class version of the scanner.
Werner and Leder will disclose the technical details of their findings later. However, some information is available on the personal blog of security researcher Dan Kaminsky, who worked with them on the scanner. Conficker, according to Kaminsky, changes what Windows looks like on the network, and this change can be detected remotely, anonymously and very quickly. An admin can literally ask a server whether it's infected and get a straight answer, according to the researcher.
Some vendors have begun incorporating the code developed over the weekend into their products.
The Who and the Whatnow?
Also known as "Downadup," "Kido" and "Confick," Conficker is a Windows (Win32) worm first seen late last year. It has infected millions of computers to create what could be the world's largest botnet, although no one can give an exact count of infected machines.
The worm is programmed to listen for orders on April 1, but beyond that, it's very unclear what exactly Conficker will do -- and that's what is worrying everyone. Vincent Weafer, vice president of Symantec Security Response, told TechNewsWorld that, apart from downloading instructions from servers April 1, Conficker probably will do nothing.
Conficker spread so fast that Microsoft put up a US$250,000 reward worldwide for information leading to the arrest and conviction of the people who launched it on the Internet.
Microsoft also coordinated a group of security vendors, academics and law enforcement agencies to hunt down the creators of the worm. Previously known as the "Conficker Cabal," the group has now changed its name to the more sedate "Conficker Working Group."
Scarier Than Michael Myers
It's not just Conficker's speed that is alarming; new variants keep appearing, and security experts believe a highly organized, very professional group of cybercriminals with a high degree of technical knowledge is behind the worm.
"What makes this worm insidious is the communications it has used," Mark Parker, senior product manager at antivirus vendor Marshal8e6, told TechNewsWorld. "Before, worms would use IRC (Internet relay chat) or the Web; this one is using encrypted communications."
So far, three variants of the worm have been rolled out: A, B and C. The keys are used to sign and encrypt the payloads the worm downloads, so that only its authors can feed it instructions. The A variant uses a 512-bit key and an RSA-signed version with a 1,024-bit key; Variant B raises this to a 4,096-bit key. In addition to the cryptography, Variant C forms an ad hoc peer-to-peer network among infected hosts, which makes it even harder to cut off, since it no longer depends on reaching any one server.
Starting April 1, Variant C will generate 50,000 candidate domain names a day and try to download instructions from 500 of them chosen at random, so anyone hoping to block or sinkhole it would have to cover the entire daily list.
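To make the domain-generation scheme concrete, here is an added example, not code from the article or from the worm itself: a constructed, deliberately simplified model of a date-seeded domain generation algorithm with the same shape the article describes (a large daily candidate list, a small random subset actually polled), plus the defender's side, which regenerates the list and flags matching names in DNS logs. The TLD list, the seeding method, the log format and the host names are all assumptions; Conficker's real generator is not reproduced here.

```python
import datetime
import hashlib
import random
import string

# Constructed, simplified model of a date-seeded domain generation algorithm
# (DGA). It is NOT Conficker's real algorithm; it only reproduces the structure
# the article describes: a large candidate set computed from the date, a small
# random subset actually polled by each bot, and a defender who can regenerate
# the whole set to recognise the names in DNS logs.

TLDS = ("com", "net", "org", "info", "biz")   # constructed sample TLD list
CANDIDATES_PER_DAY = 50_000                    # figure from the article
POLLED_PER_DAY = 500                           # figure from the article
APRIL_1 = datetime.date(2009, 4, 1)            # the activation date in the article


def daily_candidates(day, count=CANDIDATES_PER_DAY):
    """Deterministic candidate list for `day` (a datetime.date).

    The seed depends only on the date, so every infected host computes the
    same list, and so can a defender who knows the algorithm. Asking for a
    smaller `count` yields a prefix of the full list.
    """
    seed = int.from_bytes(hashlib.sha256(day.isoformat().encode()).digest(), "big")
    rng = random.Random(seed)
    names = []
    for _ in range(count):
        label = "".join(rng.choice(string.ascii_lowercase)
                        for _ in range(rng.randint(5, 10)))
        names.append(f"{label}.{rng.choice(TLDS)}")
    return names


def polled_subset(candidates, count=POLLED_PER_DAY, rng=None):
    """Bot side: pick `count` distinct names at random from the day's list.

    Each infected host draws its own subset, so no single domain has to be
    reachable for the botnet as a whole to receive instructions.
    """
    rng = rng or random.Random()
    return rng.sample(candidates, count)


def scan_dns_log(log_lines, day):
    """Defender side: flag DNS queries for names in the day's candidate set.

    Expects constructed lines of the form '<timestamp> <host> query A <name>'
    and returns (host, name) pairs for every lookup that hits the list.
    """
    candidates = set(daily_candidates(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue                      # not a query record; ignore
        host, name = parts[1], parts[4].rstrip(".").lower()
        if name in candidates:
            hits.append((host, name))
    return hits


def build_sample_log(day):
    """Constructed sample log: two DGA lookups mixed with benign traffic."""
    dga = daily_candidates(day, count=2)  # first two candidates of the day
    return [
        f"{day}T00:00:12Z host-17 query A {dga[0]}",
        f"{day}T00:00:12Z host-17 query A www.example.com",
        f"{day}T00:01:03Z host-42 query A update.example.net",
        f"{day}T00:01:09Z host-42 query A {dga[1]}",
    ]


if __name__ == "__main__":
    today = daily_candidates(APRIL_1)
    print(f"{len(today)} candidates for {APRIL_1}; each bot polls "
          f"{len(polled_subset(today))} of them")
    for host, name in scan_dns_log(build_sample_log(APRIL_1), APRIL_1):
        print(f"{host} looked up DGA candidate {name}")
```

The point the model makes is the asymmetry: a bot only needs one of its 500 lookups to succeed, while a defender who wants to pre-register or sinkhole the rendezvous points has to act on all 50,000 names every day. Regenerating the list is also the cheapest detection available, since any host querying a name from it is worth a look.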
Takin' Care of Business
Qualys is among the vendors that worked on the code from the Honeynet Project over the weekend. It will include a remote scanner that detects all versions of the Conficker worm, available free Monday.
Others are Tenable, McAfee, Nmap and nCircle, according to Kaminsky's blog. Microsoft also has put up information on its site, and more information is available on the SANS Internet Storm Center site.
It's easy enough to protect against Conficker. Microsoft patched the vulnerability the worm exploits to spread (MS08-067) last October and has since published further updates and guidance for the newer variants, which also spread through network shares with weak administrator passwords and through removable media, so patching alone is not the whole job. All the major antivirus vendors protect fairly well against the worm.
"There's a ton of hype around Conficker, but if you've done what you need to do to protect your network, you're safe," Randy Abrams, director of technical education at security vendor Eset, told TechNewsWorld. "Just focusing on Conficker is like driving to avoid being hit only by Volkswagen Beetles; if you don't pay attention to the other traffic, you're in trouble."