
New method for detecting Conficker discovered, debuted

With Conficker.C slowly counting down towards its April 1 launch date, Team …

The clock is ticking down towards Conficker.C's reported April 1 launch date, but an 11th-hour discovery by Team White Hat may substantially improve an IT shop's chance of catching the bug early and stomping on it. The full technical details on the Conficker scanner are being withheld for roughly 24 hours (we'll link the paper when it arrives). If the scanner works as advertised, the security industry will be able to track the spread of Conficker much more effectively than before and neutralize it that much faster.

Security researcher Dan Kaminsky has written a blog post regarding his collaboration with two members of the Honeynet Project, Tillmann Werner and Felix Leder. Kaminsky's words, I think, serve better than my own in this case: "What we’ve found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it’s infected with Conficker, and it will tell you...We figured this out on Friday, and got code put together for Monday. It’s been one heck of a weekend."

What makes the scanner work is a flaw in Conficker's own back-patching mechanism. Once Conficker finds a system where MS08-067 has not been applied, it installs itself and then applies its own specialized version of the MS08-067 fix, meant to make everything look kosher. Beneath the surface, however, Conficker leaves itself a window through which it can reestablish contact with the infected system. Tillmann and Felix's breakthrough was discovering that Conficker reacts subtly differently when presented with certain RPC (Remote Procedure Call) conditions. Further testing established that a Conficker-infected system responds differently from both a legitimately patched and an unpatched system.

According to PC World, the new scanner could be a godsend for enterprises that have had an extremely difficult time determining which of their systems are infected and which are not. Conficker's own version of the MS08-067 fix was good enough to fool vulnerability scanners, which made the already-tedious job of verifying that one's network was clean even worse. For some IT administrators, running the Conficker scanner may reveal an entrenched mess where only happy systems blinked a few moments earlier, but so long as the scanner works, IT staff will be able to root out the bug, properly apply MS08-067, and stop scanning server traffic logs with a microscope.
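The two paragraphs above describe a differential-response fingerprint: the same request gets a different answer from an unpatched host, a Microsoft-patched host and a Conficker-patched host, and a conventional vulnerability scanner, which only asks whether the MS08-067 hole is still open, cannot see the third case. The script below is an added illustration of that logic and is not the researchers' scanner. Because the real probe and the real error codes are being withheld, every status code, host address and the `simulated_probe` function are constructed placeholders; the point is the shape of the check, not the values.

```python
"""Differential-response fingerprinting as the article describes it.

Added illustration, not the Honeynet Project scanner.  The real probe and
the real codes returned by unpatched, Microsoft-patched and Conficker-patched
hosts are withheld, so every status code and host below is a CONSTRUCTED
placeholder that lets the script run offline.
"""
from enum import Enum
from typing import Callable, Dict, Iterable, List


class HostState(Enum):
    UNPATCHED = "unpatched: vulnerable to MS08-067"
    PATCHED = "patched by Microsoft"
    CONFICKER = "patched by Conficker: infected"
    UNKNOWN = "unrecognised response: needs manual follow-up"


# Placeholder status codes (constructed, not the real values).  The property
# the scanner relies on is only that the three host types answer the same
# request with three distinguishable codes.
RESPONSE_UNPATCHED = 0x00
RESPONSE_MS_PATCHED = 0x01
RESPONSE_CONFICKER = 0x02

FINGERPRINTS: Dict[int, HostState] = {
    RESPONSE_UNPATCHED: HostState.UNPATCHED,
    RESPONSE_MS_PATCHED: HostState.PATCHED,
    RESPONSE_CONFICKER: HostState.CONFICKER,
}

# A probe takes a host address and returns the status code the host answered with.
Probe = Callable[[str], int]


def legacy_vulnerability_check(code: int) -> bool:
    """Model of a conventional vulnerability scanner: it asks only whether the
    MS08-067 hole is still open.  Conficker closes the hole with its own patch,
    so an infected host looks exactly like a properly patched one here."""
    return code == RESPONSE_UNPATCHED


def differential_check(code: int) -> HostState:
    """Three-way classification from the status code.  Anything outside the
    known fingerprints is reported as UNKNOWN rather than guessed, which is
    the honest answer given the accuracy caveat in the article."""
    return FINGERPRINTS.get(code, HostState.UNKNOWN)


def scan(hosts: Iterable[str], probe: Probe) -> Dict[str, HostState]:
    """Probe each host once; a host that does not answer is UNKNOWN, never clean."""
    results: Dict[str, HostState] = {}
    for host in hosts:
        try:
            code = probe(host)
        except (OSError, TimeoutError):
            results[host] = HostState.UNKNOWN
            continue
        results[host] = differential_check(code)
    return results


def legacy_flagged(hosts: Iterable[str], probe: Probe) -> List[str]:
    """What the conventional scanner would report: only still-open holes."""
    flagged = []
    for host in hosts:
        try:
            if legacy_vulnerability_check(probe(host)):
                flagged.append(host)
        except (OSError, TimeoutError):
            continue
    return sorted(flagged)


def hosts_needing_action(results: Dict[str, HostState]) -> List[str]:
    """Infected and unpatched hosts both need the real MS08-067 fix; unknowns
    are listed as well so they are not silently assumed clean."""
    return sorted(h for h, s in results.items() if s is not HostState.PATCHED)


# Constructed network for the offline demonstration (documentation addresses).
SIMULATED_NETWORK: Dict[str, int] = {
    "192.0.2.10": RESPONSE_MS_PATCHED,
    "192.0.2.11": RESPONSE_CONFICKER,
    "192.0.2.12": RESPONSE_UNPATCHED,
    "192.0.2.13": 0x7F,  # a code the fingerprint table has never seen
}


def simulated_probe(host: str) -> int:
    """Stand-in for the real (withheld) RPC probe; answers from the table above."""
    if host not in SIMULATED_NETWORK:
        raise TimeoutError(f"{host} did not answer")
    return SIMULATED_NETWORK[host]


if __name__ == "__main__":
    print("legacy scanner flags:", legacy_flagged(SIMULATED_NETWORK, simulated_probe))
    results = scan(SIMULATED_NETWORK, simulated_probe)
    for host, state in results.items():
        print(f"{host}: {state.value}")
    print("needs action:", hosts_needing_action(results))
```

Run as-is, the legacy check flags only the unpatched host and passes the Conficker-patched one as clean, while the differential check separates all three and pushes the unrecognised response into a follow-up list instead of a verdict.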

Ars spoke with Tillmann Werner regarding the long-term efficacy of the scan system. "It's quite reliable," Werner said. "Conficker-patched machines respond with different error codes. We will publish a paper covering all the details soon. Of course, 100 percent accuracy is nothing we can or want to guarantee, though." Fair enough.
