Wednesday, April 1, 2009

Conficker: when the media echoed everything and neglected the substance of the problem

The Conficker worm is no more malicious than many other worms that have existed before it and that keep appearing today, but it quickly took over the news media worldwide, and many of those outlets walked the very thin line between treating an issue as troubling as infections with the seriousness it deserves and sensationalising the event, playing on the idea that "if it's on everyone's lips it sells, so let's keep talking about Conficker."

And after nearly six months of existence, it's true! :-), it is on everyone's lips because of the "surprise" it has supposedly prepared for today, April 1.

While it's true that in a short time Conficker achieved a high infection rate worldwide, and a worrying one at the local level, it's also true that this simply reflects a lack of maturity in security management.

Many major companies have suffered the consequences, through Conficker, of not addressing security in its proper measure, while many others, as I said in another blog, did not even feel the touch of Conficker's malicious instructions. Why?

Perhaps a sensible way to find a consistent answer to such a seemingly trivial question passes close to the ISMS (Information Security Management System). That is, if we want "quality" in security, we "need" to rely on a systematic process such as the one offered by ISO 27001.

But without deviating too much, or going deep into security management, I will only say that many of the problems caused by Conficker can be (and were) avoided simply by maintaining proper management of security updates on Windows platforms.

The reality is that Conficker, like any malicious code, is a potential danger to any information environment, and as a result many are suffering huge headaches "because" of the worm. So, how do we attack the problem?

It isn't my intention to cover Conficker's actions, propagation vectors, etc., since the network already holds plenty of information on them, such as the excellent paper Containing Conficker, part of the Know Your Enemy series produced by the people of The Honeynet Project, or the Cert.at write-up Detecting Conficker in your Network.

But I would like to provide some tools with which to deal with the worm, since not all AV companies offer complete elimination of the threat in every case; most, however, have a free cleanup tool we can use.
Similarly, the people from The Honeynet Project have released a set of PoC tools, the product of the research they have carried out on this issue.
  • Downatool2. The domain names used by the different Conficker variants, which can be used to detect infected machines within a network.
  • Conficker C domain collisions. Unlike the first- and second-generation variants (Conficker.A and .B), which generate 250 domains per day to download their updates, the third generation is expected to have more than 50,000 domains. This is a list of the domains from which Conficker is expected to download during April.
  • Memory disinfection. Identifying Conficker is complicated by its packing and encryption, except when it is in memory.
  • Detection of file and registry modifications. Apparently, the file names and registry key names created by Conficker variants B and C aren't random, but are derived from the name of each infected host. Variant A, by contrast, does pick names at random.
  • Simple Conficker Scanner (SCS). Network scanner to detect Conficker. Requires the Python library "Impacket" to be installed.
  • IDS. Based on the patterns used by the different generations of Conficker, it's possible to detect its presence through rules:
Conficker A

alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000001; rev: 1;)

Conficker B

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode"; content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)

  • Nonficker Vaxination Tool. Conficker uses a mutex to ensure that the computer is infected with its latest version. This mechanism can be used to prevent potential infections by mimicking that mutex through a DLL.
We even have a new version of nmap (4.85Beta5) which incorporates Conficker detection routines, available for different platforms: Windows, OSX, Linux.

It's also advisable, since this isn't over, to carry out short audits aimed at verifying the level of vulnerability in our environment. We can use, for example, tools like Microsoft's MBSA or Secunia's CSI/PSI.

Finally, don't forget to install the updates that fix the critical security vulnerabilities exploited by Conficker: MS08-067, MS08-068 and MS09-001.

# Jorge Mieres
