Scanners and utilities to detect Conficker worm

In: Conficker , Configurations checks , Local auditing , Network Discovery , Vulnerability Scanner

31 March 2009

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

The worm exploitsMS08-67 unpatched servers.

- The Conficker worm related vulnerability identification

CVE : CVE-2008-4250
Missed Patch MS08-067
OVAL ID : oval:org.mitre.oval:def:6093
CVSS v2: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
CWE: CWE-94 (Failure to Control Generation of Code (aka ’Code Injection’)
Known exploit : Metasploit
Malware report : ThreatExpert report

Here are some tools and utilities used to identify and tocontain the Conficker worm. Meanwhile, US-CERT raises a National Cyber Alert (TA09-088A)

Downatool2

The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.

Memory Disinfector

It is hard to identify files containing Conficker because the executable are packed and encrypted. When Conficker runs in memory it is fully unpacked. The memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running

Detecting Conficker Files and Registry

Online identification

Network Scanners

Executable release
Python version
Nessus Plugin (plugin 36036) to detect Conficker (conficker_detect.nasl) (included)
Nmap 4.85beta5 using this command line nmap -PN -T4 -p139,445 -n
-v —script=smb-check-vulns —script-args safe=1 [targetnetworks]

Removal tool (Nonficker Vaxination Tool)

Attached Documents

Conficker_detect.nasl (Zip - 1.4 kb)

Compliance Mandates

Network Discovery :
PCI DSS 11.2, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5
Vulnerability Scanner :
PCI DSS 11.2, 6.6, SOX A13.3, GLBA 16CFR Part 314.4(c), HIPAA 164.308(a)(8), FISMA RA-5, SI-2, ISO 27001-27002 12.6, 15.2.2

Conficker	31 March 2009 : Scanners and utilities to detect Conficker worm
Configurations checks	10 May 2010 : WebTest 1.2.1 - Testing Web Application with Python 1 May 2010 : Lansweeper v4.0 released 1 May 2010 : Sysinternal AccessChk v5.0 released 1 May 2010 : Spiceworks v4.7 build 50667 released 28 April 2010 : NSIA (Network System Integrity Analysis) v0.8.99 released
Local auditing	11 May 2010 : iScanner v0.5 released - Malicious codes scanner 22 April 2010 : OpenSCAP v0.5.9 released 30 March 2010 : Buck Security - Checks for Debian Linux - v0.5 released 29 March 2010 : PDFResurrect v0.10 released 26 March 2010 : Flint the Firewall Rules Checkup Scanner updated to v1.0.4
Network Discovery	12 May 2010 : Complemento v0.7.6 - Collection of Tools 10 April 2010 : Scapy v2.1.1 in the wild 30 March 2010 : pwnat tool v0.2-beta released 30 March 2010 : Nmap v5.30 beta 1 in the wild - doped with scripts - 27 March 2010 : pwnat tool v0.1-beta bypassing NAT
Vulnerability Scanner	10 May 2010 : SQLNinja v0.2.5 released! 26 April 2010 : Acunetix WVS v6.5 build 20100419 released 20 April 2010 : Sandcat v4.0 released 15 April 2010 : Nessus v4.2.2 released 9 April 2010 : SARA-7.9.2a the final version released

Scanners and utilities to detect Conficker worm

Attached Documents

Compliance Mandates

Related Articles

Follow us

Like us !

Most Read

Advertising

License

Categories

COMPANY

STANDARDS

RECENT POSTS

MENU