Researchers exploit Conficker flaw to find infected PCs
- 31 March, 2009 08:55
Just days before the Conficker worm is set to contact its controllers for new instructions, security researchers have discovered a flaw in the worm that makes it much easier for users to detect infected PCs.
Tillmann Werner and Felix Leder, members of the Honeynet Project, an all-volunteer organization that monitors Internet threats, have discovered that Conficker-infected PCs return unusual errors when sent specially crafted Remote Procedure Call (RPC) messages, according to preliminary information they have posted on the Web.
There's a growing urgency in the battle against Conficker as Wednesday approaches. PCs infected with Conficker.c, the third version of the worm, will use a new communication scheme starting April 1 to establish a link to the command-and-control servers operated by the hackers. What's troubling to researchers is that they have no clue about what orders the worm's makers will give those machines.
Using their discovery, Werner and Leder, along with Dan Kaminsky, the security researcher who last summer uncovered a critical flaw in the Domain Name System (DNS) software, spent the weekend crafting a scanner that lets users quickly sniff out Windows machines infected with the worm.
"You can literally ask a server if it's infected with Conficker, and it will tell you," Kaminsky said in an entry to his blog Monday.
The scanner, in turn, has been modified and added to enterprise-grade detection systems from companies such as McAfee Inc., nCircle Inc. and Qualys Inc., which plan to release updates today. The free open-source Nmap scanner is also slated to include the new detection capability.
"What Tillmann and Felix found was that Conficker systems react differently to certain RPC parameters," said Wolfgang Kandek, chief technology officer at Qualys. "The difference is very subtle."
Conficker-patched machines answer differently to the special RPC messages because the worm, which exploited a Windows vulnerability that Microsoft Corp. patched last October, uses its own version of the Microsoft patch to effectively close the door behind it. Quashing a bug is a common tactic by malware authors to prevent other criminals from stealing their infected systems.
Because Conficker patched its victims, enterprises had trouble detecting which machines on their networks had been compromised by running standard vulnerability scanners, which look for unpatched machines. Werner and Leder, however, found a way to tell a Conficker-patched PC from a legitimately patched computer.
"This makes detection very convenient," Kandek said, "because you can do remote scanning very quickly, without someone having to log into the system and look at the registry keys. It's not difficult to detect Conficker while you're on the system, but this lets an administrator quickly scan an entire subnet on the network."
However, the patch applied by Conficker does not completely plug the Windows hole. "It keeps the flaw open," said Kandek, "but only for the worm and for someone who knows how to exploit it." That's one reason why the Werner-Leder-Kaminsky scanner has raised eyebrows. Some worry that the tool could be used by other hackers, who might exploit the purposely incomplete patch to hijack the estimated 10 million to 12 million Conficker-infected PCs.
Kandek thought that was far-fetched. "I don't think the flaw will be exploitable by anyone other than the Conficker authors," he said. "This is a very smart and determined and updated team."
Also involved this weekend in the work was the so-called "Conficker Cabal," the ad-hoc consortium of security researchers, companies and organizations that combined forces in February to disrupt the worm's command-and-control infrastructure.
"It was a great effort," said Kandek, "and again, some nice coordination by Dan Kaminsky."
Werner and Leder will be publishing more information about their discoveries in a paper, "Know Your Enemy: Containing Conficker -- To Tame a Malware," which will be posted on the Honeynet Project's site when it's ready.