Allowing them to identify compromised computers by scanning the network

Mar 31, 2009 10:37 GMT

Security researchers from the Honeynet Project have developed a simple proof-of-concept network scanner that is able to identify machines infected with the infamous Conficker worm. The tool leverages a weakness in the worm's own patch for the Windows vulnerability it uses to get in.

Conficker is one of the most complex and widespread worms in the history of the Internet. It has infected millions of computers worldwide – up to 12 million, according to some accounts – and spreads from computer to computer by copying itself to removable storage devices and network shares or brute-forcing administration passwords.

However, the worm's main method of propagation, and the one that has made it so successful, is exploiting a critical vulnerability in the Windows operating system, identified by Microsoft as MS08-067. Once a system is compromised, Conficker tries to prevent other malware from getting in through the same flaw; to achieve this, it patches the hole with a custom fix of its own rather than the one Microsoft has provided.

This self-patching is where the weakness identified by Felix Leder and Tillmann Werner, two German security researchers affiliated with the Honeynet Project, lies. In particular, Conficker hooks the NetpwPathCanonicalize() function and inspects incoming requests in order to identify and terminate foreign exploitation attempts.

“Conficker installs a handler that checks for suspicious paths before passing it to the possibly vulnerable NetpwPathCanonicalize() function. All of the three considered Conficker variants return the error code for 'invalid parameters' (87) in case they either find a \..\ in the path or if the path is longer than 200 wide characters. This legitimate error code is returned to the calling RPC program. The constant return code from Conficker can be exploited to remotely identify infected machines,” the researchers explain in their paper (PDF).

Furthermore, all variants of the worm, namely .A, .B and .C, behave this way even if the MS08-067 vulnerability has been fixed with the legitimate patch released by Microsoft. This means that the scanner can identify not only unpatched systems infected through the vulnerability, but every infected computer, including those compromised through network shares, USB memory sticks and so on.
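As an added example (not the Honeynet Project's scanner or any code from the paper), the following Python interprets one captured DCE/RPC response to such a probe: it checks that the probe path would actually reach the hook's two conditions, pulls the return DWORD out of the response stub, and flags the value 87 the researchers describe. The PDU builder and the sample responses are constructed for the example; sending the probe over SMB/SRVSVC is assumed to be handled elsewhere.

```python
import struct

ERROR_INVALID_PARAMETER = 87   # the code Conficker's hook returns, per the paper
RPC_RESPONSE_PTYPE = 2         # DCE/RPC packet type of a response PDU


def is_suspicious_probe(path: str) -> bool:
    """True if the probe path meets one of the two conditions the hook rejects:
    a '\\..\\' component or more than 200 wide (UTF-16) characters. A probe
    that meets neither is passed through to the real function and proves nothing."""
    wide_chars = len(path.encode("utf-16-le")) // 2
    return "\\..\\" in path or wide_chars > 200


def parse_rpc_return_code(pdu: bytes) -> int:
    """Extract the Win32 return code from a DCE/RPC response PDU.
    MS-RPC marshals a call's return value as the last DWORD of the response stub."""
    if len(pdu) < 24:
        raise ValueError("truncated DCE/RPC header")
    version, ptype, drep0 = pdu[0], pdu[2], pdu[4]
    if version != 5 or ptype != RPC_RESPONSE_PTYPE:
        raise ValueError("not a DCE/RPC v5 response PDU")
    endian = "<" if (drep0 >> 4) == 1 else ">"   # drep[0] high nibble: 1 = little-endian
    frag_len, = struct.unpack_from(endian + "H", pdu, 8)
    if frag_len != len(pdu) or frag_len < 28:
        raise ValueError("fragment length does not match captured PDU")
    return struct.unpack_from(endian + "I", pdu, frag_len - 4)[0]


def classify(pdu: bytes, probe_path: str) -> str:
    """Interpret one response to one probe path."""
    if not is_suspicious_probe(probe_path):
        return "inconclusive: probe would not trigger the hook"
    code = parse_rpc_return_code(pdu)
    if code == ERROR_INVALID_PARAMETER:
        return "matches Conficker hook signature (error 87)"
    return f"no Conficker signature (return code {code})"


def build_response(stub: bytes, call_id: int = 1) -> bytes:
    """Constructed DCE/RPC v5 response PDU wrapping a stub (little-endian drep)."""
    frag_len = 24 + len(stub)
    header = struct.pack("<BBBBIHHIIHBB", 5, 0, RPC_RESPONSE_PTYPE, 0x03, 0x10,
                         frag_len, 0, call_id, len(stub), 0, 0, 0)
    return header + stub


# Constructed sample stubs: an empty output buffer followed by the return DWORD.
INFECTED_PDU = build_response(struct.pack("<II", 0, ERROR_INVALID_PARAMETER))
CLEAN_PDU = build_response(struct.pack("<II", 0, 0))
PROBE = "\\\\probe\\share\\..\\"   # contains the '\..\' the hook looks for
```

Running `classify(INFECTED_PDU, PROBE)` reports the 87 signature, while the same probe against `CLEAN_PDU` does not; a probe without `\..\` and under 200 wide characters is reported as inconclusive rather than clean.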

Even better news is that the Conficker Cabal, an alliance of organizations led by Microsoft that is fighting the worm, was made aware of this research in advance of its publication. The coalition has worked in secret with the creators of popular network scanners such as Nessus, Qualys, McAfee/Foundstone, nmap and ncircle to help them add Conficker-detection capability to their products.

This development is particularly important for network administrators, as it will allow them to scan and clean their network of Conficker infections before the worm is set to start contacting its command and control servers to receive instructions. Conficker generates a list of around 50,000 domain names, which the infected computers will randomly start querying on April 1st, to check for updates from its creators.

Even though most security researchers advise calm and say that nothing will happen on April 1st, many IT professionals are edgy about the date. The experts argue that Conficker's creators have alternative methods of pushing updates and can do so at any time, which makes a specific date meaningless. Furthermore, the worm is only set to start checking for online command and control servers on that day; that does not necessarily mean it will find any, or that its creators will start issuing instructions to the botnet.