Increased Visibility

Ramblings of an Information Security Analyst

Detecting Conficker

By Jason • Mar 30th, 2009 • Category: Vulnerability Management

Conficker on 60 Minutes?  Really?  Since when does a worm get any press before it causes damage?  Of course, leading with “the internet is infected” or calling it “one of the most dangerous threats ever” does little but spread FUD.

While doing a demonstration in which she clicked on a Facebook social engineering scam, Lesley Stahl does say “…and the hacker owned me.” It’s worth a watch just for that line: http://www.cbsnews.com/video/watch/?id=4901282n

In this case, the security industry is on top of things.  We’re tracking it, we’re reverse engineering it, and we’re finding ways to detect it.  Over the weekend, a German group released proof-of-concept code for detecting Conficker over the network.  Download it here: http://iv.cs.uni-bonn.de/uploads/media/scs.zip

According to Dan Kaminsky, quoted in an article on Slashdot:

“What we’ve found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it’s infected with Conficker, and it will give you an honest answer.”

The script is written in Python.  The instructions for using it are hard to find, so I gave it a spin and thought I’d write some directions for running it on Windows.

  1. First, download and install Python for Windows.  Go ahead and install it using the default configuration.
  2. The script needs a couple of Python libraries installed.  The most important is Impacket; you can download it here: http://oss.coresecurity.com/repo/Impacket-stable.zip.  After you download it, unzip it into a directory, go to that directory in a Command window, and type the following:

       python setup.py install

  3. Now download and unzip the detection script: http://iv.cs.uni-bonn.de/uploads/media/scs.zip.  I put it in C:\tools\scs.  Type the following, and watch it do its thing:

       python scs.py <start-IP> <end-IP>

The output isn’t very neat.  It tells you when it fails to connect to a machine, when it thinks a machine is clean, and when it finds something suspicious.

If you add a couple of Windows commands, the output makes more sense and shows you just what you want to see.  You can pipe the output to find, use /v to drop the lines containing “No resp” (the hosts the script could not connect to), and redirect the rest to a file.  If you want to scan a larger network, you can fire that off and come back a little later to see what it found.  If you have IPs by floor or building, you can break the scan down by building and write the results to files that make sense for you.  For example:

C:\tools\scs>scs.py 10.1.11.1 10.1.11.255 | find /v "No resp" > Building_A.txt
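The per-building idea above, taken one step further as a small Python 3 wrapper.  This is an added example, not code from the post or from the scs.py authors; it assumes scs.py sits in the working directory and that, as described above, lines about unreachable hosts contain "No resp".  The building names and address ranges are constructed.

```python
import ipaddress
import subprocess
import sys

# Constructed example data: site names mapped to the ranges scs.py should walk.
BUILDINGS = {
    "Building_A": ("10.1.11.1", "10.1.11.255"),
    "Building_B": ("10.1.12.1", "10.1.13.255"),   # spans two /24s
}


def split_range(start_ip, end_ip, chunk=256):
    """Yield (first, last) pairs covering start..end in blocks of at most `chunk` hosts.

    Long ranges are split so each scs.py run stays short and you can
    check partial results while the rest of the site is still scanning.
    """
    first = int(ipaddress.IPv4Address(start_ip))
    last = int(ipaddress.IPv4Address(end_ip))
    if last < first:
        raise ValueError("end IP precedes start IP")
    while first <= last:
        block_end = min(first + chunk - 1, last)
        yield str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(block_end))
        first = block_end + 1


def keep_answering_hosts(lines, marker="No resp"):
    """Drop lines about hosts that never answered (the `find /v "No resp"` step)."""
    return [ln for ln in lines if marker not in ln]


def scan_building(name, start_ip, end_ip, script="scs.py"):
    """Run scs.py over each block of the range; write the filtered output to <name>.txt.

    Returns the kept lines so the caller can count or review them.
    """
    kept = []
    for first, last in split_range(start_ip, end_ip):
        proc = subprocess.run([sys.executable, script, first, last],
                              capture_output=True, text=True, check=False)
        kept.extend(keep_answering_hosts(proc.stdout.splitlines()))
    with open(f"{name}.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(kept) + "\n")
    return kept


if __name__ == "__main__":
    for building, (start, end) in BUILDINGS.items():
        results = scan_building(building, start, end)
        print(f"{building}: {len(results)} hosts answered; see {building}.txt")
```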

More Information:
http://www.confickerworkinggroup.org
http://it.slashdot.org/article.pl?sid=09/03/30/090224
http://securosis.com/2009/03/30/easily-detect-conficker-infections-over-the-network/