Hiya guys, this is a super quick post as I am busy at work, but as mentioned on the main site yesterday some knowledgeable guys from the Honeynet Project have identified the signatures of Conficker, so we can now try and identify infections.

I am focusing on testing this with Nmap as it's free, so here are some links to read as I don't currently have time to do the write-ups, sorry.

http://blog.commandlinekungfu.com/2009/03/episode-16-got-that-patch.html

http://seclists.org/nmap-dev/2009/q1/index.html

http://www.skullsecurity.org/blog/?p=209

Nmap 4.85BETA5

o Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

http://nmap.org/download.html
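To turn the scan above into something you can run over a whole network and act on, here is an added example (my own wrapper, not code from the original post or from the Nmap project) that runs the quoted command and pulls out the hosts smb-check-vulns flagged; the "Conficker: Likely INFECTED/CLEAN" lines it parses are modelled on that script's output (an assumption), and the sample scan output embedded below is constructed, not a real scan.

```shell
#!/bin/sh
# Added example, not from the original post or the Nmap project: wrap the
# Conficker scan from the post and summarise which hosts smb-check-vulns
# flagged. The "Conficker: Likely INFECTED/CLEAN" lines are modelled on that
# script's output (assumption); the sample output below is constructed.

# Run the scan from the post against one target network (needs nmap 4.85BETA5+).
scan_conficker() {
    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 "$1"
}

# Read nmap normal output on stdin; print "<ip> <verdict>" for every host that
# produced a Conficker verdict. Handles both the older "Interesting ports on"
# and the newer "Nmap scan report for" host headers.
summarize_conficker() {
    awk '
        /^Nmap scan report for / || /^Interesting ports on / {
            host = $NF; gsub(/[():]/, "", host)
        }
        /Conficker:/ { sub(/.*Conficker: */, ""); print host, $0 }
    '
}

# Keep only the hosts the script considers likely infected, for follow-up.
likely_infected() {
    summarize_conficker | awk '/Likely INFECTED/ { print $1 }'
}

# Constructed sample output for two hosts (not a real scan).
SAMPLE_OUTPUT='Nmap scan report for 10.0.0.5
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN (use --script-args=unsafe=1 to run)
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN (use --script-args=unsafe=1 to run)

Nmap scan report for 10.0.0.6
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN (use --script-args=unsafe=1 to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN (use --script-args=unsafe=1 to run)'

# Live usage would be: scan_conficker 192.168.1.0/24 | likely_infected
printf '%s\n' "$SAMPLE_OUTPUT" | summarize_conficker
```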

If you want to use the Simple Conficker Scanner, which can also do bulk scans from a txt file, download the latest version here.

scs <start-ip> <end-ip> | <ip-list-file>

The security world is all abuzz with the 1st of April rapidly approaching. No one knows if it's really going to happen, or if it really is an April fool, but there is a good chance Conficker (the MS08-067 vulnerability) is going to strike.
Many organisations may not have been able to patch, but now is the time to be thinking of how you're going to cope should the worst happen. At the very least you should be running an AV product that can detect the various variants, and have the package on hand ready for deployment if you're impacted, so you can deploy in an untested fashion.

Looking at this realistically, if you're already infected you might be at risk, but no more than on any other day that they could launch the attack. I don't see anyone suddenly distributing and infecting more machines all of a sudden; this will probably just gradually grow as it has over the last months.

If you're a home user, and not sure if you're patched, you might want to try this excellent bit of command line Kung Fu from Ed Skoudis -

wmic qfe where hotfixid="KB958644" list full

Microsoft Excerpt:
In early March, security researchers identified a new version of the Conficker virus, called Conficker.C. This third variant of the virus, like its predecessors, exploits the vulnerability patched by Microsoft’s security bulletin MS08-067, released in October 2008. While not currently released, it has been confirmed that this virus will become active and malicious on April 1, 2009.
Conficker.C is a major revision of the original virus. This variant includes new functionality that ranges from new infection methods to disabling security tools. The Conficker.C virus will scan and kill processes for security products including disabling: firewalls, patch deployment, and antivirus software.
WHAT TO DO BEFORE APRIL 1ST:
The best defense is to apply Microsoft Security Bulletin MS08-067 to eliminate the vulnerability. Administrators should ensure every system on their network, internal and external, physical and virtual, has the MS08-067 patch applied. Before trying to clean or detect any systems that may be infected with the Conficker virus, administrators must first apply the patch. Attempting to clean systems without first protecting them will only present a never-ending process of Virus removal. By applying MS08-067, administrators will then be able to start the task of scanning for infected devices and restoring them back to their desired state.
WHAT TO DO AFTER APRIL 1ST:
If you have not installed the MS08-067 patch on all systems before April 1st, and systems are infected, researchers claim that you will not be able to apply the patch to the infected systems. You will have to manually remove the virus and then apply the patch. This can leave your system open for re-attack in the timeframe between removing the virus and applying the patch.

Potential New Methods of Attack:
In addition to using internal networks as the means of attack, Conficker.C is believed to use P2P (Peer-to-Peer) networking to infect other vulnerable systems.
Find the Gaps and Close Them Before Conficker.C Causes Trouble for Your Network:
Shavlik is offering a limited-time only, free version of its NetChk Protect and NetChk Compliance software for users to protect against the Conficker virus. Corporations can use Shavlik’s non-invasive, agentless technology to assess their entire network to ensure that Microsoft patch MS08-067 is applied and that their configuration settings have been hardened according to security expert recommendations.

Here is also an interesting Q&A from F-Secure, which also seems to share a realistic perspective.

As previously mentioned, the Pwn2Own hacking contest also featured events targeting the ever popular smartphones.
Surprisingly they all managed to survive and not be compromised. This may be for various reasons, such as the lack of processing power of the phones when it comes to exploitation, or the fact that not much time has been spent previously on targeting these devices.

All I know is that it doesn't mean we should think there is nothing to worry about; as use becomes more popular and data more valuable, trends will change.

I recently got a new smartphone, and I don't think it will be long until AV products become more popular on these platforms, so watch this space.


So Google have now released the long discussed Street View, and already people are complaining and asking to have images removed.
I guess if you have been caught slacking off work, or having lunch with your mistress, you might have something to be worried about, but in general I don't think it's a mega issue or invasion of privacy.

The images are not real time, and as far as I am aware there is no metadata linking the image to an individual, registration information or anything else that's not in the public domain. I do wonder if these same people complaining are the ones with hundreds of pictures on Flickr and such like.

Personally, until I learn any more, I am not too worried about this myself. Granted, as with images on Google Earth, images of government buildings and such like might need to be removed or censored, not because of the content as such, as anyone could go take a picture, but more to remove the ease of access to such images. I can see the plus sides; it would be a good idea to get an idea of what a street looks like that you are planning to navigate to.

I have not seen myself on Street View maps yet, but maybe you will be lucky :)


The latest release of Internet Explorer is a lot faster, finally follows internet standards, and adds a lot of new features like a smarter address bar, tab grouping, private browsing, and tab crash protection. Check out our previous coverage of the IE Beta for a full walk-through of the new features, or just download it and check them out for yourself.

Google Chrome has its known flaws, and I have to say I personally have not used it since testing it.
Saying this though, they must be doing something right, as it's still standing in the Pwn2Own hacking contest when other browsers have been squashed.

Security researcher Charlie Miller hacked Safari in just 10 seconds, then used a remote-execution exploit to take over the up-to-date MacBook and make it do his dirty bidding. Firefox and Internet Explorer 8 fell within a few hours to Nils, a master's student who busted all three browsers wide open. They each won $5000. Day 2 will offer more $5000 prizes for discovering new bugs in Firefox, Chrome and Safari.