![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
I remind you that the Conficker worm is scheduled to activate on Wednesday. That event is now less than 48 hours away.
In a very timely move, the Honeynet Project has managed to find and exploit a flaw in Conficker, which they have used to develop a network scanner that can detect Conficker-infected Windows machines.
The Honeynet Project is very excited to announce a new scanning tool for detecting Conficker and an upcoming Know Your Enemy paper detailing how to contain Conficker. Both the paper and the tool have been developed by Honeynet Project members Tillmann Werner and Felix Leder. The tool was developed over the weekend, in co-ordination with Dan Kamisnky, and this tool is now publicly available and is in the process of being integrated into most major vulnerability scanning tools, including Nmap. The Know Your Enemy paper describing in far greater detail how to contain Conficker and the tool itself, will be released in the next forty-eight hours. Both the scanning tool and the paper have been developed and coordinated with the efforts of the Conficker Working Group. We would like to thank them for their tremendous support, guidance and input on this research.
From the referenced Doxpara page:
We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don’t have to: I’ve been working with the Honeynet Project‘s Tillmann Werner and Felix Leder, who have been digging into Conficker’s profile on the network. What we’ve found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it’s infected with Conficker, and it will tell you. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis’ Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys.
We figured this out on Friday, and got code put together for Monday. It’s been one heck of a weekend.
The technical details are not complicated -- Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version -- but I’ll let Tillmann and Felix describe this in full in their “Know Your Enemy” paper, due out any day now with all sorts of interesting observations about this annoying piece of code. (We didn’t think it made sense to hold up the scanner while finishing up a few final edits on the paper.)
Every non-trivial body of code has vulnerabilities.¹ Think about that. Every one. Including malware. No matter how carefully you audit a body of code, you can never be certain that you have found and corrected every potential vulnerability; so make that your basic underlying assumption: “Every non-trivial body of code has vulnerabilities.” It’s just a question of finding them — for good or ill.
In this case, Conficker exploits a flaw in Microsoft code to infect Windows systems; and now the Honeypot Project and friends are exploiting a flaw in Conficker’s code to remotely detect its presence. The wheel turns.
[1] I’ll grant it is hypothetically possible to have a body of code that you know contains no vulnerabilities. To have that knowledge, though, you have to be able to mathematically prove that the complete design of the code itself, every other piece of code that it relies upon, and the entire hardware system that they all run on are all completely correct. If you are unable to prove the correctness of any one of those elements, you cannot be completely certain that you have eliminated all potential vulnerabilities.
Re: Spot the defect!
Above a certain level of complexity any human created system will be flawed that includes computer software.
Developers need stable libraries, compilers and tools that are intended to write secure code. Effective automated tools to detect flaws would be good. Developers also need an attitude that supports secure coding practices.
Re: Spot the defect!