Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 30th, 2009

Days Before Conficker Outbreak Researchers Detect An Easy Detection Method For Infected Machines

In a growing urgency to battle Conficker as Wednesday approaches, security researchers have discovered a flaw in the worm that makes it much easier for users to detect infected PCs. The latest variant, first detected on March 4, 2009, includes an algorithm to generate a list of 50,000 different domains. Five hundred (500) of these will be randomly selected to be contacted by infected PCs beginning April 1, 2009 to receive updated copies, new malware components, or additional functional instructions.
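As an added example (not the article's or the Honeynet Project's code), the Python below shows why a recovered domain generation algorithm helps defenders: with a hypothetical stand-in generator of the shape the article describes (a date-seeded list of 50,000 names, 500 picked at random per day; it is not Conficker's real algorithm), the whole day's candidate set can be precomputed and matched against DNS query logs, whichever 500 the bots actually pick. The generator, the TLD list and the log line format are all assumptions.

```python
"""Added example (not the article's or the Honeynet Project's code): precompute a
DGA's daily candidate set and match DNS queries against it. The generator is a
HYPOTHETICAL stand-in with the article's shape (50,000 date-seeded candidates,
500 picked per day); it is not Conficker's real algorithm."""
import datetime
import hashlib
import random
import string

CANDIDATES_PER_DAY = 50_000   # figure from the article
CONTACTED_PER_DAY = 500       # figure from the article
APRIL_1_2009 = datetime.date(2009, 4, 1)      # activation date from the article
TLDS = ("com", "net", "org", "info", "biz")   # assumed list

def candidate_domains(day: datetime.date) -> list[str]:
    """All 50,000 candidate names for one day (hypothetical DGA, sha256-based)."""
    out = []
    for i in range(CANDIDATES_PER_DAY):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                      # 8..11 letters
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return out

def contacted_domains(day: datetime.date) -> list[str]:
    """The 500 a bot would actually look up: a random subset of the day's list."""
    rng = random.Random(day.toordinal())                # deterministic so runs repeat
    return rng.sample(candidate_domains(day), CONTACTED_PER_DAY)

def flag_dga_queries(log_lines: list[str], day: datetime.date) -> list[tuple[str, str]]:
    """(client, name) for each log line '<timestamp> <client-ip> <queried-name>'
    whose name is in the day's candidate set; malformed lines are skipped."""
    known = set(candidate_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        name = parts[2].rstrip(".").lower()             # normalise trailing dot / case
        if name in known:
            hits.append((parts[1], name))
    return hits

if __name__ == "__main__":
    # constructed sample log line: one host looking up a DGA name
    log = [f"2009-04-01T00:00:05 10.0.0.7 {contacted_domains(APRIL_1_2009)[0]}"]
    print(flag_dga_queries(log, APRIL_1_2009))
```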

Conficker’s (a.k.a. DOWNAD) payload is supposedly set to be unleashed only on April 1st. There are two days to go until the moment of truth, and the hype isn’t expected to die down. Online threat history tells us that trigger/activation dates of equally hyped malware have come and gone without much fanfare. Whether or not April 1 will indeed turn out to be D-Day, the security industry will be keeping an eye out for any malicious activity—like it should.

Just days before the Conficker worm is set to contact its controllers for new instructions, Tillmann Werner and Felix Leder, members of the Honeynet Project, an all-volunteer organization that monitors Internet threats, have discovered that Conficker-infected PCs return unusual errors when sent specially crafted remote procedure call (RPC) messages, according to preliminary information they have posted on the Web.

What’s troubling to researchers is that they have no clue as to what orders the worm’s makers will give those machines. PCs infected with Conficker.c, the third version of the worm, will use a new communication scheme starting April 1 to establish a link to the command-and-control servers operated by the hackers.

Using their discovery, Werner and Leder, along with Dan Kaminsky, the security researcher who last summer uncovered a critical flaw in the Domain Name System software, spent the weekend crafting a scanner that lets users quickly sniff out Windows machines infected with the worm.

“You can literally ask a server if it’s infected with Conficker, and it will tell you,” Kaminsky said in an entry to his blog today.

The scanner, in turn, has been modified and added to enterprise-grade detection systems from companies such as McAfee, nCircle and Qualys, which plan to release updates today. The free open-source Nmap scanner is also slated to include the new detection capability.

“What Tillmann and Felix found was that Conficker systems react differently to certain RPC parameters,” said Wolfgang Kandek, chief technology officer at Qualys Inc. “The difference is very subtle.”

Conficker-patched machines answer differently to the special RPC messages because the worm, which exploited a Windows vulnerability that Microsoft Corp. patched last October, uses its own version of the Microsoft patch to effectively close the door behind it. Quashing the bug they exploited is a common tactic used by malware authors to prevent other criminals from stealing their infected systems.

Because Conficker patched its victims, enterprises had trouble detecting which machines on their networks had been compromised by running standard vulnerability scanners, which look for unpatched machines. Werner and Leder, however, found a way to tell a Conficker-patched PC from a legitimately patched computer.

However, the patch applied by Conficker does not completely plug the Windows hole. “It keeps the flaw open,” said Kandek, “but only for the worm and for someone who knows how to exploit it.” That’s one reason why the Werner-Leder-Kaminsky scanner has raised eyebrows. Some worry that the tool could be used by other hackers, who might exploit the purposely incomplete patch to hijack the estimated 10 million to 12 million Conficker-infected PCs.

Werner and Leder will be publishing more information about their discoveries in a paper, “Know Your Enemy: Containing Conficker — To Tame a Malware,” which will be posted on the Honeynet Project’s site when it’s ready.

Credit: ComputerWorld Security
Credit: TrendLabs, Trend Micro
