“Know Your Enemy: Containing Conficker”
Mar 31, 2009 Security News
The good guys at the Honeynet Project have just released their timely paper:
The Honeynet Project is excited to announce the release of Know Your Enemy: Containing Conficker. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented.
You can download the pdf here
Discover Conficker on your Network
Mar 30, 2009 Security News
Dan Kaminsky and the Honeynet Project’s Tillmann Werner and Felix Leder have discovered anomalous network fingerprints that Conficker leaves on an infected Windows host. These changes can be detected easily, and remotely. They have released a very basic Python script that can scan a network looking for these anomalies.
Read all of the details here
UPDATE: Conficker check is in Nmap SVN. Update, compile, then: nmap -PN -d -p445 --script=smb-check-vulns --script-args=safe=1 <host>
UPDATE: Download the Win32 scanner here
UPDATE: Linux users - download this package, extracted from SVN, and merge it into your Nmap data directory (e.g. /usr/share/nmap)
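When the Nmap check above is run across a subnet, the per-host verdicts are easiest to triage from XML output (nmap -oX). The script below is an added example, not the Honeynet scanner or the Nmap script itself; the scan results embedded in it are constructed sample data whose verdict lines are written to resemble the `Conficker:` status line that smb-check-vulns reports.

```python
"""Triage Nmap XML output from the smb-check-vulns Conficker check (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for four hosts; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -p445 --script=smb-check-vulns --script-args=safe=1 -oX -">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: NOT RUN&#xa;  Conficker: Likely INFECTED (by Conficker.C or lower)&#xa;  regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;  MS08-067: NOT RUN&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <hostscript><script id="smb-check-vulns" output="&#xa;  Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED)"/></hostscript>
  </host>
  <host><status state="up"/><address addr="192.0.2.13" addrtype="ipv4"/></host>
</nmaprun>
"""

CONFICKER_LINE = re.compile(r"^\s*Conficker:\s*(.+)$", re.MULTILINE)

def classify(verdict):
    """Map a Conficker verdict string to infected / clean / unknown.
    'UNKNOWN ... (possibly INFECTED)' must not be counted as a hit."""
    v = verdict.upper()
    if v.startswith("LIKELY INFECTED"):
        return "infected"
    if v.startswith("LIKELY CLEAN"):
        return "clean"
    return "unknown"

def triage(xml_text):
    """Return {ip: (status, raw_verdict)} for every host in the scan."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        script = host.find("hostscript/script[@id='smb-check-vulns']")
        m = CONFICKER_LINE.search(script.get("output", "")) if script is not None else None
        # Hosts with no script output (port closed, filtered) need a manual look, not a pass.
        results[addr.get("addr")] = ("not_checked", "") if m is None else (classify(m.group(1)), m.group(1).strip())
    return results

def infected_hosts(xml_text):
    return sorted(ip for ip, (status, _) in triage(xml_text).items() if status == "infected")

if __name__ == "__main__":
    for ip, (status, verdict) in sorted(triage(SAMPLE_XML).items()):
        print(f"{ip:15} {status:12} {verdict}")
```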
What will Conficker do on April 1st?
Mar 27, 2009 Security News
An entertaining and informative FAQ about Conficker and April Fool’s Day from F-Secure:
Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
A: The Conficker aka Downadup worm is going to change its operation a bit, but that’s unlikely to cause anything visible on April 1st.

Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
A: No.

Q: I’m running a Mac, is something going to happen to me?
A: No.

Q: Is there going to be media hype?
A: Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

Q: But in those cases nothing much happened even though everybody expected something to happen!
A: Exactly.
Go read the entire thing HERE
Bruce Schneier at InfoSecurity.be Expo
Mar 27, 2009 Security Events
I had the chance to hear eminent security guru Bruce Schneier give the keynote talk at the 2009 InfoSecurity Expo in Brussels.

I have always appreciated his work and his writing, so this was a real treat for me. He speaks as well as he writes and I found his talk to be very interesting and timely. If you ever have the chance to hear him speak, definitely do yourself a favor and go.
Stealth Router-based Botnet Discovered
Mar 24, 2009 Security News
The guys over at DroneBL, a real-time monitor of abusable IPs, have discovered a botnet they are calling “psyb0t”.
We have come across a botnet worm spreading around called “psyb0t”. It is notable because, according to my knowledge, it:
- is the first botnet worm to target routers and DSL modems
- contains shellcode for many mipsel devices
- is not targeting PCs or servers
- uses multiple strategies for exploitation, including bruteforce username and password combinations
- harvests usernames and passwords through deep packet inspection
- can scan for exploitable phpMyAdmin and MySQL servers
Vulnerable is any Linux MIPSel routing device that has the router administration interface, sshd or telnetd in a DMZ and has weak usernames/passwords (including OpenWRT/DD-WRT devices).
Read the whole thing HERE