Found: An Achilles heel for Conficker
A few of the folks scrutinizing Conficker realized something mighty interesting on Friday: the malware not only changes how an infected Windows box looks on the network, it will admit to the infection if you ask it -- remotely, and without authentication. One insanely hectic weekend later, there are multiple brand-new enterprise-class scanners available for network admins' protection needs.
So far on Monday, the check is being integrated into scanners from Tenable (Nessus), McAfee/Foundstone, nmap, nCircle and Qualys, and a standalone proof-of-concept tool is available as well. The charge was led by the Honeynet Project's Tillmann Werner and Felix Leder and moved along by Dan Kaminsky at Doxpara, along with Securosis' Rich Mogull and the Conficker Cabal Working Group.
Take a closer look at that list. Again, the focus is on scanners, not anti-malware or patches.
"Your chance to patch was in October," notes Wolfgang Kandek, CTO of Qualys (that's when Microsoft shipped the MS08-067 fix for the hole Conficker exploits). With the discovery of the new detection method, he says, "scanning is interesting again" as a means of preventing further infection, as opposed to battling infections once they're in place.
The Qualys exec says he's "really in favor of preventive measures" such as scanning for quelling potentially massive infections, such as Conficker has proven to be. "It's bad that we have to rely on anti-virus and anti-malware [solutions] to fix these infections." The new scan requires no authentication and can be run remotely: as long as the target still answers SMB on TCP port 139 or 445 (that is, the ports haven't been firewalled off), or the scanner otherwise has privileged access to the machine, the change Conficker makes reveals itself. The tell is the worm's own handiwork. Conficker patches the MS08-067 hole in memory to keep rival malware out, and its patch answers a crafted request differently than either an unpatched or a Microsoft-patched Windows box does, so a scanner can tell the three apart over the wire. The caveat is the flip side of the same fact: a host with SMB blocked at the firewall will simply look clean to an unauthenticated scan, not be clean.
Kandek, like many security experts closely engaged in current anti-Conficker efforts, isn't actually too worried about Wednesday (April 1), when the malware switches to a new algorithm for generating the domains it checks for its marching orders. The people behind Conficker, he notes, have been extraordinarily careful and competent in their management of the malware, and "I don't see them making the beginner's mistake of letting an update bring down the network."
That's good, because Qualys sees a lot of unpatched machines out there -- as of about two months ago, 30% of all Windows machines. Say what? -- or, more appropriately, say who? "We derive our numbers from enterprise customers and SMBs," says Kandek, "but in areas where non-licensed machines are in use the ratio of unpatched machines must be significantly higher due to the difficulty of getting and installing patches and the fear of detection."