Flaw in Conficker Worm May Aid Cleanup Effort
Experts have discovered a security hole in the computer code that powers the Conficker worm, an aggressive contagion that has spread to more than 12 million Microsoft Windows systems worldwide. The security community is treading lightly with this news, because while the discovery could make it easier to isolate infected systems, it could also give criminals a way to quietly hijack millions of systems.
Conficker spreads mostly by exploiting a security vulnerability in Microsoft Windows systems, one that the software giant issued a patch to fix last October - just days before the first version of Conficker struck. Experts have known for some time now that Conficker applies its own version of that patch shortly after infecting a host system. This tactic not only prevents other malicious software from infiltrating the host via that vulnerability, but it also makes it difficult for system administrators to find potentially infected systems simply by scanning their networks for PCs that are missing that critical software update.
But according to research to be published later this week by the Honeynet Project, a volunteer organization that tracks Internet attacks, the Conficker worm doesn't completely close the hole that allows it to wiggle into infected systems in the first place.
"Prior to our research, it was believed when Conficker infected computers, it patched them, so that one could not tell who's infected and who's not, and any vulnerable computer that was already infected was considered not vulnerable," Honeynet founder Lance Spitzner said.
The implications of this discovery were not lost on members of the so-called Conficker Cabal, a group of security researchers, academics and policymakers who have been toiling to block Conficker from updating itself with an unknown software component, as the millions of infected systems are programmed to do on April 1.
Dan Kaminsky, director of penetration testing for Seattle-based security firm IOActive, said the group realized very quickly that the weakness in Conficker's patch for the Microsoft flaw would make it far easier for network administrators to distinguish a Conficker-patched system from a host that is protected by Microsoft's official patch.
Over the weekend, the Cabal worked with the curators of a half-dozen organizations that maintain software vulnerability scanning tools, to help them build updates that would enable their tools to distinguish between Windows systems equipped with the official patch and those carrying the rogue one. As a result, the new detection should be available now in free vulnerability scanners such as Nmap, as well as vendor-driven scanning tools from Tenable, McAfee, nCircle and Qualys.
"Until now, there really hasn't been an easy and reliable way for network admins to find out how infected their networks are," Kaminsky said. "These scanning tools now provide a no-fuss way to find out over the time it takes to have lunch whether or not April 1 is going to be a bad day for your network."
Through the use of a secret encryption key, the Conficker authors have successfully prevented other criminals from hijacking millions of infected systems, a common practice among criminal groups that control large groupings of hacked PCs - also known as "botnets."
But Spitzner said some members of the Conficker Cabal worry that the publication of specific details about the bungled patch could give criminal gangs the instructions they need to evade those built-in protections and assume control over chunks of the Conficker botnet. Alternatively, well-intentioned experts might release a worm that uses the flaw in the bogus patch to uninstall Conficker from host systems.
Such an "anti-worm" might well be more destructive than the Conficker worm itself, Kaminsky said.
"You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you're trying to fight," Kaminsky said. "No one can play counter-worm very well."
Indeed, in 2004, the Welchia (or Nachi) worm sought to remove the "Blaster" worm, an epidemic that affected far more systems than Conficker (oddly enough, through a remarkably similar Windows security flaw). Welchia, initially dubbed a "good worm," was later found to have caused far more damage than Blaster ever did.
Microsoft takes plenty of lumps when bad guys find and exploit security holes in its software. Yet, Conficker's weakness shows even the best criminal programmers make mistakes.
The discovery also highlights the inherent weaknesses present in almost all third-party security updates. In recent years, a number of security experts have developed handmade patches to provide stopgap protection against holes in widely used software, until the vendors can ship an official update.
But those updates typically are produced by people who do not have complete access to the source code for the vulnerable software. As a result, Kaminsky said, those unofficial fixes can introduce a false sense of security.
"If you don't have the source code, chances are you're not going to patch a flaw correctly," Kaminsky said. "The bad guys have so many advantages, and in this case it's actually one disadvantage that we can grab onto."
The white paper detailing the findings of Honeynet Project researchers Tillmann Werner and Felix Leder is expected to be released later this week.
Update, 9:18 p.m. ET: The Honeynet Project paper is available here.
March 30, 2009; 10:50 AM ET