
Flaw in Conficker Worm May Aid Cleanup Effort

Experts have discovered a security hole in the computer code that powers the Conficker worm, an aggressive contagion that has spread to more than 12 million Microsoft Windows systems worldwide. The security community is treading lightly with this news, because while the discovery could make it easier to isolate infected systems, it could also give criminals a way to quietly hijack millions of systems.

Conficker spreads mostly by exploiting a security vulnerability in Microsoft Windows systems, one that the software giant issued a patch to fix last October - just days before the first version of Conficker struck. Experts have known for some time now that Conficker applies its own version of that patch shortly after infecting a host system. This tactic not only prevents other malicious software from infiltrating the host via that vulnerability, but it also makes it difficult for system administrators to find potentially infected systems simply by scanning their networks for PCs that are missing that critical software update.

But according to research to be published later this week by the Honeynet Project, a volunteer organization that tracks Internet attacks, the Conficker worm doesn't completely close the hole that allows it to wiggle into infected systems in the first place.

"Prior to our research, it was believed that when Conficker infected computers, it patched them, so that one could not tell who's infected and who's not, and any vulnerable computer that was already infected was considered not vulnerable," Honeynet founder Lance Spitzner said.

The implications of this discovery were not lost on members of the so-called Conficker Cabal, a group of security researchers, academics and policymakers who have been toiling to block Conficker from updating itself with an unknown software component, as the millions of infected systems are programmed to do on April 1.

Dan Kaminsky, director of penetration testing for Seattle-based security firm IOActive, said the group realized very quickly that the weakness in Conficker's patch for the Microsoft flaw would make it far easier for network administrators to distinguish a Conficker-patched system from a host that is protected by Microsoft's official patch.

Over the weekend, the Cabal worked with the curators of a half-dozen organizations that maintain software vulnerability scanning tools to help them build updates that would enable their tools to distinguish between Windows systems equipped with the official and the rogue security patch. As a result, the new detection should be available now in free vulnerability scanners such as Nmap, as well as in vendor-driven scanning tools from Tenable, McAfee, nCircle and Qualys.

"Until now, there really hasn't been an easy and reliable way for network admins to find out how infected their networks are," Kaminsky said. "These scanning tools now provide a no-fuss way to find out over the time it takes to have lunch whether or not April 1 is going to be a bad day for your network."

Through the use of a secret encryption key, the Conficker authors have successfully prevented other criminals from hijacking millions of infected systems, a common practice among criminal groups that control large collections of hacked PCs - also known as "botnets."

But Spitzner said some members of the Conficker Cabal worry that the publication of specific details about the bungled patch could give criminal gangs the instructions they need to evade those built-in protections and assume control over chunks of the Conficker botnet. Alternatively, well-intentioned experts might release a worm that uses the flaw in the bogus patch to uninstall Conficker from host systems.

Such an "anti-worm" might well be more destructive than the Conficker worm itself, Kaminsky said.

"You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you're trying to fight," Kaminsky said. "No one can play counter-worm very well."

Indeed, in 2004, the Welchia (or Nachi) worm sought to remove the "Blaster" worm, an epidemic that affected far more systems than Conficker (oddly enough, through a remarkably similar Windows security flaw). Welchia, initially dubbed a "good worm," was later found to have caused far more damage than Blaster ever did.

Microsoft takes plenty of lumps when bad guys find and exploit security holes in its software. Yet, Conficker's weakness shows even the best criminal programmers make mistakes.

The discovery also highlights the inherent weaknesses present in almost all third-party security updates. In recent years, a number of security experts have developed handmade patches to provide stopgap protection against holes in widely used software, until the vendors can ship an official update.

But those updates typically are produced by people who do not have complete access to the source code for the vulnerable software. As a result, Kaminsky said, those unofficial fixes can introduce a false sense of security.

"If you don't have the source code, chances are you're not going to patch a flaw correctly," Kaminsky said. "The bad guys have so many advantages, and in this case it's actually one disadvantage that we can grab onto."

The white paper detailing the findings of Honeynet Project researchers Tillmann Werner and Felix Leder is expected to be released later this week.

Update, 9:18 p.m. ET: The Honeynet Project paper is available here.

By Brian Krebs  |  March 30, 2009; 10:50 AM ET
Categories:  Fraud , Safety Tips  | Tags: cabal, conficker worm, honeynet project, kaminsky  


One wonders if our public policy makers are paying any attention to Conficker and what worms like this could mean in the future for cybercrime, cyberespionage and cyberwarfare.

Posted by: RobDouglas | March 30, 2009 11:22 AM | Report abuse

My wife's computer is one of the infected computers. Using the memory scanner at (Infomatik IV Containing Conficker), I got the following error:

MATCH at offset 02270338 of block 02230000
Pattern for Conficker.C found
Injecting shellcode

When I get home tonight, I will begin the disinfection process.

Thanks for posting the link.

Posted by: cbm1 | March 30, 2009 1:01 PM | Report abuse

Great analysis. Congrats on the anniversary.
Many happy returns.

Posted by: featheredge9 | March 30, 2009 2:57 PM | Report abuse

BUT. About the reconfiguration of the Tech page. Now that you and Rob Pegoraro are links @ the top of the page, regular readers can click and read without scrolling -- convenient as long as the site is up to speed. But there are at least two possible unexpected consequences. 1) Security Fix and Faster Forward readers, of whom I assume there are many, may click and not scroll down as often to read the rest of the page. 2) Security Fix and Faster Forward may not attract a steady supply of new readers.

Posted by: featheredge9 | March 30, 2009 3:02 PM | Report abuse

The Chinese are thought to be behind this latest threat. In addition to Conficker, the BBC is reporting that Chinese hackers have accessed 1000s of sensitive computers in 100s of countries around the world. They continue to hack US government, military, and commercial systems. WWIII will be fought in cyberspace and the Chinese are perfecting their weaponry. If they can't already, soon they will be able to disable our civil and commercial infrastructure with a single computer stroke. Won't need to fire a single shot to take the US down.

Posted by: caebling | March 30, 2009 3:21 PM | Report abuse

The report I gave earlier of my wife's computer having the virus was a false positive. I have run Symantec and other tools on the page I listed and none of them found the virus. I did install the Nonficker Vaxination[sic] Tool that was at on all of my computers.

Posted by: cbm1 | March 30, 2009 9:36 PM | Report abuse

Testing comments.

Posted by: Bob Greiner | April 1, 2009 11:10 AM | Report abuse

More needs to be publicized about the Koobface Worm, which can be used in conjunction with other malware to exploit as yet unrecognized vulnerabilities.

Social Networking sites (Facebook, MySpace, Bebo, LiveJournal, etc.) are under attack by a variation of the Koobface worm which began to spread in August ‘08. This new variant, tracked as WORM_KOOBFACE.AZ, has the potential for a fast infection rate.

Most importantly, after propagating itself from the infected device, the Worm remains active on the user’s computer transmitting the computer’s data, settings, control information, and system information to over 300 international collection sites.

Posted by: anthonymfreed | April 5, 2009 12:04 PM | Report abuse



© 2010 The Washington Post Company