
Conficker/Downadup Exploit

This botnet exploit has gained a great deal of publicity, mainly due to its sophistication in hiding itself and in communicating with its command/control sites. There have been reports in the media of an 'April 1' event involving the Conficker exploit. Security researchers have not been able to determine the nature of the event (if there is one) beyond a change to the bot's internal operation.


Exploit Description

The exploit's main vector was the Microsoft Windows vulnerability MS08-067, announced and patched in October 2008. It also spreads via the Windows autorun feature, which activates on insertion of removable media. Once installed, the bot tries to communicate with a malicious command/control site by algorithmically generating random DNS names, a small number of which are registered.


Local Incident Response Activity

  • Blocking port 445 at the Internet gateway, together with departmental and host-based firewalls, is a good line of defense against propagation. ESP checking on wireless and residence networks should also ensure patch installation on user-owned equipment.
  • Campus network vulnerability scans have already been run to detect the missing patch; results are available for network admins at: https://cns.utoronto.ca/cgi-bin/scanreports/report.cgi
  • Campus scans are currently running using an updated Conficker detection tool; no Conficker compromises were detected.
  • DNS caching servers are being monitored for Conficker-characteristic queries; nothing remarkable is being measured.


Recommendations for Network Admins

Basics:

  • Install MS08-067 or ensure the computer is appropriately isolated from the network.
  • Disable the autorun feature for removable media in Windows.
  • Monitor network traffic for high-port-to-high-port activity to randomly generated IP addresses.
  • Ensure antivirus maintenance; most products will detect the bot's presence.
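
As an added illustration (not part of this page or of any campus tooling), the following Python sketch shows the kind of resolver-log check that the DNS-monitoring item under Local Incident Response Activity and the traffic-monitoring item above describe: it flags clients that burst random-looking names which fail to resolve. The log format, the entropy/length heuristic and the thresholds are assumptions chosen for illustration, not Conficker's actual name-generation rules.

```python
import math
from collections import Counter, defaultdict

SAMPLE_LOG = [  # constructed "<epoch> <client_ip> <qname> <rcode>" lines, not real campus data
    "1238284800 10.0.0.5 www.utoronto.ca NOERROR",
    "1238284802 10.0.0.5 mispeled.example NXDOMAIN",  # a human typo, not a DGA
    "1238284805 10.0.0.9 qzkxwpvtjm.info NXDOMAIN",
    "1238284810 10.0.0.9 hrbtngvqlx.biz NXDOMAIN",
    "1238284812 10.0.0.7 kjvbzxqwrm.org NXDOMAIN",
    "1238284815 10.0.0.9 wmpzkjdrvt.org NXDOMAIN",
    "1238284820 10.0.0.9 xvbqnhzklp.net NXDOMAIN",
    "1238284825 10.0.0.9 tjgkrwqxmb.info NXDOMAIN",
    "1238284830 10.0.0.9 pzlqvkhnwd.biz NXDOMAIN",
    "1238285112 10.0.0.7 mnvqzxplkt.net NXDOMAIN",  # 300 s later, outside the window
]

def label_entropy(label: str) -> float:
    """Shannon entropy, in bits per character, of one DNS label (0 for an empty label)."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_random(fqdn: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic (an assumption, not the page's own test): long, high-entropy second-level label."""
    parts = fqdn.rstrip(".").split(".")
    if len(parts) < 2:
        return False
    sld = parts[-2]
    return len(sld) >= min_len and label_entropy(sld) >= min_entropy

def flag_dga_clients(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Return {client_ip: peak_count} for clients that produced at least `threshold`
    random-looking NXDOMAIN answers inside any `window_s`-second sliding window."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = line.split()[:4]
        if rcode == "NXDOMAIN" and looks_random(qname):
            per_client[client].append(int(ts))
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_s:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

On the constructed sample, `flag_dga_clients(SAMPLE_LOG)` returns `{'10.0.0.9': 6}`: the typo from 10.0.0.5 and the two widely spaced lookups from 10.0.0.7 stay below the threshold. Thresholds need tuning per resolver; treat a hit as a reason to scan the host, not as proof of compromise.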

The central network scans reach computers that have TCP port 445 open to the Internet. Many computers may be configured to allow TCP port 445 from the local subnet only; to detect Conficker compromise on these computers, network admins should run their own scans from a source on the local subnet. Here are two recommended tools to do so:

Windows scan tool:

http://www.doxpara.com/?p=1291

Note: The Windows host that runs this tool must have Python or the Microsoft Visual C++ 2008 Redistributable Package (x86) installed. The latter is a small installation package available for free from Microsoft:

http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displaylang=en

UNIX scan tool:

http://oss.coresecurity.com/projects/impacket.html

Please report Conficker detections to: security.admin@utoronto.ca


Recommendations for End Users

The following URL is an 'eyechart' test that can be used to detect a possible Conficker compromise (thanks to Columbia University for hosting the site).

http://www.columbia.edu/~joel/eyechart/cfeyechart.html

If you are not able to contact these sites, but can contact other common sites, you may have a Conficker compromise. You should seek assistance immediately.


More Information

Microsoft End-user Security Information:

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx#EUB

Microsoft Security Response blog: http://blogs.technet.com/msrc

Detailed Technical: http://mtc.sri.com/Conficker/

SANS Diary: http://isc.sans.org/diary.html?date=2009-03-29

©2011 - University of Toronto Information + Technology Services. All Rights Reserved.