Conficker, Nmap and What I sent to the Office

I wasn’t going to write a Conficker post, but I had so much fun playing with nmap today that I caved in…

This afternoon I decided that it would be prudent to make a quick scan of the corporate networks for signs of Conficker-ness. I knew from Dan Kaminsky’s recent “Taming Conficker” that the recent nmap beta can detect it, so that’s the route I took, using the most recent beta version.

I’m not sure when I last tried nmap on Windows, but I know it was from before the integrated Zenmap GUI was included. Man, this works great! I’m all for the command line, don’t get me wrong, but when given the option of using a nicely organized and functional UI I’ll go that route every time. I really like the ability to store profiles – that rocks.

Back on track: I used the suggested command and ran a scan against each of our corporate segments.

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

I’m happy to say that I found no evidence of issues. However, as I write this I see that a new beta version (4.85beta6) has been released so I guess I’ll make one more run tonight just to be sure…
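For anyone sweeping more than a handful of segments, the nmap output is easier to review if it is saved as XML (`-oX`) and reduced to a per-host verdict. The following script is an added example, not code from the original post or from the nmap project: it reads an nmap XML report, pulls the smb-check-vulns host-script result for each live host and emits a CSV of IP and Conficker status, exiting non-zero if anything looks infected so it can be wired into a scheduled re-run. The embedded XML is a constructed sample, and the exact wording of the script output (“Conficker: Likely INFECTED” / “Likely CLEAN”) is an assumption about the 4.85-beta-era script, so the matcher is deliberately loose.

```python
"""Triage an nmap -oX report from a Conficker sweep (added example).

Assumes the smb-check-vulns host script reports a line of the form
"Conficker: Likely INFECTED" or "Conficker: Likely CLEAN"; the sample
XML below is constructed, not captured from a real scan.
"""
import csv
import io
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely INFECTED&#xa;regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: NOT RUN&#xa;Conficker: Likely CLEAN&#xa;regsvc DoS: NOT RUN"/></hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""


def conficker_status(script_output):
    """Reduce smb-check-vulns text to INFECTED, CLEAN or UNKNOWN."""
    for line in script_output.splitlines():
        line = line.strip()
        if line.lower().startswith("conficker:"):
            verdict = line.split(":", 1)[1].upper()
            if "INFECTED" in verdict:
                return "INFECTED"
            if "CLEAN" in verdict:
                return "CLEAN"
            return "UNKNOWN"
    return "UNKNOWN"


def parse_sweep(xml_text):
    """Return [(ip, status)] for every host nmap reported as up."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        # Hosts with 139/445 closed or filtered never run the script;
        # flag them separately so they are not mistaken for clean.
        verdict = "NOT CHECKED"
        for script in host.iter("script"):
            if script.get("id") == "smb-check-vulns":
                verdict = conficker_status(script.get("output", ""))
        results.append((addr.get("addr"), verdict))
    return results


def to_csv(results):
    """Render the verdicts as comma-delimited text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "conficker"])
    writer.writerows(results)
    return buf.getvalue()


def main(argv):
    """Usage: python conficker_triage.py [scan.xml]; no file means the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_XML
    results = parse_sweep(xml_text)
    sys.stdout.write(to_csv(results))
    # Non-zero exit when anything is flagged, so a cron job can alert on it.
    return 1 if any(v == "INFECTED" for _, v in results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `nmap ... -oX scan.xml` followed by `python conficker_triage.py scan.xml`. The NOT CHECKED bucket is the one worth a second look: a personal laptop with a firewall blocking 445 will land there, and silence is not the same as a clean result.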

Of course, as so often happens with nmap I then spent the next hour trying various different sorts of scans and options to see what else I might turn up on my networks. That thing is an enjoyable time-sink, isn’t it?

The Work Communications

I had more than a few questions at work this week about Conficker, so just for posterity’s sake here’s a copy of what I sent out. For those of you in the IT Mgmt, Security or Ops fields, how does it compare to what you sent? I struggle with these sorts of notes because I don’t want to sound over-confident, yet I don’t want to scare the pants off everyone either. There’s already enough hype without that…

I’ve fielded a few questions about Conficker [1] this week, no doubt due in part to how much the media is enjoying the hype! 60 minutes covered it [2] this past weekend and I’ve even heard it discussed on the evening AM radio shows.

I just want to reassure you all that I think we’re in pretty good shape to ride this one out.

The first key to defending against it is keeping the Windows machines patched and up to date. With very few exceptions, we apply patches within days of their being released by Microsoft each month. The patch for this particular vulnerability came out last October! [3] The folks most at risk are those who have disabled updates and don’t apply the patches.

Our second line of defense is the OpenDNS service that we use for domain name resolution. Not only does DNS ensure that we can find the internet sites we need, it also performs our content filtering on the network (Yes, that’s why you can’t always get to the “non-work-related” sites that you want to…). The folks at OpenDNS are very aware of the Conficker issue and will be doing some screening and protection on behalf of their users.[4]

Side Note: I would encourage you all to consider using OpenDNS for your home systems or networks as well. It is very simple to use and free. More details at http://www.opendns.com/solutions/overview/

Our third line of defense is the Corporate Symantec Antivirus client installed on all of the desktops. While the scanner is a bit old, it is updated daily and can (and has!) detect modern viruses. Not only is it configured to scan files as they are accessed, but a weekly scan is run as well and I review results shortly afterwards each week.

Do I have any concerns? Well, not all machines on our network are corporate machines or managed by [company name]. We have visitors and some of you have your personal laptops here as well. To that end, I’ll be doing some network scans [5] this afternoon to probe all found machines for the vulnerability. Don’t fear, it’ll be non-invasive but it turns out that Conficker makes changes that are very easily detected with the equivalent of a quick port scan. Any machines detected with issues will be ejected from the network until their owner can patch/fix/update them.

Want to try and scan yourself? I have a little detection program out on network share \\[edited share]\_Apps called “Stinger_coficker” that you’re welcome to try out.

Feel free to drop by with any questions or concerns that I haven’t addressed.

More details and links from above:

[1] Conficker defined: http://en.wikipedia.org/wiki/Conficker
[2] the 60 minutes video: http://blogs.zdnet.com/security/?p=3036
[3] Microsoft patch notes: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
[4] OpenDNS mitigation plans: http://blog.opendns.com/2009/03/30/worried-about-conficker-on-april-1-setting-up-opendns-can-protect-your-network/
[5] Dan Kaminsky’s research notes on Conficker detection: http://www.doxpara.com/?p=1285
Best Regards,


8 comments to Conficker, Nmap and What I sent to the Office

  • Hey Chris: A great write up. I might just copy your line of defense form for explaining this to others. -Matt

  • Vox

    Conficker? What’s that? ;)

    Aren’t you glad I don’t deal with windows boxes? lol! I had a call today asking me about Conficker…my answer? “Uhm…I’m your linux support, I don’t care about viruses, those are only your windows people’s nightmares” :)

    I love when this stuff happens…it allows me to gloat massively! :)

  • notVox

    Vox,

    Don’t get lippy, there are viruses for Linux – and they would proliferate if we taunt the people to write them. Count your blessings that they focus on Mr. Softy but don’t fool yourself, they can write this stuff for any platform.

    L8tr

  • Vox

    Yup, there are virii (viruses? virus? whatever) for linux…last epidemic like this we had was…5 years ago or so? And windows gets one of these every couple of months in a small scale, and a huge one every year or so.

    Remember….security isn’t running faster than the tiger…it’s running faster than the guy that’s running from the tiger besides you :)

  • Mac is a prettier linux it seems and doesn’t suffer from cornfinger or whatever the heck it is Handy was rambling about :P .

    I recently discovered some windows machines at work who hadn’t patched since the Daylight Savings Time patch came out YEARS ago… I’m scared to ask if anybody has scanned them for cornfinger. In theory they don’t go online, in practice I know better. Still scared to ask if they’ve been checked.

    • Egads, if they needed the DST patch, are they Windows 2000?!? The good news is, microsoft is still pushing Win2k patches (omg I know, right?!?) and I think the conficker issue was addressed by one (too lazy to check right now, but I’m pretty sure it was).

  • I wrote a small script that parses the nmap output and uses nbtscan to retrieve the netbios name and outputs vulnerable / infected machine in comma delimited format. It works well for us, hope it helps!

    Download:
    http://jdltech.com/conficker/

  • [...] few months ago I shared some information about checking for Conficker with nmap. Unfortunately, it turns out that post was out of date [...]
