Conficker spreads mostly by exploiting a security vulnerability in Microsoft Windows systems, one that the software giant issued a patch to fix last October - just days before the first version of Conficker struck. Experts have known for some time now that Conficker applies its own version of that patch shortly after infecting a host system. This tactic not only prevents other malicious software from infiltrating the host via that vulnerability, but it also makes it difficult for system administrators to find potentially infected systems simply by scanning their networks for PCs that are missing that critical software update.
But according to research to be published later this week by the Honeynet Project, a volunteer organization that tracks Internet attacks, the Conficker worm doesn't completely close the hole that allows it to wiggle into infected systems in the first place.
"Prior to our research, it was believed when Conficker infected computers, it patched them, so that one could not tell who's infected and who's not, and any vulnerable computer that was already infected was considered not vulnerable," Honeynet founder Lance Spitzner said.
The implications of this discovery were not lost on members of the so-called Conficker Cabal, a group of security researchers, academics and policymakers who have been toiling to block Conficker from updating itself with an unknown software component, as the millions of infected systems are programmed to do on April 1.
Dan Kaminsky, director of penetration testing for Seattle-based security firm IOActive, said the group realized very quickly that the weakness in Conficker's patch for the Microsoft flaw would make it far easier for network administrators to distinguish a Conficker-patched system from a host that is protected by Microsoft's official patch.
Over the weekend, the Cabal worked with the curators of a half-dozen organizations that maintain software vulnerability scanning tools, to help them build updates that would enable their tools to distinguish between Windows systems equipped with the official and rogue security patch. As a result, the new detection should be available now in free vulnerability scanners such as Nmap, as well as vendor-driven scanning tools from Tenable, McAfee, nCircle and Qualys.
"Until now, there really hasn't been an easy and reliable way for network admins to find out how infected their networks are," Kaminsky said. "These scanning tools now provide a no-fuss way to find out over the time it takes to have lunch whether or not April 1 is going to be a bad day for your network."
Through the use of a secret encryption key, the Conficker authors have successfully prevented other criminals from hijacking millions of infected systems, a common practice among criminal groups that control large groupings of hacked PCs - also known as "botnets."
But Spitzner said some members of the Conficker Cabal worry that the publication of specific details about the bungled patch could give criminal gangs the instructions they need to evade those built-in protections and assume control over chunks of the Conficker botnet. Alternatively, well-intentioned experts might release a worm that uses the flaw in the bogus patch to uninstall Conficker from host systems.
Such an "anti-worm" might well be more destructive than the Conficker worm itself, Kaminsky said.
"You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you're trying to fight," Kaminsky said. "No one can play counter-worm very well."
Indeed, in 2004, the Welchia (or Nachi) worm sought to remove the "Blaster" worm, an epidemic that affected far more systems than Conficker (oddly enough, through a remarkably similar Windows security flaw). Welchia, initially dubbed a "good worm," was later found to have caused far more damage than Blaster ever did.
Microsoft takes plenty of lumps when bad guys find and exploit security holes in its software. Yet, Conficker's weakness shows even the best criminal programmers make mistakes.
The discovery also highlights the inherent weaknesses present in almost all third-party security updates. In recent years, a number of security experts have developed handmade patches to provide stopgap protection against holes in widely used software, until the vendors can ship an official update.
But those updates typically are produced by people who do not have complete access to the source code for the vulnerable software. As a result, Kaminsky said, those unofficial fixes can introduce a false sense of security.
"If you don't have the source code, chances are you're not going to patch a flaw correctly," Kaminsky said. "The bad guys have so many advantages, and in this case it's actually one disadvantage that we can grab onto."
The white paper detailing the findings of Honeynet Project researchers Tillmann Werner and Felix Leder is expected to be released later this week.
Update, 9:18 p.m. ET: The Honeynet Project paper is available here.
Author: obaby  Source: ☆Obaby's H4cking W0rld☆