Tuesday, March 31, 2009

Preparing for Conficker's April 1st

Whether or not it will prove to have justified the effort, Conficker has kept many of us fairly busy over the past few weeks. When the news broke late last weekend that machines infected with Conficker were, at least for the time being, detectable over the network, many vulnerability scanners started running 24/7.

My own group was no exception; we are a paying Tenable customer and we were able to get a handle on the Nessus plugin right away.

When we had not found a single detection after nearly 24 hours of scanning, we started to get a little worried. While we believe that we are doing a fairly good job at keeping our endpoints patched and firewalled, it was (and still is) hard to believe that we did not have a single infection on our network.

The only way to tell for sure if our scans were effective was by creating a controlled experiment. To do so, I took a virtual machine running Windows XP that was vulnerable to Conficker, and then downloaded the malware to the box and purposefully infected it. With some creative Googling, figuring out where to go for the malware sample and how to get it running was not that hard.

After infecting my machine in a controlled lab environment, it was time for the real test: would our scanners detect it? The answer is yes, they did.

The Nmap scan ran beautifully:

Host 192.168.222.5 appears to be up ... good.
Scanned at 2009-03-31 15:49:03 EDT for 0s
Interesting ports on 192.168.222.5:
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
MAC Address: 00:0C:29:A5:FE:4B (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: Likely INFECTED
|_ regsvc DoS: FIXED
Final times for host: srtt: 1244 rttvar: 4015 to: 100000
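When a sweep like this runs around the clock, nobody reads the raw Nmap output by hand; the useful artifact is a per-host verdict. The following parser is an added example and is not code from the original post. It reads Nmap's normal output in the form shown above, pulls the smb-check-vulns results for each host, and sorts hosts into infected, unpatched and needs-rescan buckets. The embedded sample contains the post's own lab-VM result verbatim plus a second, constructed clean host; the exact status strings for a clean host are an assumption, so the checks look for substrings ("INFECTED", "VULNERABLE", "NOT ...") rather than exact matches. The host-header regex also accepts the newer "Nmap scan report for ..." line, which is my own generalisation beyond the 2009 output format on the page.

```python
"""Triage Nmap smb-check-vulns output from a Conficker sweep (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the first host is the post's infected lab VM verbatim,
# the second is a made-up clean host (its status strings are assumed).
SAMPLE_NMAP_OUTPUT = """\
Host 192.168.222.5 appears to be up ... good.
Scanned at 2009-03-31 15:49:03 EDT for 0s
Interesting ports on 192.168.222.5:
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack
MAC Address: 00:0C:29:A5:FE:4B (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: LIKELY VULNERABLE (host stopped responding)
| Conficker: Likely INFECTED
|_ regsvc DoS: FIXED
Final times for host: srtt: 1244 rttvar: 4015 to: 100000

Host 192.168.222.9 appears to be up ... good.
Interesting ports on 192.168.222.9:
PORT STATE SERVICE REASON
445/tcp open microsoft-ds syn-ack

Host script results:
| smb-check-vulns:
| MS08-067: NOT VULNERABLE
| Conficker: Likely CLEAN
|_ regsvc DoS: NOT VULNERABLE
"""

# Old-style "Host X appears to be up" header, or the newer
# "Nmap scan report for name (ip)" / "Nmap scan report for ip" header.
HOST_RE = re.compile(
    r"^(?:Host (?P<old>\S+) appears to be up"
    r"|Nmap scan report for (?:\S+ \()?(?P<new>\d+(?:\.\d+){3})\)?)"
)
# NSE script output lines look like "| key: value" or "|_ key: value".
SCRIPT_LINE_RE = re.compile(r"^\|_?\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class HostResult:
    ip: str
    checks: Dict[str, str] = field(default_factory=dict)  # e.g. {"Conficker": "Likely INFECTED"}

    def conficker_infected(self) -> bool:
        return "INFECTED" in self.checks.get("Conficker", "").upper()

    def ms08_067_unpatched(self) -> bool:
        status = self.checks.get("MS08-067", "").upper()
        return "VULNERABLE" in status and not status.startswith("NOT")

    def needs_rescan(self) -> bool:
        # "(host stopped responding)" records that the intrusive MS08-067 probe
        # hung the SMB service; the verdict is still usable, but the host should
        # be scanned again before anyone reports it as patched.
        return "STOPPED RESPONDING" in self.checks.get("MS08-067", "").upper()


def parse_nmap_output(text: str) -> List[HostResult]:
    """Return one HostResult per host header found in Nmap normal output."""
    hosts: List[HostResult] = []
    current: Optional[HostResult] = None
    in_block = False  # inside the "| smb-check-vulns:" result block
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = HostResult(ip=m.group("old") or m.group("new"))
            hosts.append(current)
            in_block = False
            continue
        if current is None or not line.startswith("|"):
            in_block = False  # any non-script line ends the block
            continue
        m = SCRIPT_LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "smb-check-vulns":
            in_block = True
            continue
        if in_block:
            current.checks[key] = value
            if line.startswith("|_"):  # last line of the script's output
                in_block = False
    return hosts


def triage(hosts: List[HostResult]) -> Dict[str, List[str]]:
    """Bucket hosts the way an on-call engineer would want them listed."""
    report: Dict[str, List[str]] = {"infected": [], "unpatched": [], "rescan": [], "no_result": []}
    for h in hosts:
        if not h.checks:  # port 445 closed/filtered, or the script did not run
            report["no_result"].append(h.ip)
            continue
        if h.conficker_infected():
            report["infected"].append(h.ip)
        if h.ms08_067_unpatched():
            report["unpatched"].append(h.ip)
        if h.needs_rescan():
            report["rescan"].append(h.ip)
    return report


if __name__ == "__main__":
    for bucket, ips in triage(parse_nmap_output(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{bucket}: {', '.join(ips) or '-'}")
```

In practice the text would come from `nmap -oN` files written by the scheduled sweep; a host that appears in the "rescan" bucket is worth a second pass, because the MS08-067 check is the one that knocks the SMB service over and a hung host will not answer the next probe at all.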

Since the test machine was a virtual machine attached only to a host-only virtual network in a VMware Workstation installation, getting Nessus to scan the box was a little more challenging.

Fortunately, nodes on a host-only network are still reachable from the host operating system, so setting up a simple SSH tunnel to the Nessus server, with a remote forward connecting port 445 on the server to port 445 on the infected machine, turned out to be trivial.

Never underestimate the ability of a single SSH client to bridge separate networks.

After bridging the VMware host-only network to the Nessus server, the vulnerability scan was launched and the IP address of the host turned red almost immediately. Great, Nessus detects it too!

We repeated the checks a few more times with different configurations of the guest operating system, and all scans came back reliably.

All in all, I feel fairly good about what may happen tomorrow. Is there potentially still a large problem? Sure there is. Do I think we are ready to respond when a problem does manifest itself? We'll see, but I think we're in good shape.

As the date line continues to move closer, I'll be watching Twitter, the blogosphere and several mailing lists to see if the end of the Internet is indeed approaching. If so, thank you for reading this blog.

If the Internet does continue to function a little while longer, I look forward to my next post :)
