This just came in: you can scan a network for Conficker infections because of the way Conficker patches the vulnerability it exploits.
First and foremost, there is no reason to panic. On April 1st Conficker will start scanning for C&C servers and trying to download content. Nothing more, nothing less. There may be content on those servers, but there does not have to be. Content might be pushed on the 14th of April, or the 30th of June; nobody other than the Conficker authors knows. What is important, however, is to get rid of your infected machines before this happens.
- Download the Python based scanner (credit: Uni Bonn) or the Python2Exe build
- Nessus plugin 36036 (see the blog post)
- Nmap, latest SVN: 1) Install the latest development build of nmap, 4.85Beta4, from here. 2) Retrieve this package, extracted from SVN, and merge it into your c:\Program Files\nmap directory. (Credit: Doxpara.com)
- CVE: CVE-2008-4250
- Conficker infects a host through an older vulnerability (MS08-067) that is exposed over MSRPC (the NetpwPathCanonicalize function)
- Conficker patches the vulnerability in memory so that nobody else (including Conficker itself) can exploit it
- The in-memory patch differs from the official one from Microsoft and returns a different response to a specific query.
- Request: server = 'a' * 1 + '\0\0\0'; path = '\x5c\0\x2e\0\x2e\0\x5c\0\0\0\0\0'
- Answer if infected: result Par#1 = 0x5c450000 and result Par#3 = 0x00000057
- Uni Bonn has reverse engineered the PRNG for variants A, B and C
- Tool and source code can be downloaded here
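As an added example (not the Uni Bonn scanner's code nor anything from this post), the Python below marshals the two probe strings given above as NDR wide strings, the way a scanner would place them in the NetpwPathCanonicalize request, and matches a pair of decoded result parameters against the infected signature. The DCE-RPC bind and the SMB transport that carry the call are assumed to be supplied separately; only the encoding and the response check are shown.

```python
import struct

# Probe strings from the post: server name 'a' and the path "\..\", both sent
# as null-terminated UTF-16LE strings (the post lists them as raw bytes).
SERVER_NAME = "a"
PROBE_PATH = "\\..\\"

# Response signature the post attributes to Conficker's in-memory patch.
INFECTED_PAR1 = 0x5C450000
INFECTED_PAR3 = 0x00000057


def ndr_wstring(s: str) -> bytes:
    """Encode s as an NDR conformant and varying wide string ([string] wchar_t*):
    max_count, offset, actual_count as little-endian uint32 (counts include the
    terminating null), then the UTF-16LE characters, padded to a 4-byte boundary."""
    data = s.encode("utf-16-le") + b"\x00\x00"
    count = len(data) // 2
    body = struct.pack("<III", count, 0, count) + data
    return body + b"\x00" * (-len(body) % 4)


def probe_strings() -> dict:
    """Raw UTF-16LE form of both probe strings, for comparison with the post."""
    return {
        "server": SERVER_NAME.encode("utf-16-le") + b"\x00\x00",
        "path": PROBE_PATH.encode("utf-16-le") + b"\x00\x00",
    }


def request_stub_strings() -> bytes:
    """Both probe strings marshalled back to back as they would sit in the stub."""
    return ndr_wstring(SERVER_NAME) + ndr_wstring(PROBE_PATH)


def classify_result(par1: int, par3: int) -> str:
    """Interpret the two result parameters named in the post. Only the infected
    signature is documented there, so anything else is reported as not matching
    rather than guessed at (a clean host still needs its patch level checked)."""
    if par1 == INFECTED_PAR1 and par3 == INFECTED_PAR3:
        return "conficker-in-memory-patch"
    return "no-conficker-signature"


if __name__ == "__main__":
    print(request_stub_strings().hex())
    # Constructed sample: the values the post says an infected host returns.
    print(classify_result(0x5C450000, 0x57))
```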