This just came in: you can scan a network to detect confiker infections due to the way confiker patched the vulnerability.

First and foremost, there is not reason to panic. Confiker will start on April first to scan for C&C command servers and try to download content. Nothing more, nothing less. There may be content on servers, but this is not necessary. It might be that content is pushed on the 14th of april, or the 30 of june, nobody else than the confiker authors know. What is important however is to get rid of your infected machines before this happens.

Network Scanners

Information about conficker.c


Vulnerability Details
How is scanning for infected hosts possible ? :
  • Confiker infects a host through an old vulnerability (MS08-067) that is exposed over MSRPC (NetpwPathCanonicalize function)
  • Confiker patches the vulnerability in memory so nobody else (and itself) can exploit it
  • The in memory patch is different than the official one form Microsoft and exhibits a different reponse to a specific query.
Details :
  • Request server = 'a' * 1 + '\0\0\0' + path = '\x5c\0\x2e\0\x2e\0\x5c\0\0\0\0\0'
  • Answer if infected : Result Par#1 = 0x5c450000 and result Par# 3 =0x00000057
What domains are generated each day ?
  • Uni Bonn has reversed engineered the PRNG for the variants A,B,C
  • Tool and source code can be downloaded here
Have questions related to conficker ? Confiker workgroup

Subscribe to the RSS feed for more updates : RSS


Post a Comment