AU-2009.0013 -- AusCERT Update - [Win] - Update on Conficker/Downadup mitigation methods - Network scanning tools now available

Date: 30 March 2009
References: AL-2009.0021
AusCERT Update AU-2009.0013 - [Win]
Update on Conficker/Downadup mitigation methods - Network scanning tools now available
31 March 2009

AusCERT Update Summary
----------------------
Operating System: Windows
Impact:           Execute Arbitrary Code/Commands
Access:           Remote/Unauthenticated
CVE Names:        CVE-2008-4250
Ref:              AL-2009.0021

OVERVIEW:

Mass scanning of networks for the presence of Windows machines infected with the Conficker/Downadup worm is now possible thanks to the discovery of a unique signature that an infected machine presents. [1] As the Conficker/Downadup worm is due to become active on April 1, this discovery provides a far easier way to locate and fix infected machines before the activation date.

IMPACT:

Several network scanning tools have been updated to include the ability to scan for the unique fingerprint presented by Windows machines infected with the Conficker/Downadup worm. Among them:

* Nmap [2]
* Nessus [3]
* McAfee Foundstone Enterprise [4]
* nCircle [5]
* Qualys [6]

Other network scanners and stand-alone scanning tools are expected to appear shortly with the same capabilities. [7]

MITIGATION:

Each network scanner works differently, but they all possess the same information on the Conficker/Downadup network signature. Outlined below is the procedure for using the widely deployed tool Nmap to scan for infected machines.

************************************************************************
*                                                                      *
* WARNING - Scanning for the Conficker/Downadup signature does contain *
* a small risk of crashing Windows computers that have not had the     *
* MS08-067 [8] patch installed. Please ensure you weigh the risks of   *
* scanning the network before proceeding.                              *
*                                                                      *
************************************************************************

* nmap 4.85BETA5 contains the patch to scan for the Conficker/Downadup signature. This can be downloaded from the nmap website as either source or precompiled binaries for Windows and Linux. [9]

* An example command for scanning a network for Conficker/Downadup infected machines:

    nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d -oA conficker_scan

* Other options may also be used, such as -PN to skip host-up detection. This is useful in environments where hosts may not respond to ICMP packets.

* Once infected machines have been identified, action may be taken to either remove these machines from the network or attempt to clean them using available removal tools. The following vendors have Conficker/Downadup removal tools available:

  * F-Secure [10]
  * BitDefender [11]
  * AhnLab [12]
  * ESET [13]
  * Kaspersky [14]
  * McAfee [15]
  * Microsoft [16]
  * Sophos [17]
  * Symantec [18]
  * TrendMicro [19]

* NOTE: The URLs for the removal tools have been linked by IP address where possible to help those already infected with Conficker/Downadup, as the worm will block a majority of domains associated with these vendors.

REFERENCES:

[1] Taming Conficker, The Easy Way - Doxpara Research
    http://www.doxpara.com/?p=1285
[2] Nmap - Free Security Scanner For Network Exploration & Security Audits
    http://nmap.org/
[3] Tenable Network Security - Nessus
    http://www.nessus.org/nessus/
[4] McAfee - enterprise - McAfee Foundstone Enterprise
    http://www.mcafee.com/us/enterprise/products/risk_management/foundstone_enterprise.html
[5] nCircle
    http://www.ncircle.com/
[6] Qualys, Inc. - On Demand Vulnerability Management and Policy Compliance
    http://www.qualys.com
[7] Tools, Tools, Tools - Doxpara Research
    http://www.doxpara.com/?p=1291
[8] AusCERT - AL-2008.0110
    http://www.auscert.org.au/10008
[9] Download the Free Nmap Security Scanner for Linux/MAC/UNIX or Windows
    http://nmap.org/download.html
[10] F-Secure Malware Removal Tool
     ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
[11] BitDefender Removal Tool
     http://66.223.50.102/site/Downloads/downloadFile/1584/FreeRemovalTool
[12] AhnLab Removal Tool
     http://global.ahnlab.com/global/file_removeal_down.jsp?filename=123718304758%2021&down_filename=v3conficker.zip
[13] ESET Removal Tool
     http://93.184.71.5/special/EConfickerRemover.exe
[14] Kaspersky Removal Tool
     http://85.12.57.68:8080/special/KKiller_v3.4.1.zip
[15] McAfee Removal Tool
     http://67.97.80.71/vil/stinger/
[16] Microsoft Malicious Software Removal Tool
     http://207.46.192.254/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
[17] Sophos Removal Tool
     http://www.sophos.com/products/free-tools/conficker-removal-tool.html
[18] Symantec FixDownadup.exe Notes
     http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
[19] TrendMicro Removal Tool
     http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip

AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
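The -oA conficker_scan option in the MITIGATION section writes, among other files, conficker_scan.xml. The following script, added here as an illustration and not AusCERT's or the Nmap project's code, parses that XML and turns the smb-check-vulns results into a remediation worklist; the sample XML is constructed, and the "Conficker: ..." result lines it contains are an assumption about the script's output wording, so adjust CONFICKER_LINE if your nmap version phrases it differently.

```python
"""Turn nmap's conficker_scan.xml into a list of hosts to isolate or clean.
Added example, not AusCERT's or nmap's code; the result-line format is assumed."""
import re
import xml.etree.ElementTree as ET

# Assumption: smb-check-vulns reports a line starting with "Conficker:".
CONFICKER_LINE = re.compile(r"Conficker:\s*(.+)")

# Constructed sample report for three hosts (not output of a real scan):
# one flagged, one clean, one where port 445 was filtered so no script ran.
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
  <hostscript><script id="smb-check-vulns"
   output="&#10;MS08-067: NOT RUN&#10;Conficker: Likely INFECTED&#10;regsvc DoS: NOT RUN"/>
  </hostscript></host>
 <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
  <hostscript><script id="smb-check-vulns"
   output="&#10;MS08-067: NOT RUN&#10;Conficker: Likely CLEAN&#10;regsvc DoS: NOT RUN"/>
  </hostscript></host>
 <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
 </host>
</nmaprun>"""


def classify_hosts(xml_text):
    """Return {ip: verdict}; hosts with no smb-check-vulns result get 'NO RESULT'
    so they are not silently treated as clean (e.g. 445 filtered or host down)."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        verdict = "NO RESULT"
        for script in host.iter("script"):
            if script.get("id") == "smb-check-vulns":
                m = CONFICKER_LINE.search(script.get("output", ""))
                if m:
                    verdict = m.group(1).strip()
        results[addr.get("addr")] = verdict
    return results


def infected_hosts(xml_text):
    """Sorted IPs whose verdict mentions INFECTED: the isolate/clean worklist."""
    return sorted(ip for ip, v in classify_hosts(xml_text).items() if "INFECTED" in v)


if __name__ == "__main__":
    for ip, verdict in classify_hosts(SAMPLE_XML).items():
        print(f"{ip:16} {verdict}")
    print("Isolate/clean:", ", ".join(infected_hosts(SAMPLE_XML)))
```

Hosts reported as NO RESULT should be rescanned (for example with -PN, as the bulletin notes) rather than assumed clean.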