Wednesday, April 1, 2009

Custom Detection and Removal Tool

A big April Fools' worm was set up to be activated today, but it seems the worm has left many security experts disappointed. No major havoc has been caused by this worm yet (at least at the time of writing this blog, 12:05 GMT).

For those who suspect their PC is infected with this worm, the easiest way to find out is to visit some security-related websites, for example:

  • www.symantec.com
  • www.microsoft.com
  • www.mcafee.com
  • www.f-secure.com
and so on.

Conficker/Downadup was designed to block the infected machine from visiting these security websites, to prevent victims from finding a solution to remove the worm. For the technical details of how it prevents the machine from visiting these websites (it hooks the Windows API DnsQuery in dnsapi.dll), see:

http://mtc.sri.com/Conficker/addendumC/ <-- This is by far the most thorough analysis I have seen so far :)

The following page from dShield consolidates the detection and removal methods for Conficker/Downadup:

http://www.dshield.org/diary.html?storyid=5860
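A quick host-side check that follows from the DnsQuery hook described above. This is an added example written for this post, not code from the SRI or dShield write-ups: it resolves the vendor names listed earlier plus a neutral control name and flags the selective pattern (control resolves, vendor names fail) that an in-process DNS hook produces, while a dead network fails everything and is reported as such. It assumes the Python process's lookups go through the system resolver path that the hook sits on (ws2_32 to dnsapi.dll on Windows); the control domain and the `min_blocked` threshold are my own choices.

```python
import socket
from typing import Callable, Dict, List

# Domains of the security vendors listed in the post. The worm's DnsQuery hook
# makes lookups for such names fail from inside every process on the infected host.
SECURITY_DOMAINS: List[str] = [
    "www.symantec.com",
    "www.microsoft.com",
    "www.mcafee.com",
    "www.f-secure.com",
]

# Assumption: a neutral domain that is on no vendor block list, used to tell
# "the resolver is being filtered" apart from "the network is down".
CONTROL_DOMAIN = "www.example.com"


def os_resolver(name: str) -> bool:
    """Resolve through the OS resolver (dnsapi.dll on Windows); True on success."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_dns_filtering(resolver: Callable[[str], bool] = os_resolver,
                        min_blocked: int = 2) -> Dict[str, object]:
    """Classify the host's DNS behaviour.

    The resolver is injectable so the logic can be exercised offline; on a
    real host, call it with the default to go through the system resolver.
    The verdict is 'suspicious' only when the control name resolves but at
    least `min_blocked` vendor names do not: selective failure is what an
    in-process DNS hook produces, whereas a dead network fails everything.
    """
    results = {name: resolver(name) for name in SECURITY_DOMAINS}
    control_ok = resolver(CONTROL_DOMAIN)
    blocked = [name for name, ok in results.items() if not ok]
    if not control_ok:
        verdict = "no-dns"        # nothing can be concluded; resolver or network is down
    elif len(blocked) >= min_blocked:
        verdict = "suspicious"    # vendor names fail while a neutral name works
    else:
        verdict = "clean"
    return {"control_ok": control_ok, "blocked": blocked, "verdict": verdict}


if __name__ == "__main__":
    report = check_dns_filtering()
    print(f"verdict={report['verdict']} blocked={report['blocked']}")
```

A "suspicious" verdict is a prompt to run a proper removal tool from clean media, not proof of infection by itself; corporate web filters can produce the same pattern, which is why the control domain is there.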


Using Nmap to Perform Conficker Test

I was attracted by the new Nmap scanning features, which include a script that scans your network to test whether machines are infected with Conficker, thanks to the Honeynet Project (Tillmann Werner and Felix Leder) :D

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [host]

Typical scan result for an infected machine:

Host script results:
| smb-check-vulns:
| MS08-067: FIXED
| Conficker: Likely INFECTED
|_ regsvc DoS: VULNERABLE

The testing was done using Nmap 4.85BETA6.
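When the scan above is run against a whole subnet, reading the "Host script results" block by eye for hundreds of hosts gets old fast. The following parser is an added example (mine, not part of Nmap or of this post) that pulls the smb-check-vulns key/value lines out of Nmap's normal output and lists the hosts reported as infected and the hosts that produced no result at all. The sample output is constructed; it assumes the 4.x "Interesting ports on" host header (the later "Nmap scan report for" form is also accepted) and the `Conficker: Likely INFECTED` / `Likely CLEAN` wording shown above.

```python
import re
from typing import Dict, List

# Constructed sample of Nmap normal output for three hosts scanned with
# --script=smb-check-vulns (assumed format; the third host has SMB closed).
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on 192.0.2.10:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: Likely INFECTED
|_  regsvc DoS: VULNERABLE

Interesting ports on fileserver.corp.example (192.0.2.11):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT VULNERABLE

Interesting ports on 192.0.2.12:
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

# Host header, with an optional "(ip)" when Nmap shows a resolved hostname.
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) (\S+?)(?: \(([\d.]+)\))?:?\s*$")
# One "key: value" line inside a script block ("|_" marks the block's last line).
FIELD_RE = re.compile(r"^\|[ _]\s*([^:]+?):\s*(.+?)\s*$")


def parse_smb_check_vulns(output: str) -> Dict[str, Dict[str, str]]:
    """Map each scanned host (by IP) to the key/value lines of its smb-check-vulns result.

    Hosts with no script section (ports closed, host down) get an empty dict,
    so they show up as 'untested' instead of silently disappearing.
    """
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    in_script = False
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)   # prefer the IP when a hostname is shown
            hosts[current] = {}
            in_script = False
            continue
        if current is None:
            continue
        if line.startswith("| smb-check-vulns:"):
            in_script = True
            continue
        if in_script:
            f = FIELD_RE.match(line)
            if f is None:
                in_script = False                # left the script block
                continue
            hosts[current][f.group(1)] = f.group(2)
            if line.startswith("|_"):
                in_script = False
    return hosts


def likely_infected(hosts: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts whose Conficker line contains INFECTED, sorted for stable reporting."""
    return sorted(h for h, fields in hosts.items()
                  if "INFECTED" in fields.get("Conficker", "").upper())


def untested(hosts: Dict[str, Dict[str, str]]) -> List[str]:
    """Hosts that produced no Conficker verdict at all and need another look."""
    return sorted(h for h, fields in hosts.items() if "Conficker" not in fields)


if __name__ == "__main__":
    parsed = parse_smb_check_vulns(SAMPLE_NMAP_OUTPUT)
    print("likely infected:", likely_infected(parsed))
    print("untested:", untested(parsed))
```

Feed it the output of the nmap command above (for example `nmap ... -oN scan.txt` and then `parse_smb_check_vulns(open("scan.txt").read())`). The "untested" list matters as much as the infected one: a host with 445 closed may simply be firewalled, and the worm can still be on it.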

Signing off
~x9090

2 comments:

Lim Fang-Yin said...

My colleague's pc was infected by Conficker somewhere in February.
He said that running netstat would reveal that the PC is trying to establish connections to all known hosts on the network, thus exhausting the available ports.

Btw, nice blog you have here.

x9090 said...

Thanks for the comment!

Yeah, once a PC is infected with Conficker, it will constantly send specially crafted RPC packets over TCP 445 to find any vulnerable machine. This is one of its spreading methods.

The only way to remove it is to rely on those custom removal tools, as the AVs cannot remove it successfully even though they can detect it.

I found this useful for preventing the spread of the worm, though some will suggest installing a portable AV on your flash drives, which I think is troublesome:

http://milw0rm.com/papers/314

Basically, the idea of this article is to make the autorun.inf "inaccessible". I found that it can be easily removed when you attach the drive to a *nix machine. Nevertheless, it is still useful for preventing the spread of worms on Windows.

Enjoy!!

Signing off
~x9090
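The netstat symptom Lim Fang-Yin describes in the comments (connections attempted to every host on the network) and the TCP 445 RPC spraying x9090 mentions are the same thing seen from two angles, and they make a cheap detection rule. The script below is an added example written for this post, not something from the thread: it parses `netstat -an` text in the Windows layout and reports local addresses that have half-open (SYN_SENT) connections to port 445 on many distinct remote hosts. The capture is constructed, and the threshold of 20 distinct targets is my own choice.

```python
from typing import Dict, List, Tuple

Conn = Tuple[str, str, int, str]   # (local ip, remote host, remote port, state)


def _synthetic_netstat() -> str:
    """Build a constructed `netstat -an` capture (Windows layout): a few normal
    rows plus one host half-opening TCP 445 connections to 40 neighbours."""
    header = (
        "Active Connections\n\n"
        "  Proto  Local Address          Foreign Address        State\n"
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
        "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING\n"
        "  TCP    192.0.2.50:1041        198.51.100.7:80        ESTABLISHED\n"
        "  TCP    192.0.2.50:1042        192.0.2.200:445        ESTABLISHED\n"
        "  TCP    192.0.2.50:1043        198.51.100.9:80        SYN_SENT\n"
        "  UDP    0.0.0.0:137            *:*\n"
    )
    sweep = "".join(
        f"  TCP    192.0.2.50:{1100 + i:<5}      192.0.2.{1 + i}:445          SYN_SENT\n"
        for i in range(40)
    )
    return header + sweep


SAMPLE_NETSTAT = _synthetic_netstat()


def parse_netstat(text: str) -> List[Conn]:
    """Extract TCP rows from `netstat -an` text; headers and non-TCP rows are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        _, local, remote, state = parts
        local_ip = local.rpartition(":")[0]          # rpartition also copes with [::1]:445
        remote_host, _, remote_port = remote.rpartition(":")
        if not remote_port.isdigit():
            continue
        conns.append((local_ip, remote_host, int(remote_port), state))
    return conns


def find_sweepers(conns: List[Conn], port: int = 445,
                  min_targets: int = 20) -> Dict[str, int]:
    """Local IPs with SYN_SENT connections to `port` on at least `min_targets`
    distinct remote hosts, mapped to that count.

    Counting distinct targets rather than raw rows is the point: one stuck
    file-server connection is noise, forty different neighbours is a sweep.
    """
    targets: Dict[str, set] = {}
    for local_ip, remote_host, remote_port, state in conns:
        if remote_port == port and state == "SYN_SENT":
            targets.setdefault(local_ip, set()).add(remote_host)
    return {ip: len(hosts) for ip, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    print(find_sweepers(parse_netstat(SAMPLE_NETSTAT)))
```

On a suspect machine, `netstat -an > ns.txt` followed by `find_sweepers(parse_netstat(open("ns.txt").read()))` gives the same verdict; the same count can also be taken from a perimeter firewall log, where it catches the infected host even when its own tools have been tampered with.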