indexphinger

Let's kick Conficker's ass!

60 posts in this topic

Wow.

Judging from the fact that writing exploits is part of legitimate research for security firms, writing them shouldn't be illegal. I'd have to say using them on any gear other than your own is and should be; however, writing them and testing them is a necessary part of vulnerability confirmation:

If you discover a vulnerability in code, you are not 100% sure it's vulnerable until you have written a test exploit. Even though this may only echo "I am vulnerable" back to the attacker, you've gotta do it as a researcher. Just part of life.

Secondly, while I agree that viruses released into the public are both hazardous and problematic, and that releasing them to the public should be highly illegal:

Many distributed computing systems and artificial intelligence research machines have very worm-like properties in the way they distribute themselves across a network. Technically, because certain behavioral patterns and codes are being copied and quantified, this too can be considered a virus. As a result, I /don't/ think that /writing/ anything should be illegal; simply deploying it into an environment which can allow it to affect anything outside of your own network should be strictly prohibited (and right now, as I see it, is).

In any case, no one likes Conficker, and if you're a researcher with /that much/ time on your hands, it might be worth the $250k to analyze and trace.

Nmap has also made it somewhat easy to pinpoint infected machines. Does have some patch detection bugs though ;)


Hey guys, I just found out something.

I was looking up Conficker A on Wikipedia and found out that it downloads files from "trafficconverter.biz". I'm almost 99% sure this is fake, so someone's defending them. I was thinking we could do an IP check on this website, find out the IP and locate 'em. If it isn't real, then it would be a nice idea to find out who gave them this information and gradually find out more about the sender. What occurred to me was: what if these different types of Conficker are hosted on different computers, with different IPs, somewhere halfway across the globe from here? Our best lead, in my opinion, is Conficker A.

To place it flatly:

We use Wikipedia's information to track down the host of Conficker A.

> Hey guys, I just found out something.
>
> I was looking up Conficker A on Wikipedia and found out that it downloads files from "trafficconverter.biz". I'm almost 99% sure this is fake, so someone's defending them. I was thinking we could do an IP check on this website, find out the IP and locate 'em. If it isn't real, then it would be a nice idea to find out who gave them this information and gradually find out more about the sender. What occurred to me was: what if these different types of Conficker are hosted on different computers, with different IPs, somewhere halfway across the globe from here? Our best lead, in my opinion, is Conficker A.
>
> To place it flatly:
>
> We use Wikipedia's information to track down the host of Conficker A.

You're on the wrong path, but it's okay, I like the way you're approaching it though. We're talking about Conficker variant C. Also, they're constantly spawning new domains to stay anonymous. If it was as simple as whois'ing some IP address they would be behind bars by now. Keep up with the productive mindset though.


I suggest you guys first of all set yourselves some kind of workflow or progress plan before you actually approach the problem.

Here's my prototype:

1. Read about the spreading and control mechanisms of the latest Conficker revision:
   - SecurityFocus
   - Milw0rm
   - Security researchers' blogs
   - Google
   - Wikipedia

2. Get a sample of the virus (hard part)

3. Isolate it on a VM

4. Start working:
   - Unpacking
   - Reverse engineering
   - Extracting socket data
   - Monitoring file-system, registry, sockets, and outbound sniffing
   - Decrypting the IP address or (hopefully) sniffing it - I'd expect connections to fake hosts too, so try to filter out the real one

5. After you've got the host:
   - whois \ ping \ traceroute \ portscan \ nslookup
   - Google
   - Try finding and exploiting known vulnerabilities on services running on the server
   - Connect from different clients to the virus' port with requests identical to the original virus
   - Test buffer overflows and format string vulnerabilities by modifying the original request (big chance the host is vulnerable; the problem is to get the exact bufsize and OS)

6. Install a backdoor and perform file and network analysis on the server. Locate, download and analyze the server executable and other suspected stuff as explained above.

7. Get the address of the next server in the chain.

8. Once you get to root the server, repeat steps 5-7 until the chain ends

9. Report to MS

10. Live happily ever after

How's that for a prototype?

> How's that for a prototype?

Sounds good... except remember (once again) that there are professional security researchers (Ph.D.'s) who have full-time jobs just doing exactly this kind of research, and have far more resources than all of us put together. Not to hate on grassroots efforts or the "little guy"... but if the hardcore professionals aren't making much headway, I would say that the rest of us commoners probably don't have much hope to do any better.

> > How's that for a prototype?
>
> Sounds good... except remember (once again) that there are professional security researchers (Ph.D.'s) who have full-time jobs just doing exactly this kind of research, and have far more resources than all of us put together. Not to hate on grassroots efforts or the "little guy"... but if the hardcore professionals aren't making much headway, I would say that the rest of us commoners probably don't have much hope to do any better.

Now, why would you replace their nice fantasy with hard reality? Kind of harsh, don't you think? And I was finding the "hunt" so entertaining... ;)

> > > How's that for a prototype?
> >
> > Sounds good... except remember (once again) that there are professional security researchers (Ph.D.'s) who have full-time jobs just doing exactly this kind of research, and have far more resources than all of us put together. Not to hate on grassroots efforts or the "little guy"... but if the hardcore professionals aren't making much headway, I would say that the rest of us commoners probably don't have much hope to do any better.
>
> Now, why would you replace their nice fantasy with hard reality? Kind of harsh, don't you think? And I was finding the "hunt" so entertaining... ;)

All we need is someone who works at a patent office with a little spare time on their hands ^_^

Just because someone may be the "little guy" doesn't mean that they won't find something new.


I currently have Conficker trapped on an isolated drive.

Will post more about my findings at a later time.

Edited by Obika