Friday, May 22, 2009

Botnets succeed with the basics

On April 1st we thought the Conficker botnet would unload a maelstrom on us. It didn't.

Although many countries recognize this as a day of pranks, Conficker is a worldwide infection and most of its victims couldn't care less about April Fools' Day. The prank, however, is starting to become clear to researchers.

Turns out, some of the major variants of the malware are selling people fake security software (1). Basic social engineering meets a vulnerability that has a patch (MS08-067). In fairness, the vulnerability was once a 0-day (day zero of vendor awareness), but as of January 2009 many systems remained unpatched (2). For more information, please take a moment to read the links below, and visit the CVE (3) and working group (4) pages for the infection.

These are the fundamentals we discuss in the CEH class. The variables of any attack will change: the exploit, the access, and the vulnerability. The fundamentals are like a musician learning to play scales. They are basics, they work, and they are still the tune played in every attack.

To scan for Conficker, download the latest version of Nmap and run the following command:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 IP

(Where IP is the address of the target being scanned.)
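When that command is run against a whole subnet rather than a single IP, the useful part of the output is the per-host smb-check-vulns block, and a responder needs to separate hosts that look infected from hosts that are merely unpatched and from hosts that were never actually checked (ports filtered, host down). The following Python script is an added example, not code from the original post or from the Nmap project: it parses Nmap's normal text output and triages hosts into those buckets. The sample output embedded in it is constructed to resemble the format smb-check-vulns prints (host addresses and results are made up); the result strings it keys on ("Likely INFECTED", "VULNERABLE", "CHECK DISABLED") are the ones the script is assumed to emit, and in safe=1 mode the MS08-067 check is assumed to report itself disabled rather than return a verdict.

```python
import re
from typing import Dict, List

# Constructed sample of Nmap normal output (as written by -oN or to the
# terminal) for four hosts scanned with --script=smb-check-vulns. The
# addresses are from the documentation range and the verdicts are made up
# so the triage logic below has every case to exercise.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|    MS08-067: VULNERABLE
|_   Conficker: Likely INFECTED

Nmap scan report for 192.0.2.11
Host is up (0.0020s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|    MS08-067: NOT VULNERABLE
|_   Conficker: Likely CLEAN

Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
PORT    STATE    SERVICE
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap scan report for 192.0.2.13
Host is up (0.0040s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|    MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_   Conficker: Likely CLEAN
"""

# Start of a per-host section in Nmap normal output.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# One smb-check-vulns result line; "|  " is a continuation line and "|_ "
# the last line of a script's output, so accept either prefix.
CHECK_RE = re.compile(r"^\|[_ ]\s*(MS08-067|Conficker):\s*(.+?)\s*$")


def parse_smb_check_vulns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each scanned host to the smb-check-vulns verdicts printed for it.

    Hosts whose section carries no script output map to an empty dict, so
    the caller can tell "not checked" apart from "checked and clean".
    """
    results: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            results[current] = {}
            continue
        check = CHECK_RE.match(line)
        if check and current is not None:
            results[current][check.group(1)] = check.group(2)
    return results


def triage(results: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Sort hosts into the buckets a responder handles differently.

    infected  - Conficker check says "Likely INFECTED": isolate and clean.
    unpatched - not infected but MS08-067 reported VULNERABLE: patch now.
    unchecked - no script output at all (filtered ports, host down): the
                scan says nothing about this host, so it must be revisited.
    clean     - checked, no infection, no confirmed vulnerability.
    """
    buckets: Dict[str, List[str]] = {
        "infected": [], "unpatched": [], "unchecked": [], "clean": []
    }
    for host, checks in sorted(results.items()):
        if not checks:
            buckets["unchecked"].append(host)
        elif checks.get("Conficker", "").startswith("Likely INFECTED"):
            buckets["infected"].append(host)
        elif checks.get("MS08-067") == "VULNERABLE":
            buckets["unpatched"].append(host)
        else:
            buckets["clean"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(parse_smb_check_vulns(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{bucket:10s} {len(hosts):3d}  {' '.join(hosts)}")
```

To use it on a real scan, save the Nmap output with -oN and feed that file to parse_smb_check_vulns instead of the embedded sample. The "unchecked" bucket is the one most often overlooked: a host that drops 139/445 at a firewall shows up in the scan with no verdict, and treating silence as clean is how infected hosts survive a sweep.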

Links:

(1) http://www.darknet.org.uk/2009/04/conficker-finally-awakes-dumps-payload/
(2) http://en.wikipedia.org/wiki/Conficker
(3) http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
(4) http://www.confickerworkinggroup.org/wiki/
