Along with the rise of Swine Flu (Swine Flu) that infect humans and, according to the WHO already at level 4 crunch, airports around the world instantly on alert to monitor the passengers from Mexico and the United States.
If the world were a source of the spread of a computer virus is a virus-infected file, then in the real world, which is infected with the virus and become a means of spreading the virus is human. Because it applying airports scanning passengers suspected of having the flu by using body temperature scanners because people with the flu (of any kind) must have experienced an increase in body temperature because the body reacts to a foreign virus entry. Actually, the principle is the same in the computer world, when airports use the body temperature scanners at the airport are internet routers and applications that are used instead of human body scanners but Firewall. But there is one advantage possessed by the world of IT than the human world (when compared) today, where the human world is not possible (very difficult and expensive) to be able to monitor the whole man in the city and determine who is infected with flu. If the world of IT we can use a special scanner to detect which machines are infected with the virus so it can be anticipated that a quick and effective way to deal with the virus.
After conducting tests on some tools to eradicate Conficker, the next step is the most crucial if you are a network administrator to identify which machines are infected with the virus and tried to spread the virus. Therefore, Vaksincom perform testing for computer tools to detect Conficker infected tissue and attempt to spread to computers in the network. If we just do the cleaning on one computer alone would not be a problem, but what if the infected computer in your network, but you do not know which machine is infected, because computers sometimes infect our network unexpected, such as notebook computers are often taken home by leadership or part that is often foreign service. Moreover, if we convict a particular computer is infected with viruses, of course, we have to have evidence.
Conficker and symptoms (in the network ....).
If the symptoms described earlier mega conficker test on the computer they will be, so this time we have to know the what conficker impact on the network, as follows:
- Tried to download and try out access to 250 domains (Conficker B) or 50,000 domain (Conficker C) are random. Here are some random domains TSB:
- Attempted access to a common domain to check the current time. Some of the domain are:
- This virus is basically trying to make the distribution through the windows share using the default port 445, but other than that Conficker also uses port 1024 s / d 10,000 to make the distribution on a computer network.
The Tools, Conficker Detection Network .
Of several existing tools, Vaksincom do some testing tools that are familiar and frequently used. Tools TSB issued by several security vendors to help facilitate the detection of Conficker attack on your network.
Here are some tools that are available as follows:
Wireshark / Ethereal is one of the many tools Network Analyzer are widely used by network administrators to analyze network performance and also the mainstay tools Vaksinis (Vaksincom technician). Wireshark much preferred because interfaces that use Graphical User Interface (GUI) or a graphic display. Wireshark is able to capture packets of data / information that milling in the network's find out. All types of packet protocols of information in various formats will be easily captured and analyzed. Tools are available in various versions of the OS, such as Windows, Linux, Macintosh, etc..
At the beginning of the emergence and development of Conficker, this tool is the pioneer of the tools used by some security vendors to analyze packets of data / information in a network of Conficker attack. You can download Wireshark on http://www.wireshark.org/download.html.
At the time of installation, pay attention to activate and install the plugin MATE (Meta Analysis Tracing Engine), because it is not activated by default. This plugin can function to filter all data packets of various network protocols in the past. Besides the WinPcap installation process is also included. Perform installation of WinPcap, WinPcap is a driver that is used to read and to filter traffic packet data / information being passed. (See figure 1)
Figure 1, Wireshark in action
Fairly easy to use, when you are running Wireshark, just select the Capture tab and select the Interfaces list. At interfaces capture options, select the appropriate network LAN / Ethernet card and then click the start button. Wireshark also has the ability to scan the computer between segments.
For detection of Conficker, do filter with protocol NBNS (NetBIOS Name Service) then note the info provided, generally NBNS hostname will read the computer but if NBNS read than hostname computers in this case are the domains targeted by Conficker, then they will be a source IP infected computer and trying to deploy and update itself.
- Nmap (Network Mapper)
Nmap (Network Mapper) is a network exploration tool and exclusively into one of the frequently used by network administrators. With our Nmap can perform a search to the entire network and find out what services are active on specific ports. Nmap is one of the most widely used tools for network scanning and renowned as a multi-platform tool, fast and lightweight. Nmap runs on all OS types, both console and graphical mode. Amazingly, not like Wireshark, Nmap scan in MS08-067 vulnerability exploited by Conficker that can help administrators determine that any computer that still has vulnerabilities that can be exploited by Conficker. In addition, Nmap also has an advantage that might make a great network administrator in love, he can perform computer scanning between segments.
The emergence and development of Conficker, Nmap with the help of source code from Tillman Werner and Felix Leder of The Honeynet Project, has released a new version with additional features for the detection of Conficker infected computers. You can download the latest version at http://nmap.org/download.html.
Nmap installation process is pretty easy, just like Wireshark, Nmap also perform the installation of WinPcap (if not already installed). If you have installed WinPcap, usually there will be an error and the installation of WinPcap preferably skip it. (See figure 2)
Figure 2, NMAP is also capable of monitoring the network is not less than Wireshark
For its use, either console or GUI mode, we still use the command command. Use of command to detect Conficker there are 2 ways:
- Scan network with a read port 139 & 445 (faster): nmap-p-T4 139.445 - script p2p-conficker, smb-os-discovery, smb-check-vulns - script-args checkconficker = 1, safe = 1 192.168.1.1/24 (eg IP 192.168.1 network ..)
- Scan the network to read the entire port used Conficker (rather slow): nmap-p - T4 - script p2p-conficker, smb-os-discovery, smb-check-vulns - script-args checkall = 1, safe = 1 192.168.1.1/24 (eg IP 192.168.1 network .)
- Retina Network Security Scanner (Conficker Worm)
Although a bit late and launched before 1 April 2009, as one of the computer security vendors, eEye Digital Security also launched a special and free tools to detect the presence of Conficker in the network. This tool is designed to detect the presence and simultaneously detect Conficker vulnerability windows tsb of Windows Server Service vulnerability (MS08-067). You can download this tool at http://www.eeye.com/html/downloads/other/ConfickerScanner.html.
The installation process is very easy and fast, you simply run the installation file that followed further instructions to complete. (See figure 3)
Figure 3, which is an expert Eeye Windows launches Retina Vulnerability Scanner for Conficker.
For general users, Retina tools from Eeye relatively easier than Wireshark and Nmap, when you run this tool you can directly select the desired target with either a single IP or IP range. If you have, you can directly click the scan button. When it is finished a message box will appear finished sign. Results of the scan are TSB 4 categories:
- Not Tested (usually due to a closed port 445 / disable, so it can not scan)
- Infected (Conficker infected computers detected)
- Patched (computer clean and already in patch MS08-067)
- Vulnerable (clean computer but not in the patch, prone infected Conficker)
Unfortunately this tool only read ports 139 and 445, so it is very difficult if the computer is infected they will not activate port (File and Printer Sharing). Furthermore, the Retina can not perform scanning between segments and also does not monitor the port 1024 10.000 exploited by Conficker.
4) SCS (Simple Conficker Scanner)
Simple and sophisticated tools made Tillman Werner and Felix Leder of The Honeynet Project, which was launched at the beginning of Vaksincom widely used by ISPs to detect IP IP Indonesia Conficker infected this be a reference to some vendors to create similar tools. They make tools conficker network scanner of the Python language and its later published the source code freely. Recorded several vendors such as Nmap, Foundstone and eEye using source code which is then compiled and used as tools plugin for each vendor used to detect conficker. Tools can be downloaded at the address http://www.4shared.com/get/95921961/d7727fab/scs.html.
SCS does not need to be installed, you just need akstrak the folder / drive that you specify only. But you need to run the SCS install Nmap. This is because SCS requires driver monitoring packets of data. (See figure 4)
Figure 4, Simple Conficker Scanner is simple but sophisticated
To use, SCS using console mode or command prompt. At the command prompt mode, move the folder scs then type the following command:
scs [IP_Awal] [IP End], example: C: \ scs> scs 192.168.1.1 192.168.1.255
Just like Retina, SCS just read ports 139 and 445 only.
5) Conficker Detection Tool (MCDT)
Through one of its divisions, namely Foundstone, McAfee released a participating network tools to detect the presence of conficker. Tools are also used source of Tillman Werner and Felix Leder of The Honeynet Project, a development of the team Foundstone designed to detect the presence of Conficker-infected computers, and has been published for free. You can download the http://www.mcafee.com/us/enterprise/confickertest.html address.
This tool does not need to be installed, you only need to extract the directories / drives you specify only. (See figure 5)
Figure 5, Conficker Detection Tool in action
Was fairly easy to use, when you run this tool you can directly select the desired target range. You can even scan if there are multiple network segments on your computer, it is not contained in the Retina. But unfortunately this tool does not perform checks on the MS08-067 vulnerability that Conficker exploits such as Nmap and Retina. Unlike the retina, this tool has three categories namely the scan results:
- Infected (Conficker infected computers)
- Not infected (infected computer is clean or not)
- Not tested (usually due to a closed port 445 / disable, so it can not scan)
Just as Retina and SCS, this tool is read only ports 139 and 445 (File Printer Sharing) and do not monitor the 1024 port 10000 which exploited by Conficker.
Comparison of the results .
Of some of the tools they will be, we want to review and make its comparison table as follows:
From the results of tests performed by the lab Vaksincom, it appears that there is no perfect tool. Each of these tools has advantages and disadvantages of each. Nmap despite having the most complete feature but has a weakness in the use of which still use the command and scan speeds were slower than other tools. While MCDT is a very simple tool without installation and scan quickly enough can have the disadvantage of not function properly if port 445 is closed / disable (File and Printer Sharing in non-disabled) and is not tested in the MS08-067 vulnerability exploited by Conficker .
Source : http://vaksin.com/