Comments on: Conficker beFUDdlement http://www.digitalbond.com/index.php/2009/04/01/conficker-befuddlement/ This Month in Control System Security Fri, 30 Jul 2010 09:35:51 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: stephan beirer http://www.digitalbond.com/index.php/2009/04/01/conficker-befuddlement/comment-page-1/#comment-11570 stephan beirer Fri, 03 Apr 2009 09:28:25 +0000 http://www.digitalbond.com/?p=3074#comment-11570 If you are monitoring your firewall between the worlds of control systems and 'traditional' IT you will probably detect Conficker C activity due the ICMP backscatter noise caused by the worm's P2P module scanning for potential peers.. a nice example how simple anomaly detection, i.e. monitoring for unusal activity can improve security.. If you are monitoring your firewall between the worlds of control systems and ‘traditional’ IT you will probably detect Conficker C activity due the ICMP backscatter noise caused by the worm’s P2P module scanning for potential peers.. a nice example how simple anomaly detection, i.e. monitoring for unusal activity can improve security..

]]> By: Adriel Michaud http://www.digitalbond.com/index.php/2009/04/01/conficker-befuddlement/comment-page-1/#comment-11568 Adriel Michaud Thu, 02 Apr 2009 14:18:06 +0000 http://www.digitalbond.com/?p=3074#comment-11568 Port 135 is one of the ports used for DCOM and remote OPC connections. Unless you're using tunnelling software like MatrikonOPC Tunneller, you probably have that port open and you might even have your firewall turned off. Port 135 is one of the ports used for DCOM and remote OPC connections. Unless you’re using tunnelling software like MatrikonOPC Tunneller, you probably have that port open and you might even have your firewall turned off.

]]> By: Matthew Franz http://www.digitalbond.com/index.php/2009/04/01/conficker-befuddlement/comment-page-1/#comment-11567 Matthew Franz Thu, 02 Apr 2009 12:47:16 +0000 http://www.digitalbond.com/?p=3074#comment-11567 Although Nessus has an even more checkered past WRT control systems than, the updated Nessus Conficker plugin can make use of credentials so has the *potential* to be safer if configured properly and a credentialed check can result in fewer packets sent on the wire and more accurate results. See http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html and https://discussions.nessus.org CAVEAT: I work for Tenable and obviously all the usual cautions about active scanning of critical networks applies. Although Nessus has an even more checkered past WRT control systems than, the updated Nessus Conficker plugin can make use of credentials so has the *potential* to be safer if configured properly and a credentialed check can result in fewer packets sent on the wire and more accurate results.

See http://blog.tenablesecurity.com/2009/04/updated-conficker-detection-plugin-released.html and https://discussions.nessus.org

CAVEAT: I work for Tenable and obviously all the usual cautions about active scanning of critical networks applies.

]]> By: Ralph Langner http://www.digitalbond.com/index.php/2009/04/01/conficker-befuddlement/comment-page-1/#comment-11565 Ralph Langner Thu, 02 Apr 2009 08:38:35 +0000 http://www.digitalbond.com/?p=3074#comment-11565 Daniel, you are getting me confused here. Nmap? The killer? Nmap is infamous as the ultimate attack weapon that brought down more control systems than all worms and viruses combined (followed by ping). A serious attacker would not waste nights in his den to come up with something of questionable chances for success like Conficker. He would just fire up the trusty old Nmap and do an aggressive scan for a sure kill. Ok, that might not get him into the news, but that's a different story... (Sorry, it was just TOO tempting...) :-) Daniel, you are getting me confused here. Nmap? The killer? Nmap is infamous as the ultimate attack weapon that brought down more control systems than all worms and viruses combined (followed by ping). A serious attacker would not waste nights in his den to come up with something of questionable chances for success like Conficker. He would just fire up the trusty old Nmap and do an aggressive scan for a sure kill. Ok, that might not get him into the news, but that’s a different story…

(Sorry, it was just TOO tempting…) :-)

]]> By: kowsik http://www.digitalbond.com/index.php/2009/04/01/conficker-befuddlement/comment-page-1/#comment-11564 kowsik Thu, 02 Apr 2009 04:38:42 +0000 http://www.digitalbond.com/?p=3074#comment-11564 The nastiest part about this worm (unlike slammer) is that it's not static. Every aspect of this worm can change over time mainly because it has the ability to update itself from one of the gazillion domain names and do a signed download. That means the list of passwords it tries can change and so can other things. At least for now, we know (from Kaminsky's work) how to fingerprint an infected machine. Quickly deinfect before the worm authors figure out how to hide this fingerprint with another update. The nastiest part about this worm (unlike slammer) is that it’s not static. Every aspect of this worm can change over time mainly because it has the ability to update itself from one of the gazillion domain names and do a signed download. That means the list of passwords it tries can change and so can other things. At least for now, we know (from Kaminsky’s work) how to fingerprint an infected machine. Quickly deinfect before the worm authors figure out how to hide this fingerprint with another update.

]]>