Inspiration & Genius – One and the Same

Detecting Conficker using Core IMPACT Pro

Thanks to Alex Horan from Core Security for his help with this post.

We all know that IMPACT Pro can identify machines vulnerable to MS08-067 by safely exploiting the vulnerability (and, in the process, bypassing any network or host IPS and other protections in place). But if a machine has already been compromised by Conficker, it will no longer be exploitable that way, because the worm applies an in-memory patch that prevents MS08-067 from being exploited on that box (the "it's my box now and no one else gets to play with it" school of thought). A failed exploit attempt therefore does not prove the host is patched: it may already be owned.

Felix Leder and Tillmann Werner of the Honeynet Project released a paper (https://www.honeynet.org/files/KYE-Conficker.pdf) on Conficker; one section details how to detect whether Conficker has infected a machine. The developers at Core Security Technologies have used that work to create a module that runs inside IMPACT and remotely identifies whether a machine has had Conficker's in-memory patch applied (and has therefore been compromised by Conficker).

How does it work?

Quite simply, as it happens. I open a new workspace (or, to save a little time, use a workspace that already holds information about the machines I want to check for Conficker).

I then go to the Misc folder in the Modules View (a view that gives me granular control over which specific modules or actions I want to run) and open the 'Conficker Detection' module. Like most modules in IMPACT Pro, it can be dragged and dropped onto a machine or group of machines, but here I will show how to use the Entities Selection dialog to specify the targets.

Entities Selection

With the module open, I click the ellipsis button next to the TARGET parameter.
In the Entities Selection dialog I have grouped systems by OS, and I am going to have the module check my entire set of Windows machines.


The module runs against each targeted machine: it connects to the exposed DCE-RPC endpoints and fingerprints them to determine whether the machine carries Conficker's in-memory patch. When it is done, it reports which machines were identified as infected by Conficker and, separately, any from which it could not obtain endpoint information. Those machines are not cleared: a host whose RPC endpoints are unreachable (offline, firewalled or filtered) simply could not be fingerprinted and needs a second look.
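To make the fingerprinting step concrete, here is an added Python example of what "fingerprint the DCE-RPC endpoint" amounts to in practice. It is not Core IMPACT's module and not the Honeynet scanner; the PDU layout follows the DCE-RPC connection-oriented header format, while the probe (a crafted NetprPathCanonicalize call over srvsvc) and the two return codes used to separate an infected host from a clean one (0x57 for Conficker's patch, 0x7B for an unmodified server) are assumptions drawn from my reading of the KYE paper and should be checked against it. The sample PDUs and host addresses are constructed for the example, not captured traffic.

```python
"""Fingerprint DCE-RPC responses for Conficker's in-memory MS08-067 patch.

Added example, not Core IMPACT's module and not the Honeynet scanner.
ASSUMPTIONS (not from the page): the probe is a NetprPathCanonicalize call,
an infected host returns 0x57 (ERROR_INVALID_PARAMETER) and an unmodified
one 0x7B (ERROR_INVALID_NAME). Verify both values against the KYE paper.
"""
import struct
from typing import Dict, List, Optional

PTYPE_RESPONSE = 0x02
PTYPE_FAULT = 0x03

CONFICKER_PATCH_CODES = {0x57}   # assumed fingerprint value
CLEAN_CODES = {0x7B}             # assumed fingerprint value


def parse_dcerpc_pdu(pdu: bytes) -> Optional[dict]:
    """Parse the 16-byte common header and, for responses, the stub data.
    Returns None for anything too short or inconsistent to be trusted."""
    if len(pdu) < 16:
        return None
    version, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    # Data representation byte 4: high nibble 1 = little endian, 0 = big endian.
    endian = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    if version != 5 or frag_len > len(pdu):
        return None
    info = {"ptype": ptype, "call_id": call_id, "endian": endian}
    if ptype == PTYPE_RESPONSE:
        if frag_len < 24:
            return None
        # Response header: alloc_hint(4) context_id(2) cancel_count(1) pad(1).
        # An auth trailer, if present, is an 8-byte sec_trailer + auth_len bytes.
        stub_end = frag_len - (auth_len + 8 if auth_len else 0)
        info["stub"] = pdu[24:stub_end]
    return info


def return_code(info: dict) -> Optional[int]:
    """NDR marshals the [out] return DWORD last in the stub; read it."""
    stub = info.get("stub")
    if stub is None or len(stub) < 4:
        return None
    return struct.unpack(info["endian"] + "I", stub[-4:])[0]


def classify(pdu: bytes) -> str:
    """Map one probe response to 'infected', 'clean' or 'unknown'."""
    info = parse_dcerpc_pdu(pdu)
    if info is None or info["ptype"] != PTYPE_RESPONSE:
        # Truncated data, a fault PDU or a non-response: no usable endpoint
        # information, so the host cannot be cleared.
        return "unknown"
    code = return_code(info)
    if code in CONFICKER_PATCH_CODES:
        return "infected"
    if code in CLEAN_CODES:
        return "clean"
    return "unknown"


def summarize(responses: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group hosts by verdict, keeping 'unknown' separate from 'clean'."""
    out: Dict[str, List[str]] = {"infected": [], "clean": [], "unknown": []}
    for host, pdu in responses.items():
        out[classify(pdu)].append(host)
    return out


def build_response(call_id: int, stub: bytes, big_endian: bool = False) -> bytes:
    """Constructed test input: wrap stub bytes in a DCE-RPC response PDU."""
    endian = ">" if big_endian else "<"
    drep = b"\x00\x00\x00\x00" if big_endian else b"\x10\x00\x00\x00"
    hdr = struct.pack("<BBBB", 5, 0, PTYPE_RESPONSE, 0x03) + drep
    hdr += struct.pack(endian + "HHI", 24 + len(stub), 0, call_id)
    hdr += struct.pack(endian + "IHBB", len(stub), 0, 0, 0)
    return hdr + stub


# Constructed sample PDUs (not captured traffic). Stub = buffer placeholder,
# path type, return code.
SAMPLE_INFECTED = build_response(1, struct.pack("<III", 0, 0, 0x57))
SAMPLE_CLEAN = build_response(2, struct.pack("<III", 0, 0, 0x7B))
SAMPLE_BIG_ENDIAN = build_response(3, struct.pack(">III", 0, 0, 0x57), big_endian=True)
SAMPLE_TRUNCATED = SAMPLE_CLEAN[:20]
# Fault PDU (ptype 3): header + alloc_hint, context, cancel, pad, status, reserved.
SAMPLE_FAULT = (struct.pack("<BBBB", 5, 0, PTYPE_FAULT, 0x03) + b"\x10\x00\x00\x00"
                + struct.pack("<HHI", 32, 0, 4)
                + struct.pack("<IHBBII", 0, 0, 0, 0, 0x1C010002, 0))

if __name__ == "__main__":
    hosts = {"10.0.0.1": SAMPLE_INFECTED, "10.0.0.2": SAMPLE_CLEAN,
             "10.0.0.3": SAMPLE_FAULT, "10.0.0.4": SAMPLE_TRUNCATED}
    for verdict, names in summarize(hosts).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```

The point of the three-way verdict is the one the module's report makes: a fault, a dropped connection or a truncated reply is "unknown", never "clean", so hosts that could not be fingerprinted stay on the list to be chased down.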

The results appear in the following places:

•    The Module Output
•    The Module Log
•    The Host Report
•    The Vulnerability Report

For my own use, I created a macro that does the following:

•    Asks me for an IP address (or Addresses)
•    Performs Information Gathering against those machines
•    Runs the Conficker Detector against those machines
•    Runs the Vulnerability Report

I start the macro and walk away; when I come back, the Vulnerability Report shows me all the machines identified as having been compromised by Conficker.
