[Openvas-discuss] [Openvas-plugins] Conficker worm detection - OpenVAS plugins

Chandrashekhar B bchandra at secpod.com
Wed Apr 1 07:47:55 CEST 2009


> *snip*

>> to detect the patch condition of MS08-067. The plugin 900055 requires SMB
>> credentials and verifies whether the required hotfix is installed through
>> the Windows Registry and by verifying the updated file versions. The plugin 900056
>> is a Proof of Concept exploit that tries to crash the server service
>> (safe_checks has to be disabled). This can work with anonymous login
>> credentials if the target system allows anonymous login (Windows 2000 by
>> default allows anonymous login). The plugin checks the RPC response status
>> of an un-patched system.

> This is all true but it doesn't really go far enough since it only looks for
> the original vulnerability and not Conficker.  I started working on a check
> for Conficker last night and got some way before I noticed a glaring problem
> but nothing which at this stage is complete.  I've attached the plugin in
> rough form here if anyone wants to take it up.


We'll try to test this on Win2K and XP systems. I think slight
modifications to the request to ntrPathCanonicalize. Unless the target
system allows it, is there a means to check the system anonymously? Other
scanners seem to claim that detection is anonymous. I couldn't think of a
way.

I was looking at writing a NASL to directly check for Conficker-infected
systems through the registry or files etc., but there looks to be too much
randomness in the worm's behavior.


> The problems I've had so far
> is the lack of support for non-clear text authentication in the OpenVAS SMB
> implementation which is limiting my ability to test here, as I only have
> 2003/Vista systems to play with.  I've diverted to start working on that and
> will be sending another email shortly to openvas-devel regarding this.

The current smb_nt.inc only provides clear-text based authentication.
nasl_crypto was removed from Nessus and, I think, re-introduced in a
different form. Hence the proposal to integrate Samba to get NTLM-based
auth. However, introducing the crypto code would be very useful, as it is
very difficult to achieve the SMB packet crafting facility through Samba's
exposed APIs. The only issue with introducing crypto functionality would be
keeping it updated as changes in the OS come in. Another difficulty is
when the target OS enforces SMB signing and encryption; this needs to be
supported as well.

Thanks,
Chandra. 

www.secpod.com
