Conficker C and friends – Defeating worms with architecture

Win32 Conficker C
The first line of technical defense against any computer intrusion is the architecture of the network infrastructure that the computer is connected to. The fact that worms like Conficker are so successful in their metastasis is “in your face” proof of just how insecure today’s IT Infrastructures are. If they weren’t so insecure then these worms would have a minimal impact. What’s even more interesting is that worms are “dumb” and people can’t seem to keep them out of their networks, so what are people going to do when hackers come knocking?
In simple terms a worm is little more than a dumb, self-replicating, repeating computer program that uses some mechanism (network, USB sticks, etc.) to send copies of itself to other computer systems. A worm's survival hinges on its ability to communicate with other computer systems and on its ability to gain entry into new uninfected computer systems. If it can't do one or the other then it can't spread and it will eventually die. If it can do both with relative success then it will likely survive for some time. The more hosts that a worm infects, the more potential hosts it can infect, assuming that its method of gaining access isn't patched before the host is infected.
With that said, the not so obvious but highly effective way of defending against worms is to undergo an Advanced Penetration Test. The reality is that worms and hackers use the same techniques for gaining access to networked infrastructures. The primary difference is that a worm only has one method of attack and is restricted by its programming while a hacker is unrestricted and has many methods of attack. Therefore it is reasonably safe to say that if your network can stand up to an Advanced Penetration Test, then it can also resist a worm.
Let's use the Conficker C worm as an example of what I am talking about. On April 1st the Conficker C worm will enter its Domain Generation Algorithm. It will go out and download a new command and control file over HTTP, install that file, and then do god knows what. Conficker C is dependent on most networks allowing unrestricted outbound HTTP access.
In the last penetration test we (Netragard) did, my team used a PDF document infected with a payload that was designed to establish an outbound connection back to our office over HTTP. Specifically, the PDF document contained an exploit for a vulnerability in Adobe Acrobat. When the document was opened it injected connect-back shellcode into the memory of the victim's computer system. That computer system then established a connection back to us over HTTP and we were able to tunnel back in over that connection to gain control over the victim's system and eventually the network.
As a step toward remediation we recommended to our customer that they only allow authenticated and authorized outbound HTTP and HTTPS connections. They took that recommendation to heart and implemented controls to prevent those unauthorized connections. An unforeseen result of our services is that our customer's network disrupts Conficker's communications channel. (Conficker relies on unrestricted outbound HTTP.) Now, even if they have infected nodes on their network, those nodes will not be able to establish outbound HTTP connections to the command and control servers. Conficker on their network is mostly disarmed.
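
Once outbound HTTP and HTTPS are limited to authenticated proxy requests, software that cannot supply credentials shows up in the proxy log as repeated 407 denials. The following is an added example, not code from the original post, that scans access log lines for that pattern so blocked nodes can be found and cleaned. It assumes a Squid proxy with its native log layout; the log lines, addresses, host names and the `min_hosts` threshold are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not real traffic):
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1238544001.101 9 10.0.0.23 TCP_DENIED/407 3921 GET http://kq1.example.invalid/ - HIER_NONE/- text/html
1238544002.340 8 10.0.0.23 TCP_DENIED/407 3921 GET http://zt7.example.invalid/ - HIER_NONE/- text/html
1238544003.512 8 10.0.0.23 TCP_DENIED/407 3921 GET http://wp4.example.invalid/ - HIER_NONE/- text/html
1238544010.007 7 10.0.0.40 TCP_DENIED/407 3921 GET http://intranet.example.invalid/ - HIER_NONE/- text/html
1238544010.250 84 10.0.0.40 TCP_MISS/200 5120 GET http://intranet.example.invalid/ alice HIER_DIRECT/192.0.2.10 text/html
1238544020.118 90 10.0.0.51 TCP_MISS/200 7733 GET http://news.example.invalid/ bob HIER_DIRECT/192.0.2.20 text/html
1238544021.400 8 10.0.0.51 TCP_DENIED/407 3921 GET http://kq1.example.invalid/ - HIER_NONE/- text/html
1238544022.615 8 10.0.0.51 TCP_DENIED/407 3921 GET http://zt7.example.invalid/ - HIER_NONE/- text/html
1238544023.902 8 10.0.0.51 TCP_DENIED/407 3921 CONNECT wp4.example.invalid:443 - HIER_NONE/- -
"""

def parse_line(line):
    """Return (client, result/status, host, user), or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    url = f[6]
    # CONNECT requests log "host:port" instead of a full URL.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return f[2], f[3], host, f[7]

def suspect_clients(log_text, min_hosts=3):
    """Clients with 407 denials to >= min_hosts destinations they never
    reached with proxy credentials (min_hosts is an assumed threshold)."""
    denied, authed = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, result, host, user = rec
        if user != "-":
            authed[client].add(host)      # request carried valid credentials
        elif result == "TCP_DENIED/407":
            denied[client].add(host)      # proxy demanded auth, none supplied
    report = {}
    for client, hosts in denied.items():
        unanswered = sorted(hosts - authed[client])
        if len(unanswered) >= min_hosts:
            report[client] = unanswered
    return report

if __name__ == "__main__":
    for client, hosts in suspect_clients(SAMPLE_LOG).items():
        print(client, "never authenticated to:", ", ".join(hosts))
```

A browser's normal 407-then-retry handshake is excluded because the same destination later appears with a user name; 10.0.0.51 is still reported even though a user is logged in there, since the denied destinations were never retried with credentials.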
