MSI is proud to announce the instant availability of a LINUX ONLY HoneyPoint GUI tool to capture Conficker scans and probes.
Conficker is a significant threat and is expected to wreak havoc on April 1, 2009. You can find a ton of information about Conficker here from various vendors via SANS.
The HoneyPoint Special Edition: Conficker runs in Linux and is easy to use with just about any LiveCD distro (including Puppy/DSL/gOS, etc.) and should make it easy for organizations to monitor their network spaces with a scattersensing approach. We chose not to release an OS X version to avoid issues with root authentication, and Windows was not possible, since the detection requires binding to port 445/TCP, which Windows uses for CIFS.
This application is our attempt to help organizations around the world defend themselves and their assets against this bleeding edge threat using rational, safe and effective detection mechanisms at the network level.
You can download the zip file from here.
Please let us know your thoughts.
How do we use this, are there any instructions? Details on what it does?
I saw your blog post. Thanks for the feedback. I should have included a readme.
Basically, you execute the application as root on a Linux box (preferably one without Samba) (a LiveCD such as Puppy Linux will also work). The instructions for its use are in the How To: window of the application, but you just click start and the application will dilate port 445/tcp with a HoneyPoint listener. Then you wait for probes to arrive from Conficker scans and the app will log the source IP addresses to the log window. Treat all source IP addresses as infected hosts and investigate them in accordance with your site’s security policy.
Let me know if you have other questions. Good hunting!
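The detection described in the reply above (bind 445/TCP on a host that has no business serving CIFS, then treat every connecting source IP as a suspected infection) is simple enough to show in a few dozen lines. The listener below is an added example written for this page; it is not MSI's HoneyPoint code and makes no claim about how that tool is built. It assumes a Linux host without Samba and root privileges for the real port; the `probe()` helper, an assumption of this example, doubles as the simplest check that the listener is working: run it from a second machine and confirm that machine's address appears in the log.

```python
import socket
import threading
import time


class ProbeListener:
    """Minimal TCP honeypot: bind a port that should never legitimately be
    contacted, record the source of every connection, and close it at once.
    No CIFS is spoken; the connection attempt alone is the indicator."""

    def __init__(self, port=445, bind_addr="0.0.0.0", ignore=()):
        self.port = port
        self.bind_addr = bind_addr
        self.ignore = set(ignore)       # e.g. your own authorised scanners
        self.seen = []                  # (utc_time, source_ip, source_port)
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((self.bind_addr, self.port))
        except OSError as exc:
            # 445 needs root and must not already be held by Samba.
            s.close()
            raise RuntimeError(f"cannot bind {self.bind_addr}:{self.port}: {exc}")
        s.listen(16)
        s.settimeout(0.2)               # lets the accept loop notice stop()
        self._sock = s
        self.port = s.getsockname()[1]  # actual port when 0 was requested
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()                # we only wanted the source address
            if ip in self.ignore:
                continue
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            with self._lock:
                self.seen.append((stamp, ip, sport))

    def wait_for_probes(self, n, timeout=2.0):
        """Block until at least n probes are logged or the timeout expires."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.seen) >= n:
                    return True
            time.sleep(0.05)
        return False

    def suspected_hosts(self):
        """Distinct source IPs; each is to be treated as a suspected infection."""
        with self._lock:
            return sorted({ip for _, ip, _ in self.seen})

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        if self._sock is not None:
            self._sock.close()


def probe(host, port, timeout=2.0):
    """Simulate one scan: open a TCP connection to the listener and drop it.
    Run from another machine to verify the listener logs that machine."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


if __name__ == "__main__":
    # Real use: run as root on a host without Samba so 445/TCP is free.
    listener = ProbeListener(port=445)
    listener.start()
    print(f"listening on {listener.bind_addr}:{listener.port}; Ctrl-C to stop")
    logged = 0
    try:
        while True:
            time.sleep(1)
            for entry in listener.seen[logged:]:
                print("%s probe from %s:%d" % entry)
            logged = len(listener.seen)
    except KeyboardInterrupt:
        listener.stop()
```

The `ignore` set is there because a vulnerability scanner you operate yourself will also knock on 445 and would otherwise show up as an infected host; everything else that connects has, by the reasoning in the post, no legitimate reason to be there.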
Does it simply scan your LAN, or can it be told to look at a WAN port?
Neither. The tool is not a scanner, it is a honeypot for capturing incoming probes from Conficker compromised hosts.
Once the worm is in control of a system, it uses that system to scan for other victims. The scanning is what this product is aimed at catching.
See http://www.microsolved.com/honeypoint/ to learn more about the basic concepts behind this approach.
Silly question…how can I test this to make sure it is working?
Is this application still available? The download link returns a HTTP 404.
Sorry for the 404, but this tool has now expired. The free version is no longer available, but the trial and a licensed version are available here that does much more than catch Conficker.
The price for the commercial tool is US $29.95 and available through the Digital River store.