2009-03-31

Python everywhere: conficker scanner

This article is the first in my new series "Python everywhere".

As this is the first article in this series I would like to explain what the series is all about.
As an avid Python user and developer I want to share my observations whenever I find Python applications doing not-so-usual things, such as Python applications running on embedded devices. In the end I want to point out just what the name of this series suggests: Python is everywhere and can be used for everything.

So, straight ahead to the first issue: the conficker scanner.

When reading an article about a detection mechanism for the conficker worm on heise Security [german], I was skeptical about a few things, but wanted to give it a try. So I followed the link to the article Detecting Conficker, by Tillmann Werner. Before clicking the link I was wondering whether I could get this tool running on GNU/Linux using wine, or some other method.

After downloading the ZIP file and unpacking it I thought I was dreaming. There were two Python files, along with a COPYING file.
Before having a look at the code I wanted to know the COPYING conditions, and again I saw something unexpected: it's licensed under the GPLv3, great!

As there are some computers running a proprietary operating system from Redmond on this network, I immediately gave it a shot. I started the script (scs.py), and after fulfilling its requirements (namely the impacket Python module) I ran it on the local network and it worked without any problems. No conficker was found on this network; after all, my flatmates keep their systems secured - good.

So there you have another use-case for Python: detecting malware over the network.
Kudos should go to Tillmann Werner, not only for this piece of Python code, but also for his work on the honeynet project and, together with Felix Leder, for the great analysis of conficker. Keep up the good work, and thanks for proving that Python can also be used for this task.
