
Security researchers have discovered a way to identify
any network-attached computer that has been infected with
the Conficker worm.
Until now, IT departments have had no way of telling which
computers in their networks have been patched with the genuine
Microsoft patch.
Conficker hides its presence by making infiltrated computers
appear to have been patched, but now researchers have identified
other tell-tale signs.
"Conficker actually changes what Windows looks like on the
network, and this change can be detected remotely, anonymously and
quickly. You can literally ask a server if it is infected with
Conficker, and it will tell you," Dan Kaminsky, director of
penetration testing at IOActive, who worked with The Honeynet
Project, wrote in a blog posting.
The Honeynet Project's Tillmann Werner and Felix Leder have
their own proof of concept scanner, and with the help of Securosis'
Rich Mogull and the multivendor Conficker Working Group,
enterprise-class scanners should already be out from Tenable
(Nessus), McAfee/Foundstone, Nmap, nCircle and Qualys, said
Kaminsky.
The Conficker worm, also known as Downadup, exploits a bug in the
Windows Server service used by Windows 2000, XP, Vista, Server 2003
and Server 2008.
The worm has spread to an estimated 10 million computers
worldwide, exploiting the Windows vulnerability to disable the
operating system update service and security centre, including
Windows Defender and error reporting.
"The Conficker scanning tool helps people to identify systems
currently infected with Conficker so they can take action to clean
them. This tool is another way the Conficker Working Group is
working to help protect internet users from Conficker," said a
Microsoft spokesman.