Security researchers have discovered a way to identify any network attached computer that has been infected with...
the Conficker worm.
Until now, IT departments have had no way of telling which computers in their networks have been patched with the genuine Microsoft patch.
Conficker hides its presence by making infiltrated computers appear to have been patched, but now researchers have identified other tell-tale signs.
"Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously and quickly. You can literally ask a server if it is infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive, who worked with The Honeynet Project, wrote in a blog posting.
The Honeynet Project's Tillmann Werner and Felix Leder have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle and Qualys, said Kaminsky.
The Conficker worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008.
The worm has spread to an estimated 10 million computers worldwide, exploiting the Windows vulnerability to disable the operating system update service and security centre, including Windows Defender and error reporting.
"The Conficker scanning tool helps people to identify systems currently infected with Conficker so they can take action to clean them. This tool is another way the Conficker Working Group is working to help protect internet users from Conficker," said a Microsoft spokesman.