Conficker can no longer hide in the network


Conficker can no longer hide in the network

Warwick Ashford

Security researchers have discovered a way to identify any network attached computer that has been infected with the Conficker worm.

Until now, IT departments have had no way of telling which computers in their networks have been patched with the genuine Microsoft patch.

Conficker hides its presence by making infiltrated computers appear to have been patched, but now researchers have identified other tell-tale signs.

"Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously and quickly. You can literally ask a server if it is infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive, who worked with The Honeynet Project, wrote in a blog posting.

The Honeynet Project's Tillmann Werner and Felix Leder have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle and Qualys, said Kaminsky.

The Conficker worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008.

The worm has spread to an estimated 10 million computers worldwide, exploiting the Windows vulnerability to disable the operating system update service and security centre, including Windows Defender and error reporting.

"The Conficker scanning tool helps people to identify systems currently infected with Conficker so they can take action to clean them. This tool is another way the Conficker Working Group is working to help protect internet users from Conficker," said a Microsoft spokesman.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy