Home > Security > Taming Conficker, The Easy Way

Taming Conficker, The Easy Way

We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out.  Maybe they don’t have to:  I’ve been working with the Honeynet Project’s Tillmann Werner and Felix Leder, who have been digging into Conficker’s profile on the network.  What we’ve found is pretty cool:  Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly.  You can literally ask a server if it’s infected with Conficker, and it will tell you.  Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis‘ Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys.

We figured this out on Friday, and got code put together for Monday.  It’s been one heck of a weekend.

The technical details are not complicated — Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version — but I’ll let Tillmann and Felix describe this in full in their “Know Your Enemy” paper, due out any day now with all sorts of interesting observations about this annoying piece of code.  (We didn’t think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

Categories: Security
  1. April 1, 2009 at 7:22 am

    I have noticed that the main problem is for infected computers. These computers can’t get to the scanning or removal tools because the worm prevents them from doing it. The only solution I have heard so far is to have a friend with a computer that isn’t infected download the tool for you and provide it to you through email or some other form.

  2. Dozzyjean Dozie
    April 1, 2009 at 7:42 am

    It looks the name implied confiker has put allot of research in to busy mode,that is great i love when the master keep on getting busy at all time,great research out their keep it up, and for the bad guys the author of conficker, keep ur’s up too,it great having you on board,without you i don’t thinks their will be any sign of progress at all,you know it is amazing when one man shack the world globally it is really impressing,in all your doing men please always know the future always lies on how well you try to correct the wrongs around you for a better tomorrow just look into the eyes of a little child,what future do you really have for them Mr conficker please try to provide a patch.

  1. March 31, 2009 at 7:12 pm
  2. March 31, 2009 at 10:21 pm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: