Security researchers have developed a new tool that can scan the company network and remotely detect machines infected with the Conficker worm.
A proof-of-concept scanner was released by the Honeynet Project, a non-profit security research organization. The tool is also being made available on many network scanning vendor tools: Tenable (Nessus), McAfee/Foundstone, Nmap, nCircle and Qualys.
calls next Conficker variant 'manageable': The next version of Conficker expected April 1,
should be treated like any other malware attack, Microsoft said in a message to customers.
Conficker botnet ready to be split, sold: Conficker's peer-to-peer update method allows the owner to sell pieces of the botnet to the highest bidder, experts say.
Microsoft offers $250K bounty for Conficker writer: It's not the first time the software giant issued a reward for information leading to the arrest and conviction of a virus writer.
The tool was designed by Tillmann Werner and Felix Leder of Honeynet. The two researchers have been working with network security expert Dan Kaminsky, director of penetration testing for security firm IOActive Inc., to study Conficker's profile on the network. Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC, is helping coordinate the release to network scanning makers. A technical paper describing their research is due out later this week.
The tool uses a flaw in the modified MS08-067 patch Conficker deploys to shield infections from system administrators and guard against other cybercriminals attempting to exploit the Microsoft vulnerability. The researchers that designed the tool said the window of opportunity to run the scan could close quickly if Conficker's author updates the modified patch to correct the issue.
"We need to outrun the bad guys this time," Mogull said. "We have an opportunity but now we have to execute on that opportunity fairly quickly."
Until now, detecting Conficker was a time consuming process. Tools are available to detect the worm on individual machines.
Mogull said the tool currently detects all Conficker variants and will be updated once feedback is received. An NAC vendor is also adding the feature to its product to detect infections on devices prior to connecting to the network, Mogull said.
The Conficker/Downadup worm started spreading in October, exploiting a Microsoft remote procedure call (RPC) zero-day vulnerability. Microsoft released an emergency out-of-band patch,but infections continued to spread globally reaching as many as 10 million machines at its peak.
Security experts are keeping their eye on the next iteration of Conficker/Downadup. Beginning April 1, the worm is expected to draw 500 domains from 50,000 domain names generated per day instead of 250 domains it selected with previous versions. It also has a peer-to-peer (P2P) mechanism to update other Conficker infected machines.