
Conficker flaw yields new tool for detection

A flaw in the way Conficker infects machines has given security experts the ability to design a new tool to remotely detect infections over the network.


Security researchers have developed a new tool that can scan the company network and remotely detect machines infected with the Conficker worm.

A proof-of-concept scanner was released by the Honeynet Project, a non-profit security research organization. The tool is also being made available in many network scanning tools: Tenable (Nessus), McAfee/Foundstone, Nmap, nCircle and Qualys.



The tool was designed by Tillmann Werner and Felix Leder of Honeynet. The two researchers have been working with network security expert Dan Kaminsky, director of penetration testing for security firm IOActive Inc., to study Conficker's profile on the network. Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC, is helping coordinate the release to network scanning makers. A technical paper describing their research is due out later this week.

The tool uses a flaw in the modified MS08-067 patch that Conficker deploys to shield infections from system administrators and to guard against other cybercriminals attempting to exploit the Microsoft vulnerability. The researchers who designed the tool said the window of opportunity to run the scan could close quickly if Conficker's author updates the modified patch to correct the issue.

"We need to outrun the bad guys this time," Mogull said. "We have an opportunity but now we have to execute on that opportunity fairly quickly."

Until now, detecting Conficker was a time-consuming process. Tools are available to detect the worm on individual machines.

Mogull said the tool currently detects all Conficker variants and will be updated once feedback is received. An NAC vendor is also adding the feature to its product to detect infections on devices prior to connecting to the network, Mogull said.

The Conficker/Downadup worm started spreading in October, exploiting a Microsoft remote procedure call (RPC) zero-day vulnerability. Microsoft released an emergency out-of-band patch, but infections continued to spread globally, reaching as many as 10 million machines at its peak.

Security experts are keeping their eye on the next iteration of Conficker/Downadup. Beginning April 1, the worm is expected to draw 500 domains from 50,000 domain names generated per day, instead of the 250 domains it selected with previous versions. It also has a peer-to-peer (P2P) mechanism to update other Conficker-infected machines.
