CONTAINING CONFICKER

With all the noise about Conficker turning your computer into liquid hot magma on April 1st, there’s actually some positive news. Researchers from the Honeynet Project have been following the worm since infections started in late 2008. They recently found a simple method for identifying infected systems remotely. Conficker attempts to patch the MS08-067 vulnerability during infection. A flaw in that patch causes the machine to respond differently from both an unpatched system and an officially patched system. Using this knowledge, the team developed a proof-of-concept network scanner in Python to find infected machines. You can find it in [Rich Mogull]’s initial post. [Dan Kaminsky] has packaged it as an EXE and has instructions for building the SVN version of Nmap, which includes the new signature. Other network scanner vendors are adding the code as well.

In conjunction with this detection code, the team has also released the whitepaper Know Your Enemy: Containing Conficker. It discusses methods to detect, contain, and eliminate Conficker. They’ve combined this with a tool release that covers Conficker’s dynamic domain generation, among other things.
