Monday, March 30, 2009

Researchers release PoC tools to find Conficker

| Brett D. Arion |
A proof-of-concept scanner was released on Dan Kaminsky's site today to help people scan networks for the presence of the Conficker worm. Kaminsky, working with the Honeynet Project's Tillmann Werner and Felix Leder, discovered that the worm actually changes the way Windows looks on the network. This allows anyone to ask the servers and systems on a network, remotely or anonymously, whether they are infected, and infected systems will respond accordingly. The code has been released as Python scripts and has also been ported to a Windows binary by Kaminsky; it can be found at the link below.

Conficker Scanner PoC

In addition, some of the commercial security providers appear to be joining in on detection of the worm. Per Kaminsky's site, "with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys".

Given the hype around the anticipated April 1st event, when the worm begins searching for updates, many are starting to wonder whether this is an elaborate April Fools' joke or whether it is in fact real. Either way, it is highly recommended that you ensure all of your systems are patched and run either the PoC code or the enterprise-class scanners available from the companies mentioned. There will be plenty of unpatched systems that continue to propagate the worm. In addition, given this discovery, it is expected that other malicious entities will begin to exploit the "openness" of Conficker to propagate their own malware.
