Researchers release more Conficker tools and detection methods
by Steve Ragan - Mar 30 2009, 19:25

Researchers with the HoneyNet Project have developed a method to discover Conficker infections by using network scanning. The HoneyNet Project’s Tillmann Werner and Felix Leder are expected to release a paper detailing their work over the past five months, but the tools detailed in the paper are available now.
HoneyNet worked with Dan Kaminsky, Rich Mogull (who tried to downplay his efforts; in reality Rich helped get vendors on board), Qualys, Nmap, nCircle, McAfee, and Tenable.
The project is a drilldown of Conficker’s profile on a network. The upside is that while the research and tools are aimed at medium to enterprise scale networks, home users can take advantage as well.
“Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you,” Kaminsky said.
The research, as mentioned, started about five months ago. However, from Friday until the early hours of Monday morning, the research team and vendors worked to add signatures to their products. Each of them is expected to have the code ready either as you read this or before the end of business on Monday, March 30.
What this does is give administrators a full 48 hours to test and scan their networks using a simple scan. The HoneyNet Project’s scanner can be found here [ZIP].
The scanner should work on all variants of Conficker, alerting to infection if discovered. The drawback, as with any such tool, is there is no ultimate guarantee it will detect all infections.
For more tools, the entire list of applications described and used in the research paper can be located here.
Considering the growing hype and the massive amounts of speculation surrounding the Conficker Worm, which is due to initiate a new code sequence on Wednesday, these tools and the pending research should help fight the criminal minds behind the infections.