Conficker: What Now?

By Jason Brooks  |  Posted 2009-03-31


What Now?

Beyond the RPC vulnerability that got Conficker cooking, later variants of the worm added the capability to propagate through network shares and over infected USB memory sticks by taking advantage of Windows' Autorun functionality. Also, once Conficker has successfully rooted itself on a machine in your network, the malware will attempt to spread to other machines on the network by launching a dictionary-based attack to guess log-ins and passwords.

As a result, even assuming that you've long ago applied the Microsoft patches to block the Windows service vulnerability, it's important to keep watch for Conficker on your network.
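One way to keep watch for the password-guessing spread described above, as an added example that is not from the article or from the Honeynet Project tools: it flags any source address that accumulates failed logons against several machines inside a short window. The record layout, addresses, host names, account names and thresholds are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample():
    """Constructed records (not real logs): time, source, target, account, result."""
    t0 = datetime(2009, 3, 31, 9, 0, 0)
    hosts = ["FS01", "FS02", "DC01"]
    rows = []
    for i in range(12):  # one workstation failing repeatedly against three servers
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        rows.append(f"{ts},10.0.0.23,{hosts[i % 3]},administrator,FAIL")
    # a user who mistypes a password once, then logs in successfully
    rows.append(f"{t0.isoformat()},10.0.0.40,FS01,jsmith,FAIL")
    rows.append(f"{(t0 + timedelta(seconds=30)).isoformat()},10.0.0.40,FS01,jsmith,OK")
    return "\n".join(rows)


def find_guessing_sources(log_text, window=timedelta(minutes=5),
                          min_failures=8, min_targets=3):
    """Map each flagged source IP to (failure count, targets) for the first
    sliding window in which both thresholds are met."""
    failures = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 5 and row[4] == "FAIL":
            failures[row[1]].append((datetime.fromisoformat(row[0]), row[2]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures older than the window
            in_window = events[start:end + 1]
            targets = sorted({host for _, host in in_window})
            if len(in_window) >= min_failures and len(targets) >= min_targets:
                flagged[src] = (len(in_window), targets)
                break
    return flagged


if __name__ == "__main__":
    for src, (count, targets) in find_guessing_sources(constructed_sample()).items():
        print(f"{src}: {count} failed logons against {', '.join(targets)}")
```

Requiring both a failure count and a spread across targets keeps a single user's mistyped password from raising an alert.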

Most security suites are prepared to detect and remove instances of the worm, but it's also worth checking out the set of six Conficker containment tools prepared by Felix Leder and Tillmann Werner of the Honeynet Project and available for free download at the Website of the University of Bonn.

The tools include a utility for calculating the list of domains that Conficker generates for fetching further code and instructions from its controllers; a memory disinfector that terminates running Conficker processes on an infected system; and a utility for calculating the file names and registry keys under which Conficker hides itself on a particular system.

Also available is a simple Python-based network scanner capable of detecting Conficker machines on a network. The scanner accepts as input either a range of IP addresses or a text file of addresses to scan, and returns a status of "clean," "infected" or "blocked" for systems it manages to reach on the network.

Interestingly, the tool set also includes a Conficker vaccination tool that runs as a service on Windows systems and, if contacted by the worm, reports its status as up-to-date. This tool, while perhaps not appropriate for production use, is certainly an interesting take on approaching the Conficker conflict.

As Editor in Chief of eWEEK Labs, Jason Brooks manages the Labs team and is responsible for eWEEK's print edition. Brooks joined eWEEK in 1999, and has covered wireless networking, office productivity suites, mobile devices, Windows, virtualization, and desktops and notebooks. Jason's coverage is currently focused on Linux and Unix operating systems, open-source software and licensing, cloud computing and Software as a Service. Follow Jason on Twitter at jasonbrooks, or reach him by email at
