Conficker: What Now?
Beyond the RPC vulnerability that got Conficker cooking, later variants of the worm added the capability to propagate through network shares and over infected USB memory sticks by taking advantage of Windows' Autorun functionality. Also, once Conficker has successfully rooted itself on a machine in your network, the malware will attempt to spread to other machines on the network by launching a dictionary-based attack to guess log-ins and passwords.

As a result, even assuming that you've long ago applied the Microsoft patches to block the Windows service vulnerability, it's important to keep watch for Conficker on your network.

Most security suites are prepared to detect and remove instances of the worm, but it's also worth checking out the set of six Conficker containment tools prepared by Felix Leder and Tillmann Werner of the Honeynet Project and available for free download at the Website of the University of Bonn. The tools include a utility for calculating the list of domains that Conficker generates for fetching further code and instructions from its controllers; a memory disinfector that terminates running Conficker processes on an infected system; and a utility for calculating the file names and registry keys under which Conficker hides itself on a particular system.

Also available is a simple Python-based network scanner capable of detecting Conficker machines on a network. The scanner accepts as input either a range of IP addresses or a text file of addresses to scan, and returns a status of "clean," "infected" or "blocked" for systems it manages to reach on the network.

Interestingly, the tool set also includes a Conficker vaccination tool that runs as a service on Windows systems and, if contacted by the worm, reports its status as up-to-date. This tool, while perhaps not appropriate for production use, is certainly an interesting take on approaching the Conficker conflict.
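One practical way to "keep watch" for the dictionary-based logon guessing described above is to look at failed-logon audit records and flag any source host that fails against many different accounts in a short window. The detector below is an added example written for this page; it is not part of the article or of the Honeynet Project tool set. The event records, the field layout (timestamp, source host, target account) and the thresholds are constructed assumptions for illustration, loosely modelled on what a Windows failed-logon audit event carries.

```python
"""Flag hosts whose failed-logon pattern looks like a dictionary attack.

Added example, not from the article or the Honeynet tools. Events are a
constructed, simplified form of failed-logon audit records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records: (timestamp, source host, target account).
# ws-03 is a user mistyping their own password; ws-22 fails against several
# accounts but spread over hours; ws-17 runs through ten accounts in 90 seconds.
SAMPLE_EVENTS = [
    ("2009-04-01T09:30:00", "ws-03", "jsmith"),
    ("2009-04-01T09:30:20", "ws-03", "jsmith"),
    ("2009-04-01T09:31:05", "ws-03", "jsmith"),
    ("2009-04-01T10:00:01", "ws-17", "administrator"),
    ("2009-04-01T10:00:04", "ws-17", "admin"),
    ("2009-04-01T10:00:09", "ws-17", "guest"),
    ("2009-04-01T10:00:15", "ws-17", "backup"),
    ("2009-04-01T10:00:22", "ws-17", "test"),
    ("2009-04-01T10:00:31", "ws-17", "user"),
    ("2009-04-01T10:00:40", "ws-17", "sales"),
    ("2009-04-01T10:00:52", "ws-17", "finance"),
    ("2009-04-01T10:01:03", "ws-17", "hr"),
    ("2009-04-01T10:01:30", "ws-17", "it"),
    ("2009-04-01T08:00:00", "ws-22", "administrator"),
    ("2009-04-01T08:40:00", "ws-22", "guest"),
    ("2009-04-01T09:20:00", "ws-22", "backup"),
    ("2009-04-01T10:10:00", "ws-22", "test"),
    ("2009-04-01T10:50:00", "ws-22", "user"),
    ("2009-04-01T11:30:00", "ws-22", "sales"),
]


def find_dictionary_attackers(events, window=timedelta(minutes=5),
                              min_failures=8, min_accounts=5):
    """Return {source_host: (failures, distinct_accounts)} for every host that,
    within any sliding window of the given length, produced at least
    min_failures failed logons against at least min_accounts distinct accounts.
    The thresholds are illustrative assumptions, not tuned values."""
    by_host = defaultdict(list)
    for ts, host, account in events:
        by_host[host].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for host, items in by_host.items():
        items.sort()  # order by timestamp so the window scan is linear in time
        for start in range(len(items)):
            t0 = items[start][0]
            accounts = set()
            count = 0
            for t, account in items[start:]:
                if t - t0 > window:
                    break
                count += 1
                accounts.add(account)
            if count >= min_failures and len(accounts) >= min_accounts:
                best = flagged.get(host)
                if best is None or count > best[0]:
                    flagged[host] = (count, len(accounts))
    return flagged


if __name__ == "__main__":
    for host, (failures, accounts) in sorted(find_dictionary_attackers(SAMPLE_EVENTS).items()):
        print(f"{host}: {failures} failed logons against {accounts} accounts within 5 minutes")
```

With the default thresholds only ws-17 is reported; the mistyped-password host and the slow, spread-out failures stay below the line. Requiring both a failure count and a distinct-account count is what separates the worm's guessing behaviour from a single user locked out of one account; a rule for repeated failures against one account would be a separate, complementary check.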