Conficker: What Now?
What Now?
Beyond the RPC vulnerability that got Conficker cooking, later variants of
the worm added the capability to propagate through network shares and over
infected USB memory sticks by taking
advantage of Windows' Autorun functionality. Also, once Conficker has
successfully rooted itself on a machine in your network, the malware will
attempt to spread to other machines on the network by launching a
dictionary-based attack to guess log-ins and passwords.
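The dictionary attack against network log-ins described above leaves a trail that defenders can look for: a burst of failed logons against many different accounts, all originating from one host. The following detector is an added example written for this page, not one of the Honeynet tools. It runs over a constructed, simplified log extract (timestamp, Windows Security event ID, target user, source host) and assumes event ID 4625 denotes a failed logon; the window, threshold and distinct-account parameters are illustrative choices.

```python
"""Flag source hosts producing bursts of failed logons against many
accounts, the footprint of a dictionary-based spread like Conficker's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample extract, not real logs: one record per line as
# "<ISO timestamp> <event id> user=<target> src=<source host>".
SAMPLE_LOG = """\
2009-04-01T10:00:01 4625 user=administrator src=WS-117
2009-04-01T10:00:01 4625 user=admin src=WS-117
2009-04-01T10:00:02 4625 user=backup src=WS-117
2009-04-01T10:00:02 4625 user=test src=WS-117
2009-04-01T10:00:03 4625 user=guest src=WS-117
2009-04-01T10:00:03 4625 user=administrator src=WS-117
2009-04-01T10:00:03 4624 user=jsmith src=WS-042
2009-04-01T10:05:00 4625 user=jsmith src=WS-042
2009-04-01T11:30:00 4625 user=jsmith src=WS-042
"""

FAILED_LOGON = 4625  # assumed Security-log event ID for a failed logon


def parse_line(line):
    """Split one record into (timestamp, event id, target user, source host)."""
    ts, event_id, user, src = line.split()
    return (datetime.fromisoformat(ts), int(event_id),
            user.split("=", 1)[1], src.split("=", 1)[1])


def find_dictionary_attackers(log_text, window=timedelta(seconds=60),
                              threshold=5, distinct_users=3):
    """Return {source_host: total_failures} for every source that produced
    at least `threshold` failed logons against at least `distinct_users`
    different accounts inside some sliding `window` of time."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = parse_line(line)
        if event_id == FAILED_LOGON:
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if (len(span) >= threshold
                    and len({u for _, u in span}) >= distinct_users):
                flagged[src] = len(events)
                break
    return flagged
```

A legitimate user mistyping a password (WS-042 above) fails the distinct-account test and is not flagged, while the guessing host (WS-117) is.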
As a result, even assuming that you've long ago applied the Microsoft
patches to block the Windows service vulnerability, it's important to keep
watch for Conficker on your network.
Most security suites are prepared to detect and remove instances of the
worm, but it's also worth checking out the set of six Conficker
containment tools prepared by Felix Leder and Tillmann Werner of the
Honeynet Project and available for free download at the Website of the University
of Bonn.
The tools include a utility for calculating the list of domains that
Conficker generates for fetching further code and instructions from its
controllers; a memory disinfector that terminates running Conficker processes
on an infected system; and a utility for calculating the file names and
registry keys under which Conficker hides itself on a particular system.
Also available is a simple Python-based network scanner capable of detecting
Conficker machines on a network. The scanner accepts as input either a range of
IP addresses or a text file of addresses to scan, and returns a status of
"clean," "infected," or "blocked" for systems it manages to reach on the network.
Interestingly, the tool set also includes a Conficker vaccination tool that
runs as a service on Windows systems and, if contacted by the worm, reports its
status as up-to-date. This tool, while perhaps not appropriate for production
use, is certainly an interesting take on approaching the Conficker conflict.