Conficker caught out at eleventh hour?
By Stuart Turton
Posted on 31 Mar 2009 at 15:36
Researchers claim to have discovered a method by which networks can quickly and easily detect whether they've been infected by the Conficker worm.
Conficker has so far infected around 15 million machines and is set to launch on 1 April, at which time it's believed it will phone home to download new malware packages and receive instructions.
Up until now, IT managers worried about whether they've been infected have had to scan each machine individually, or monitor server logs to catch the worm in the process of phoning home.
These methods were rendered even more time-consuming and unreliable by the Conficker C variant, which was instructed to stay quiet until 1 April, but also installed its own version of the MS08-67 patch that would hide it from scanners.
However, a team of noted researchers including Dan Kaminsky claims to have found a unique signature left behind by Conficker that can be detected by almost any off-the-shelf scanner.
"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly," writes Kaminsky. "You can literally ask a server if it's infected with Conficker, and it will tell you... We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
The researchers will publish a paper outlining the technique in the next 24 hours, but it appears that if network admins move fast enough they need never find out what the worm had planned for 1 April.
