Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 30 March 2009

Catching Conficker - a New Development

I can already hear a chorus of "Not ANOTHER Conficker blog?", but some of you will want to know about this development.

The Honeynet Project has announced a new scanning tool that gives network and system administrators a very handy extra means of detecting Conficker activity on their networks.

Furthermore, the tool is currently being integrated into mainstream vulnerability scanners like Nmap, Nessus, and products from nCircle, Qualys and Foundstone. It detects all current variants of Conficker by flagging changes they make to NetpwPathCanonicalize(). No doubt Conficker’s authors are already working on closing this loophole, but in the meantime, the new routines should seriously mitigate the worm’s impact on corporate networks.

Kudos to Honeynet’s Tillmann Werner and Felix Leder, whose forthcoming "Know your enemy" paper will give a lot more information on the worm and on the new tool, and to Dan Kaminsky, Rich Mogull, and the Conficker Working Group for all their work on this.
