Conficker researchers make major breakthrough
Security researchers have discovered a simple way of hunting down machines infected by the Conficker worm. It is not a cure, but it could greatly speed up the job of isolating such machines, which is all the more urgent given the April 1 deadline for Conficker's next move.
The breakthrough gets around a problem created by the way the latest variant of Conficker closes the Windows hole it used to get in: once installed, it applies its own patch to the vulnerable code, much as Microsoft's legitimate fix does. Not only does this keep other attackers out of a machine the worm has already claimed, it makes infected machines much harder to spot, because a vulnerability scanner looking for unpatched (and therefore likely infected) hosts now sees them as patched.
Monitoring for network activity is of little help, because the worm is relatively dormant most of the time, so it seemed the only way to track down infected machines was to scan each one in its entirety, one by one. That has proven difficult, if not impossible, on many large networks.
However, a team of volunteer researchers known as the Honeynet Project say they have found that the worm leaves a tell-tale clue that makes it far easier to spot. Conficker's patch makes small changes to the way Windows behaves in its pre-authentication routines: that is, in how the machine responds to network requests before any user has logged in.
With this knowledge it is now considerably easier to scan a network: rather than examining each machine's files, a scanner can probe each host remotely and tell infected from clean machines by how they answer. The Honeynet team have released free scanning tools for network administrators, which can be downloaded from http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/.
The discovery is fortunately timed, as there are just two days until infected machines begin checking a daily list of 50,000 pseudo-random domains for instructions, rather than the current 250, making it far harder to pre-register or block the domains the worm will try.
However, Honeynet's Dan Kaminsky has warned amateur enthusiasts against using the discovery to build a 'counterworm' that would spread removal tools across the network of infected machines, saying such an attempt could end up causing even more damage than Conficker itself.
This concern may limit the amount of detail Honeynet includes in a briefing paper on its discovery which it intends to publish later this week.