Fatma Bazargan’s blog


More on Conficker
March 30, 2009, 8:33 pm
Filed under: Security
How to detect and contain Conficker!

How to detect and contain Conficker!

 

So quick news about the Conficker, Honeynet Project members Tillmann Werner and Felix Leder have developed a new scanning tool for detecting Conficker and the Know Your Enemy writeup that would describe and explain on how to contain Conficker will be out shortly. The tool is now publicly available and is in the process to be integrated in major vulnerability scanning tools such as Tenable (Nessus), nCircle, Qualys, NMAP among others.

 

Doxpara, Dan Kaminsky has also packaged the tool by Werner and Feder in a scanner via py2exe that you can run to scan an IP range and it would detect any machine from the list that has been infected by Conficker.

 

Word to Spread: Ensure that your computers are patched with the latest Microsoft Patches through Windows Update and that your anti-virus engines have the latest updates.

 

Don’t forget to run the tools to detect Conficker infection.

 

UPDATE:

HERE is a video about the Conficker (GREAT LISTEN): http://www.sophos.com/blogs/gc/g/2009/03/31/video-conficker-april-1st-fuss/ 

Qualys also have something to say about Conficker: http://laws.qualys.com/lawsblog/2009/03/taming-of-the-shrew-aka-confic.html 

UPDATE 2:

The Know your Enemy Paper explain how to detect, contain and remove Conficker:  http://www.honeynet.org/papers/conficker

If you are going to use NMAP then check DAN’s post http://www.doxpara.com/?p=1294

Update 3:

 Symptoms of being infected:

  • When you find yourself not able to access the anti-virus websites or security related websites.
  • When you find your account locked out in the directory
  • When you find an autorun.inf files in the recycled directory
  • When you notice deny access to admin shares
  • When you notice malicious traffic sent through port 445

 SANS have set up a diary for updates on conficker at: http://isc.sans.org/diary.html?storyid=5860

 

Final word for today: even if you get infected and go looking for a removal tool for conficker, make sure you download a removal tool from a vendor that you always deal with or at least are sure of and heard of. The last thing you would ask for is downloading a bogus conficker removal tool that has been set up by cyber criminals!

 

(WATCH OUT THIS ENTRY, I’ll keep updating it with Conficker Info)

 

Happy Conficker’ing Day!

Fatma Bazargan

Advertisements

2 Comments so far
Leave a comment

That is a really Interesting information ,Great job Fatima.. keep it up..

Comment by Laila

Thanks Laila.

Comment by Bazargan




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s



%d bloggers like this: