Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42869
  • Total Topics: 16078
  • Online Today: 3869
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: Conficker flaw reveals which computers are infected  (Read 5104 times)

0 Members and 2 Guests are viewing this topic.

georgecloner

  • SCF VIP Member
  • *****
  • Posts: 171
  • KARMA: 16
  • Gender: Male
Conficker flaw reveals which computers are infected
« on: 31. March 2009., 16:48:48 »


Even worm creators write buggy software.

Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.

However, Conficker's "patch" has a weakness that can be used to distinguish between patched computers and infected computers that look patched, according to the nonprofit Honeynet Project.

Some of the researchers have released a proof-of-concept scanner that can be used to detect Conficker. The tool is being integrated into the free nMap vulnerability scanner, as well as scanning tools from companies including Qualys, nCircle, and Tenable. The tools are designed for use by network administrators at companies and not consumer users.

"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

Qualys' remote-detection Conficker scanner is automatically available to its subscribers and will be available to others soon, said Wolfgang Kandek, Qualys' chief technology officer.

The worm has been around since November, but the most recent variant is programmed to connect to other computers on April 1 and as a result has triggered mass confusion and a media frenzy.

The worm exploits a vulnerability in Windows that Microsoft patched in October, as well as through network shares and removable storage devices like USB drives.

The latest variant shuts down security services, blocks connections to security Web sites, downloads a Trojan, and connects to other infected computers via peer-to-peer technology. It also includes a list of 50,000 different domains to reach out to for updated copies or instructions, but only 500 of those will be contacted on April 1. Earlier versions of the worm attempted to contact 250 domains.

A quick way to tell if your computer is infected is to try to access the Web site of a major antivirus vendor, which the worm blocks.

The U.S. Department of Homeland Security has released a Conficker detection tool for government agencies and state and local governments to use that ws developed by US-CERT.

The OpenDNS security services provider blocks access to the domains listed in the Conficker code. Microsoft has more information on its site, as does Symantec. The

Does that mean the next version will fix the flaw in the code?

{CNET}
Creativity is a mental and social process involving the generation of new ideas or concepts, or new associations of the creative mind between existing ideas or concepts.

Samker's Computer Forum - SCforum.info

Conficker flaw reveals which computers are infected
« on: 31. March 2009., 16:48:48 »

georgecloner

  • SCF VIP Member
  • *****
  • Posts: 171
  • KARMA: 16
  • Gender: Male
Re: Conficker flaw reveals which computers are infected
« Reply #1 on: 31. March 2009., 16:51:53 »
Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.mcafee.com

 :thumbsup:
Creativity is a mental and social process involving the generation of new ideas or concepts, or new associations of the creative mind between existing ideas or concepts.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Conficker flaw reveals which computers are infected
« Reply #2 on: 31. March 2009., 17:57:12 »

Thank you GC, very useful info.  :thumbsup:

haz

  • SCF Advanced Member
  • ***
  • Posts: 117
  • KARMA: 26
  • Gender: Male
Re: Conficker flaw reveals which computers are infected
« Reply #3 on: 01. April 2009., 09:22:17 »
Thanks a lot for the useful info,
Bit defender also offers a tool to check for conficker on a single PC or a Network
 http://www.bdtools.net/
I tried them both, the network tool really saves a lot of time, since the admin can deploy it on all the machines at once and get the results back about every one, firstly I thought that the users wont get anything on their screens, soon after an employee came to me thinking that he was being hacked !  ;D
turned out that the tool does show two command line windows in the screen  :)
The desktop tool is great too.

mashed

  • SCF Member
  • **
  • Posts: 63
  • KARMA: 10
  • Gender: Male
    • Stressed
Re: Conficker flaw reveals which computers are infected
« Reply #4 on: 01. April 2009., 20:16:32 »
thanks haz, my pc's are clean :)

Samker's Computer Forum - SCforum.info

Re: Conficker flaw reveals which computers are infected
« Reply #4 on: 01. April 2009., 20:16:32 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising