Conficker Detection
The Internet did not break down yesterday due to Conficker, it seems like the topic was hyped a bit too much by the media.
In case you want to quickly check whether or not your machine is infected with the worm, you can use a simple check developed by Joe Stewart from SecureWorks. Simply go to http://honeyblog.org/junkyard/conficker/ and check which images your browser shows:
Furthermore, the Honeynet Project recently released a paper entitled "Know Your Enemy: Containing Conficker" which presents in detail several methods to detect the worm based on network characteristics,
Abstract:
The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domainname generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download including source code.
In case you want to quickly check whether or not your machine is infected with the worm, you can use a simple check developed by Joe Stewart from SecureWorks. Simply go to http://honeyblog.org/junkyard/conficker/ and check which images your browser shows:
Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
Furthermore, the Honeynet Project recently released a paper entitled "Know Your Enemy: Containing Conficker" which presents in detail several methods to detect the worm based on network characteristics,
Abstract:
The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domainname generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download including source code.
Keeping the tradition of the blog up... just a short write-up this week. Lots of other dings to do. Nevertheless I had some fun with the recent top security news.
Tracked: Apr 26, 17:29