Slashdot Mirror


Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

10 of 288 comments

  1. Re:i find it so hard by Anonymous Coward · · Score: 5, Funny

    Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.

  2. Am i doing it wrong? by arndawg · · Score: 5, Funny

    "You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both English and Norwegian.

    1. Re:Am i doing it wrong? by Anonymous Coward · · Score: 4, Funny

      Use the mouse. It's quaint but it works. A Scottish accent may be helpful as well. ;)

    2. Re:Am i doing it wrong? by Yosho · · Score: 5, Funny

      So how do you use a mouse with a Scottish accent?

      Well, first, you've got to get it drunk...

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
  3. Re:i find it so hard by morgan_greywolf · · Score: 4, Funny

    Hi, I'm the author of Conficker and the payload is to get a first post on slashdot.

    That's it? You wrote a worm to get a first post on Slashdot? Damn. How lame are you?

  4. Potential problem by Shrike82 · · Score: 5, Funny

    We figured this out on Friday, and got code put together for Monday.

    And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.

    --
    You can advertise in this sig from as little as £99.99 a month!
  5. Re:Wow! by cbiltcliffe · · Score: 4, Funny

    If you have even half-assed antivirus in a corporate environment, you'll be able to log into the admin console, and see what machines are infected.
    You can also see when a machine was last in contact with the controller, so if a virus kills the A/V on a machine, it will stop contacting. Anything that's been over a week since contact automatically should be physically investigated.

    Of course, you could be using Norton Internet Security 2009 on your corporate machines, which doesn't have this capability. But if you are, you're an incompetent moron, and shouldn't be trusted with a Gameboy, forget a multi-computer corporate network.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  6. Re:-1 Whoosh by L4t3r4lu5 · · Score: 4, Funny

    *Bzzzzzzt!*

    The comment system is temporarily disabled while we resolve this revolving door bug. Apologies for any inconvenience.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  7. Re:Wow! by Pvt_Ryan · · Score: 5, Funny

    I use Antivirus360 on my network, my last scanner was shit, the Antivirus360 free trial found loads of infections my other scanner missed..

  8. Re:i find it so hard by emocomputerjock · · Score: 5, Funny

    All that will be left is a box in Madagascar with its ports closed.