Slashdot Mirror


Taming Conficker, the Easy Way

Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

3 of 288 comments

  1. The problem... by EddyPearson · · Score: 0, Troll

    1. Conficker updates

    2. Security researchers scrabble to understand latest Conficker code.

    3. Success!

    4. Researchers release the info, in detail.

    5. Researchers warm themselves in the radiant heat of their own brilliance. Community applauds.

    6. Conficker authors read this publicly available information, learn from their mistakes and fix the problems.

    7. Go to 1.

    And this circlejerk will continue until the researchers involved learn to put their egos aside and actually do something useful with the information.

    --
    You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
  2. Re:i find it so hard by An ominous Cow art · · Score: 0, Troll

    There is no such thing as overkill, if it results in one fewer SUV on the road.

  3. Re:So... by iago-vL · · Score: 0, Troll

    Glad to hear it! When I wrote the ms08-067 script, I was surprised to see it posted around the Internet -- I wrote it as a demo of what Nmap can do, not as a production-grade scanner, and I guess it ended up being more useful than the other scripts that I've put *far* more work into :)