Using Conficker's Tricks To Root Out Infections

iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."

Am I the only one...

[Bicx]

that thinks Conficker is actually really cool? I mean, damage aside, it's pretty darn impressive.

Re:Am I the only one...

[myxiplx]

Yup, damned impressive worm, if you read some of the detailed writeups it really highlights just how professional these things are now.

It's doing us the world of good here - we've got pretty good security already, and getting budget for the next set of steps I want to take should be a whole lot easier now. All I'm having to do is point out just how widely Conficker spread, show some of the big names it hit, and then point out just how long it took them to clean their networks after the fact.

All of a sudden a few pounds spent protecting the network look like a good idea :)

Protocol

[s1lverl0rd]

What if Conficker D changes its 'protocol' and marks every computer that sends an 'old message' as either a host that needs updating or a nmapping attacker/next victim?

Or...

Easiest way to detect if you're infected: see if you can reach nmap.org

Nmap?

[xtracto]

Isn't the guy who created nmap active on slashdot? (fyodor or something like that?)