I can already hear a chorus of "Not ANOTHER Conficker blog?", but some of you will want to know about this development.
The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks.
Furthermore, the tool is currently being integrated into mainstream vulnerability scanners like nmap, nessus, and products from ncircle, Qualys and Foundstone. It detects all current variants of Conficker by flagging changes they make to NetpwPathCanonicalize(). No doubt Conficker’s authors are already working on this loophole, but in the meantime, the new routines should seriously mitigate the worm’s impact on corporate networks.
Kudos to Honeynet’s Tillmann Werner and Felix Leder, whose forthcoming "Know your enemy" paper will give a lot more information on the worm and on the new tool, and to Dan Kaminsky, Rich Mogull, and the Conficker Working Group for all their work on this.
For those who just have one or two machines to check, we still have a free removal tool, and as James Coulter pointed out to us, so does Sophos. In fact, so do Bitdefender, Microsoft, Kaspersky and Symantec, among others, and none of us are charging for such tools. I would stress, though, that we’re making these tools available for emergency use by people who don’t have up-to-date anti-malware on their systems right now and can’t easily get to it because the worm is in memory and won’t let them. (If you can’t get to a removal tool like ours either, our suggestion is to find someone with a clean machine to download it for you and transfer it by (preferably write-protected!) removable media. I certainly wouldn’t recommend that you rely on one-shot tools like this as your primary defence against malware in general!
Incidentally, I happened upon the Wikipedia entry for Conficker a little while ago, which mentions several of these tools, and also mentions a couple of vendors who "can remove it with an on-demand scan." Don’t get confused by this: any mainstream product worth having should be able to detect and remove current Conficker variants by now. It doesn’t mean that products with a one-shot removal tool can’t detect or remove it with their for-fee products.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence