
Breakthrough for Conficker worm


Conficker is basically a gigantic pain in the ass that has exited hibernation to the annoyance of administrators everywhere. The latest variant, Conficker.C, has been viewed as a particularly genius step in an altogether brilliant case study in worm authoring. Because it evades heuristic detection and IPS filters, blocks AV applications, prevents access to Windows Update and is just generally an asshole to a whole host of security products, tagging and evicting Conficker was expected to be an arduous task.

Enter the breakthrough: researchers have discovered a misstep in Conficker.C’s design that makes it detectable with the traditional network tool known as nmap. Originally designed as a security tool, nmap is capable of scanning and listing network devices, parameters and services. Unfortunately for Conficker’s author(s), Conficker.C happens to expose just such a service, which nmap can detect with this command:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
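As an added example (not part of the original post or of nmap itself), a small Python triage script that reads the normal-output report produced by the scan above and groups hosts by the script's Conficker verdict, so a large network's results don't have to be read host by host. The sample report and its hosts are constructed, and the exact `Conficker: Likely INFECTED/CLEAN` wording is assumed from the smb-check-vulns script's report format.

```python
import re
from collections import defaultdict

# Constructed sample of nmap normal (-oN) output, with made-up hosts; the
# "Conficker: Likely INFECTED/CLEAN" wording assumes the smb-check-vulns
# script's report format, so adjust CONFICKER_RE if your version differs.
SAMPLE_REPORT = """\
Nmap scan report for ws-101.example.internal (10.0.1.101)
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT VULNERABLE

Nmap scan report for 10.0.1.102
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT VULNERABLE

Nmap scan report for printer-7.example.internal (10.0.1.200)
| smb-check-vulns:
|   Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED)
|_  regsvc DoS: NOT VULNERABLE
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
CONFICKER_RE = re.compile(r"^\|\s+Conficker:\s+(?:Likely\s+)?(INFECTED|CLEAN|UNKNOWN)\b")

def triage(report):
    """Map each Conficker verdict (INFECTED/CLEAN/UNKNOWN) to the hosts reporting it."""
    verdicts = defaultdict(list)
    host = None
    for line in report.splitlines():
        m = HOST_RE.match(line)
        if m:                      # a new per-host block starts here
            host = m.group(1)
            continue
        m = CONFICKER_RE.match(line)
        if m and host is not None:
            verdicts[m.group(1)].append(host)
            host = None            # one verdict per host block
    return dict(verdicts)

def needs_attention(report):
    """Hosts to check by hand: likely infected, plus those nmap could not classify."""
    v = triage(report)
    return sorted(v.get("INFECTED", []) + v.get("UNKNOWN", []))

if __name__ == "__main__":
    print(needs_attention(SAMPLE_REPORT))
```

Feed it the file written by `-oN` for a real scan; hosts in the UNKNOWN bucket (the RADA-style NetBIOS-everywhere case) are the ones that still need a manual look.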

The discovery comes just in the nick of time, as this is the auspicious day on which the newest variant emerges from its beauty sleep to do whatever bogus things it was designed to do.

Companies like McAfee have been quick to piggyback on the discovery by releasing detection tools that sniff for the presence of the worm in a convenient GUI. As the Conficker.C worm prevents access to a whole host of security sites — including all the vendors currently offering a tool — we’ve done you a favor and attached a detection tool to our little update here.

Happy April Fools day.

Download: McAfee Conficker Test

Comments

  1. BuddyJ
    Detection tool seems to work but I had to Ctrl+Alt+Del and kill it in Task Manager to close it after it finished scanning.
  2. Thrax
  3. Linc
    Not only could I not kill it when it was done, it's caused my system to hard reboot twice now in the process of trying to kill it.
  4. Thrax
    Also works fine for Primesuspect.
  5. Linc
    I think the takeaway here is simply "save what you're doing before using beta-quality detection tools".
  6. RADA
    Port 139 is used by NetBIOS for Windows Printer and File sharing.

    NetBIOS is on every machine in our network, which means I'll have to look at each of nmap's returned strings individually.

    With over 1000 computers, this sounds tedious.
  7. Gate28
    Worked fine for me, said none of the systems on my network were infected.
  8. Cyclonite
    Worked fine for me as well. About 200 systems.
  9. Gate28
    Well, since running it now, my screen is flickering, and it locked up while I was watching a video, and since I rebooted the idle pointer is a series of solid white bars, no idea what it could be >.<
  10. QCH
    2000+ Windows systems and no sign of Conficker.
  11. Zuntar
    Works fine, no lockups or worms here.
