[ISN] Conficker flaw reveals which computers are infected

From: InfoSec News <alerts_at_private>
Date: Tue, 31 Mar 2009 02:07:06 -0600 (CST)
http://news.cnet.com/8301-1009_3-10207375-83.html

By Elinor Mills
Security
CNet News
March 30, 2009

Even worm creators write buggy software.

Once it infects a computer, the Conficker worm closes the hole in 
Windows that it used to get onto the system so no other malware can get 
in. This also makes it difficult for organizations to detect which 
computers have the legitimate Microsoft patch and which have the fake 
Conficker patch.

However, Conficker's "patch" has a weakness that can be used to 
distinguish between patched computers and infected computers that look 
patched, according to the nonprofit Honeynet Project.

Some of the researchers have released a proof-of-concept scanner that 
can be used to detect Conficker. The tool is being integrated into the 
free Nmap vulnerability scanner, as well as scanning tools from 
companies including Qualys, nCircle, and Tenable. The tools are designed 
for use by network administrators at companies and not consumer users.

"What we've found is pretty cool: Conficker actually changes what 
Windows looks like on the network, and this change can be detected 
remotely, anonymously, and very, very quickly. You can literally ask a 
server if it's infected with Conficker, and it will tell you," Dan 
Kaminsky, director of penetration testing at IOActive who worked with 
The Honeynet Project, wrote on his blog. "We figured this out on Friday, 
and got code put together for Monday. It's been one heck of a weekend."

[...]


Received on Tue Mar 31 2009 - 01:07:06 PDT
