The Confiker Virus.

Wilkinson, Alex alex.wilkinson at dsto.defence.gov.au
Tue Mar 31 08:33:41 CDT 2009


    On Tue, Mar 31, 2009 at 09:22:32AM -0400, Steven M. Bellovin wrote:

Honeynet Project has released Know Your Enemy:  Containing Conficker:

   Our "Know Your Enemy: Containing Conficker" whitepaper was released on March
   30th as a PDF only. You can download the full paper from the link below.

   Paper Abstract

   The Conficker worm has infected several million computers since it first started
   spreading in late 2008 but attempts to mitigate Conficker have not yet proved
   very successful. In this paper we present several potential methods to contain
   Conficker. The approaches presented take advantage of the way Conficker patches
   infected systems, which can be used to remotely detect a compromised system.
   Furthermore, we demonstrate various methods to detect and remove Conficker
   locally and a potential vaccination tool is presented. Finally, the domain name
   generation mechanism for all three Conficker variants is discussed in detail and
   an overview of the potential for upcoming domain collisions in version .C is
   provided. Tools for all the ideas presented here are freely available for
   download including source code.

   In addition, as a result of this paper and the hard work of Dan Kaminsky, most
   vulnerability scanning tools (including Nmap) should now have a plugin or
   signatures that allow you to remotely detect infected Conficker systems on your
   networks.  Finally, we would like to recognize and thank the tremendous help and
   input of the Conficker Working Group.

   Paper last updated March 30th 2009, 23:00 GMT (rev1)

   http://www.honeynet.org/files/KYE-Conficker.pdf


  -aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914.  If you have received this email in error, you are requested to contact the sender and delete the email.

More information about the NANOG mailing list