detecting conficker infections over the network

Dan Kaminsky released some information this morning that it is possible to remotely (and anonymously) detect if Conficker has owned a system. He does link to a POC scanner (python). This is the result of some work by Tillmann Werner and Felix Leder of the Honeynet Project. Looking forward to the paper!

Update: Here is more information about Conficker compiled by the handlers at the SANS diary. I haven’t personally paid much attention to Conficker recently, mostly because we appear to be fully patched on known, managed systems where I work, so it has been a non-issue since Microsoft released the patch (MS08-067). That and it was pretty obvious the issue at hand was wormable and would be important.

One thought on “detecting conficker infections over the network”

  1. For corporate domains, scanning for Registry artifacts would be very useful. I wrote regscan.pl and provided it (and an EXE version) in the Download section of RegRipper.net for this purpose.
     I guess you could get into a debate as to whether or not a system is “infected” if the persistence mechanism isn’t set… but using the right tools, you’ve got a free, enterprise-wide solution.
