Posted by: Troy Tate
Tags: anti-virus, antivirus, Conficker, detection, diagnostic tools, honeynet, ms08-067, patches, scanning, vulnerability, vulnerability scanning
A Simple Conficker Scanner (SCS) tool has been released by members of the Honeynet Project. This tool can be run under Linux or Windows. It runs a specially crafted RPC query against a host or range of IP addresses. The tool reports whether systems are clean or potentially infected. I am running this tool against hosts on my network and I found a Windows 2000 server apparently infected by Conficker. I am in the process of clean-up on that host. It looks like a couple of things contributed to the infection on this computer:
1. Out of date anti-virus. The antivirus signatures had not been updated since January 2008.
2. Microsoft patches not applied.
Folks, the advice about maintaining up-to-date AV and applying patches is good advice. Heed the warnings and save yourself the trouble of clean-up. I will be having a discussion with my operations team about this situation and will make it clear that we should have been prepared for this and this situation should not have arisen.
I am also following the advice from McAfee on Combating the Conficker worm.
For more details on how the Conficker worm actually works, follow the links in my blog.
Thanks for reading. Let’s continue to be good network citizens.