Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines which is easy to detect using a variety of off-the-shelf network scanners. The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm.
As of March 30, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee’s Foundstone Enterprise, and Nessus, made by Tenable Network Security. Up to now, there were only two ways to detect Conficker, and neither was easy. One was to monitor outbound connections for each computer on a network, an effort that had already proved difficult for organizations with machines that count into the hundreds of thousands or millions. With the advent of the Conficker C variant, traffic monitoring became a fruitless endeavor because the malware has been programmed to remain dormant until April 1. The only other method for identifying Conficker-infected computers was to individually scan each one, another measure that placed onerous requirements on admins. The discovery of Conficker’s tell-tale heart two days before activation may prove to be an ace up the sleeve of the white hat security world.