Tuesday, March 31, 2009

Conficker

Conficker is possibly the most fearsome worm of all time. Its capabilities have researchers, the industry and security practitioners worried. It infects via infected portable drives, by exploiting unpatched Windows systems, or by brute-forcing weak passwords. The C variant is awaiting instructions from its author(s) tomorrow... 1st April 2009, aka "April Fool's Day". No joke!!!
Academic research paper and proof-of-concept detection tools here.
Nmap v4.85 Beta 5 supports Conficker detection as well.
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
Nessus has a new plugin to detect Conficker too.
Folks... you've been warned before. Disable Autorun, patch your OSs and use strong passwords.
Update: Conficker blocks access to security websites. Here is a simple test to verify if your system might have been infected.
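
One way to script a check like this, as an added example that is not part of the original post or of the test it links to. The host lists are sample values chosen for illustration, and the check assumes that the blocking shows up as a name-resolution failure on the affected machine.

```python
import socket

# Sample host lists chosen for this example (assumptions, not from the post).
SECURITY_SITES = ["www.microsoft.com", "www.symantec.com", "www.kaspersky.com"]
CONTROL_SITES = ["www.wikipedia.org", "www.example.com"]


def system_resolver(host):
    """Return True if the operating system's resolver can resolve host."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def blocked_site_check(resolve=system_resolver,
                       security=SECURITY_SITES, control=CONTROL_SITES):
    """Compare security-site lookups against control-site lookups.

    Returns (verdict, blocked_hosts). The control sites separate
    "security sites are being blocked" from "this machine has no
    working name resolution at all", which would otherwise look the same.
    """
    sec = {h: resolve(h) for h in security}
    ctl = {h: resolve(h) for h in control}
    blocked = sorted(h for h, ok in sec.items() if not ok)

    if not any(ctl.values()):
        verdict = "inconclusive"      # nothing resolves: offline or DNS down
    elif len(blocked) == len(sec):
        verdict = "suspicious"        # controls work, every security site fails
    elif blocked:
        verdict = "partial"           # some security sites fail: investigate
    else:
        verdict = "no-blocking-seen"  # does not prove the system is clean
    return verdict, blocked


if __name__ == "__main__":
    verdict, blocked = blocked_site_check()
    print("verdict:", verdict)
    for host in blocked:
        print("could not resolve:", host)
```

A "suspicious" or "partial" result is a reason to scan the machine with the tools mentioned above, not a diagnosis on its own; a local DNS filter or proxy policy can produce the same pattern.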

2 comments:

Figo said...

scary!

nephos said...

It was only a matter of time. I've preached about the loopholes for years.