In association with heise online

30 March 2009, 17:09

German researchers develop network scan for Conficker worm


Felix Leder and Tillmann Werner from the University of Bonn have analysed the Conficker worm and discovered that it changes the way Windows responds to certain system calls. This can be exploited to allow the remote detection of Conficker-infected systems.

Specifically, a scanner can remotely call the NetpwPathCanonicalize() function, which contains the vulnerability through which Conficker spreads. When present, Conficker intercepts and handles these calls, and in certain cases the response to the call is modified. For the test to succeed on a Windows system, TCP port 445 must be accessible. This port is not normally (and indeed shouldn't be) accessible from the web.

[Image: The worm reveals itself by its response to the NetpwPathCanonicalize function.]

Leder and Werner have written such a scanner as a feasibility demonstration. In collaboration with Dan Kaminsky, they have forwarded this information to the Conficker Working Group and other security experts, so third-party scanners offering this functionality are likely to be available soon. Kaminsky has announced extensions for nmap, Tenable (Nessus), McAfee/Foundstone, nCircle and Qualys.

Company administrators are well advised to scan their networks for infected systems before 1st April – the date on which Conficker.C will begin to download updates from the internet. What the effect of these updates will be remains completely unknown. Many anti-virus software vendors are offering specific programs for removing Conficker. However, the safest option on an infected system is to reinstall the operating system and then copy over your backup data.
