Technology Review - Published By MIT

A Plan to Catch the Conficker Worm

A new tool allows entire networks to be scanned efficiently for infection.

By Erica Naone

Monday, March 30, 2009


On April 1, a computer worm called Conficker, which has already infected millions of machines worldwide, is expected to do something bad, though no one knows exactly what. Some experts fear that an army of infected machines could be ordered to launch a coordinated attack or send out a barrage of spam. But a tool released today could help lessen the impact by allowing big companies and institutions to quickly weed out infected machines by scanning entire networks for signs of infection.

Credit: Technology Review

Analysis of the Conficker worm has previously revealed that infected computers will "phone home" on April 1 to receive a new set of instructions. It is already possible to detect the worm by scanning machines individually, but this is a relatively time-consuming process. It's also possible to detect the bug by watching for outgoing communications sent across a network, but the latest version of Conficker is designed to stay silent until April 1.


Dan Kaminsky, director of penetration testing for the Seattle-based security company IOActive, helped create the new scanning tool and says that it can identify an infected machine by recognizing the way it presents itself to the wider network. This makes it quick and easy to scan for the worm remotely and does not require any special access to machines. "It's like driving through a neighborhood looking for houses with big signs on their doors," Kaminsky says.

The tool was created after Tillmann Werner and Felix Leder, members of an independent research organization called the Honeynet Project, asked Kaminsky to review their research on Conficker. The pair had figured out that the worm changes the way a machine appears on a network. Kaminsky seized on this, suggesting that the researchers create a tool that uses this information to find infected machines. The researchers built such a tool and worked through the weekend to get it ready for broad distribution to suppliers of other security software. "Whatever vulnerability scanner a company is using, it should have support for this by the end of the day," Kaminsky says.

Comments

  • Will a temporary take-down work?
    Identifying infected hosts and removing them from the network is doable, but it's considered too drastic.  How about taking them off the network only for the period when the worm is scheduled to "phone home"?  Much less drastic, and 100% effective if we know the schedule.  (I assume that "home" will be taken out of commission ASAP.)

    jpdemers
    03/31/2009
    Posts:40
    Avg Rating:
    4/5
  • The Conficker Worm
    I think that the only way to catch this worm is to have it yourself!

    That way you can trace where it's contacting - and that might also explain what the virus will actually do!

    I think that the hackers have realised that if they want to hack a big computer, they need all the innocent PCs they can get. I think that today they have been attempting to control all the infected computers to do something - that way it will be way too strong for (whatever they want hacked) firewall.

    So I think that someone should try actually getting the worm to find out what it's contacting. I'm sure that the hackers won't make their IP too obvious, so they'll have used a proxy.

    But even that can be traced carefully!

    mitchell.mus...
    04/01/2009
    Posts:5
    Avg Rating:
    4/5
    • Re: The Conficker Worm
      Protection for your computer.
      Search-and-destroy Antispyware is one of the best options available when you are searching for protection for your computer that you can trust. I know because I have tried many different types of scans in the past and the biggest difference I have found between them is the price. I found the antispyware solution from Search-and-destroy to be a great option that is affordable and easy to use. Visit http://www.Search-and-destroy.com to learn more about this scan and what it can do for you. If you are like me, you will be glad that you took the time to check it out.

      Spider Net
      04/15/2009
      Posts:6
      Avg Rating:
      2/5
  • Keep your computer running like new.
    Have you been searching for a great antispyware to keep your computer running like new? If so, you will be happy to know that there are some great options out there. I have tried many different types of antispyware only to find that the majority of them find the exact same types of bugs. The biggest difference that you will find between all the different types of antispyware offered is the price. Search-and-destroy Antispyware is an excellent choice that can be purchased at a lower price than many of the other options available. If you are interested in discovering the benefits offered from antispyware solution from Search-and-destroy visit http://www.Search-and-destroy.com to learn more.

    Spider Net
    04/15/2009
    Posts:6
    Avg Rating:
    2/5
  • Spam
    Those 2 previous messages are clearly spam; can some admin remove them?

    Sly
    04/15/2009
    Posts:11
    Avg Rating:
    4/5
    • Re: Spam
      I agree. Can they be removed?
      By the way: great article!

      mitchell.mus...
      04/19/2009
      Posts:5
      Avg Rating:
      4/5
