Conficker detection and containment tools
Just in time for the April 1 timebomb, the Honeynet Project and other researchers have released tools for detecting the major Conficker variants, preventing infection, and stopping infected machines from phoning home for payloads.
From Containing Conficker: tools and info you can download:
- Lists and generators for the domain names that Downadup/Conficker A, B, and C try to contact to download payloads.
- A memory “disinfector” that terminates Conficker threads without terminating the host process they run in.
- A file and registry scanner that checks for Conficker B and C DLLs.
- A “vaccination DLL” that makes Conficker A, B and C think the machine is already infected.
- A Python-based network scanner that identifies infected machines.
- Snort intrusion detection signatures for Conficker A and B.
Very nice work.
Apparently updates for Nessus and other major vulnerability scanners are out, as is a plugin for Nmap.
See also Dan Kaminsky’s blog and the Conficker Working Group.
Update: Tools and whitepaper have been released:
- Conficker detection script for Nmap
- Nessus plugin 36036: Conficker Detection – Network check
- Honeynet paper Know Your Enemy: Containing Conficker