March 30th, 2009
Enterprises thrown a lifeline as Conficker worm looms
There has been a big break in the Conficker worm that threatens to activate and cause a lot of havoc on April 1: German researchers at the Honeynet Project have been able to fingerprint the malware on infected networks.
Just days ahead of an April 1st activation date for the Conficker worm squirming through the Windows operating system, security researchers at the Honeynet Project have scored a major breakthrough, finding a way to fingerprint the malware on infected networks.
With the help of Dan Kaminsky and Rich Mogull, off-the-shelf network scanning vendors have the ability remotely (and anonymously) detect Conficker infections.
So what does that mean in English? Anyone with a network scanner, which trolls infrastructure for oddities, has two days to find the Conficker worm and mitigate it. And what entities are most likely to have network scanners? Enterprises. The Honeynet Project has released a proof of concept scanner and enterprise scanners from the likes of Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys will follow. There’s also the Nmap freebie.
This fingerprinting advance for Conficker is a big deal because the worm’s first move is to turn off antivirus defenses. But since enterprises have network scanners as an additional layer of defense the Conficker damage should be limited.
Unfortunately, consumers that rely solely on antivirus software, which is turned off when the worm activates, may still be screwed.
Conficker has garnered a lot of attention in recent days (tech media has never found a killer worm it didn’t like). Conficker has become such a sensation that even 60 Minutes chimed in.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.
For daily updates, follow Larry on Twitter.
Subscribe to Between the Lines via Email alerts or RSS.
