Conficker Detection Breakthrough From Germany

Dennis Faas's picture

German security researchers at the Honeynet Project have scored a major breakthrough in studying the behavior of the Conficker/Downadup worm. According to reports, there now may be a way to detect the malware on infected networks.

Security researchers, with the help of Dan Kaminsky and Rich Mogull, have the ability to remotely and anonymously detect Conficker infections.

Kaminsky explained that since the Conficker/Downadup malware changes the way Windows looks on a network, it is possible to scan a network and have it "respond" whether or not it is or is not infected with Conficker.

Malware Tries to Patch its own Exploited Flaw

Tillmann Werner and Felix Leder, two German researchers from the Honeynet Project, figured out that the malware tries to patch the same security flaw (MS08-067) that it previously exploited. The binary patch NetpwPathCanonicalize() -- used by the Conficker/Downadup worm -- works quite a bit differently, meaning that network scanners are able to pinpoint the existence of the malware. (Source:

The Honeynet Project released a proof of concept scanner that contains tools and information on containing the Conficker/Downadup worm. (Source:

Enterprise-class scanners from Tenable, McAfee, Nmap, Ncircle and Qualys are also available.

Don't Fear The Reaper, or April 1st

On April 1st, the Conficker/Downadup malware is programmed to generate thousands of domain names a day, but that does not mean that the world is going to end or that computers will self-destruct.

As noted by ZDNet, you shouldn't fear the worm's activation date because Conficker can already receive updates; therefore, focusing on the April 1st detonation date is misguided.

Some of the best security researchers in the world are working diligently to mitigate the domain issue. 50,000 domains are being closely monitored, so if any malicious server appears, it will most likely be rendered useless. The author(s) of the malware probably won't do anything on the one day everyone's watching -- in other words, the day they might get caught.

An excellent analysis of what the Conficker/Downadup worm is and isn't can be found from SRI International. (Source:

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet