Wednesday, April 1, 2009

Remote method to test for Conficker Infection

Researchers have found a way to detect remotely whether a system is infected with the Conficker worm. The new technique involves remotely calling the NetpwPathCanonicalize() function. It was discovered by two German researchers, Felix Leder and Tillmann Werner, from the University of Bonn.

Nmap and Nessus have also been updated with this technique to detect infected systems.

The above method is good if you need to test a large number of systems remotely. For a quick and easy way, you can just try to access sites like symantec.com or sans.org on the infected systems. Conficker will block access to these sites (and a list of other sites).
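The quick check above can be scripted so that a general network outage is not mistaken for Conficker's blocking. This is an added example, not code from the researchers or from the tools named in this post; the control sites, the function names and the assumption that the blocking shows up as a failed name lookup are mine.

```python
import socket

# Sites the post names as blocked on infected systems.
SECURITY_SITES = ["symantec.com", "sans.org"]
# Assumption: control names not on the worm's block list (not from the post).
CONTROL_SITES = ["example.com", "example.org"]


def system_resolver(host):
    """Return True if this machine can resolve the host name."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def assess(resolve=system_resolver, security=SECURITY_SITES, control=CONTROL_SITES):
    """Classify the host from which names resolve; returns (verdict, details)."""
    sec = {h: resolve(h) for h in security}
    ctl = {h: resolve(h) for h in control}
    details = {"security": sec, "control": ctl}
    if not any(ctl.values()):
        # Nothing resolves: a network or DNS outage, not evidence of blocking.
        return "inconclusive", details
    if not any(sec.values()):
        # Controls work but every security site fails: matches the blocking pattern.
        return "suspicious", details
    if all(sec.values()):
        return "no-blocking-seen", details
    # Mixed result: could be a site outage or filtering; check by hand.
    return "partial", details


if __name__ == "__main__":
    verdict, details = assess()
    print(verdict)
    for group, results in details.items():
        for host, ok in results.items():
            print(f"  {group:8} {host:15} {'resolved' if ok else 'FAILED'}")
```

Run it on the machine being checked; a "suspicious" result is a reason to follow up with the remote scan, and "no-blocking-seen" does not by itself prove the system is clean.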

The research details can be found at this link: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Updated on 07 April 09
The Conficker Working Group has set up a "Conficker Eye Chart" website to show people what their browser will look like if they have been infected. You can visit this website to check if your system is infected.

Conficker Eye Chart Website

For more info on the Conficker virus, visit W01f's Labs
