
Dan Kaminsky <http://www.doxpara.com/>  writes "We may not know what the
Conficker
<http://it.slashdot.org/article.pl?sid=09/01/16/142211&tid=172>  authors
have in store for us on April 1st, but I doubt many network
administrators want to find out. Maybe they don't have to: I've been
working with the Honeynet Project <http://www.honeynet.org/>'s Tillmann
Werner and Felix Leder, who have been digging into Conficker's profile
on the network. What we've found is pretty cool: Conficker actually
changes what Windows looks like on the network, and this change can be
detected remotely, anonymously, and very, very quickly. You can
literally ask a server if it's infected with Conficker, and it will give
you an honest answer. Tillmann and Felix have their own proof of concept
scanner <http://iv.cs.uni-bonn.de/uploads/media/scs.zip> , and with the
help of Securosis <http://securosis.com/> ' Rich Mogull and the
multivendor Conficker Working Group
<http://www.confickerworkinggroup.org/wiki/> , enterprise-class scanners
should already be out from Tenable
<http://www.tenablesecurity.com/solutions/> (Nessus), McAfee/Foundstone
<http://www.mcafee.com/> , nmap <http://www.nmap.org/> , ncircle
<http://www.ncircle.com/> , and Qualys <http://www.qualys.com/> . We
figured this out on Friday, and got code put together for Monday. It's
been one heck of a weekend."



Don Bosman 
Information Technologist 
Libraries, Michigan State University 
  100 Library 
  East Lansing, MI 48824-1048 
  (517) 432-6123 ext 233