Tuesday, March 31, 2009

Conficker Roundup

The Conficker worm is the current information security hot topic, with tomorrow's activation date looming and lots of press hype. Here are some of the best resources out there for those who have to fight either Conficker or the hype around it.

  • The ISC has an excellent roundup.
  • Microsoft's technical page on Conficker and their home user page.
  • F-Secure provides Conficker information in a nice Q&A format.
  • Brian Acohido has a timeline of Conficker's versions.
  • SRI's technical analysis is great if you want a deeper technical view of Conficker.C.
  • SecureWorks notes that the April 1st date the media has hyped isn't as significant as other writers might have you believe: "The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers." The article is well written and helps explain why April 1st should not be a panic date.
  • The Honeynet Project has released their paper titled Know Your Enemy: Containing Conficker, as well as a detection tool called Downatool2.
  • The Conficker Working Group wiki (edit: currently not available)
  • The Malware Protection Center provides detail as well: Information about Worm: Win32/Conficker.D and an Update on Conficker.D. Conficker.D has a better domain generation algorithm, and thus will attempt to download from 500 of 50,000 servers, rather than the much more limited set used by earlier versions.
  • The major AV vendors each have a writeup: McAfee, Symantec, Sophos, and others are all on board.
3rd Party Reporting and Monitoring

Various third parties are monitoring for Conficker and will allow you to sign up to receive data about your network using your ASN or IP range. A full list will be available shortly.

Conficker Cleanup and Removal
  • F-Secure provides a free tool called Easy Clean.
  • SecureWorks has removal instructions using F-Secure or Microsoft's Malicious Software Removal Tool.
  • McAfee's Stinger now has Conficker support.
  • McAfee and AVG users are advised to run an on-demand scan.