The experts at SRI International, who have been tracking the Conficker worm as closely as anyone, have released the source code to the scanner they wrote to detect the active P2P scanning that Conficker-infected machines perform.
The Conficker worm exhibits a number of interesting characteristics that have helped researchers identify infected machines and help stop the worm’s spread. For example, Conficker-infected machines always open two TCP ports and two UDP ports in order to listen for traffic from other infected machines. SRI’s scanner works by scanning all of the IP addresses on a given network and identifying hosts that have opened those ports.
Users can download the source code for free and run the scanner on their own networks to find infected machines. Many of the large commercial network scanning vendors also have released signatures that will identify infected PCs by fingerprinting a patch that the Conficker worm uses to fix the MS08-067 vulnerability it exploits.
Though much of the research and development in the security industry is by necessity driven by vendors, the work done by groups such as SRI and The Honeynet Project (which discovered the patch-fingerprinting method of identification) is invaluable. The work done by these mostly volunteer groups is vital to the continued advancement of the state of the art in security.