As the world prepares for the complete destruction of the Internet tomorrow when the Conficker worm makes a small change in its communication protocol, a voice of reason has emerged from the wilderness. The Honeynet Project on Monday released a paper with a detailed analysis of the worm as well as some weaknesses in its design that allow for identification of infected machines.
As my colleague Ryan Naraine reported yesterday, the Honeynet researchers discovered that Conficker attempts to patch the Windows flaw that it uses to compromise machines. But it does so in a sloppy way that allows researchers to identify infected PCs. In their paper, the Honeynet researchers lay out exactly how to identify and disinfect compromised machines.
“All Conficker variants try to patch the infected systems to prevent re-exploitation. The handler, installed as a function hook, changes the behavior of RPC requests on infected machines. This information can be used to remotely scan for Conficker infections. In addition to actively scanning, machines infected with Conficker.A and .B can be identified using the presented IDS signatures,” they write.
You can read the full Honeynet Project paper here. (.PDF)
