Qualys Blog

www.qualys.com
wkandek

More from the Trenches on Developing the Remote Check for Conficker

Here is a bit more information and links on how the detection was implemented and QA’ed at Qualys and other vendors.

  • laws.qualys.com – all true but skimps over details as to the team involved from Qualys' side – on Sunday we had 5 people involved until midnight when automatic regression started. On Monday (largely QA at that time), at least at team of 10, reaching out to their individual contacts in the industry to gather as many Conficker samples (A,B,C, D and some other weird ones…) as possible. QA was crucial here as we did not want a false positive, i.e. Qualys ID 1227 fires on hosts that are healthy. We knew that we were OK after the analysis of the nightly regression run (against 100s of machines) showed that we had no unexpected Confickers in our test network. More details here on how to setup a QualysGuard scan for Conficker.
  • www.doxpara.com – Dan Kaminsky’s blog – the reference, so to speak. It was Dan who pinged Rich Mogull ( www.securosis.com) to start working on alerting all vendors to the existence of the remote detection (look at Rich’s blog to see that the German researchers have worked for month on determining the behavioral differences between MS08-067 patched and Conficker patched….). He orchestrated the diffusion of the information and coordinated also the first press release on early Monday, where he pointed out that a public, open source tool exists (the python script by Felix and Tillman in Germany) and that well-known scanner vendors will follow up during the day. Dan also posted on Slashdot the same information, but there is very little updated info in the post – as so often in Slashdot the discussion wanders.
  • http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ – this is the site of the German researchers on Conficker – has the link to their paper on the subject, to their scanner and other very useful research tools, including a "vaxcination" which puts an empty dll plus registry entries that fake the real virus into thinking that it its already on the machine.
  • NMAP has some information on their nmap development list the posts at the end give some insight into their rollout process, at some point on Monday code was in their development repository and people could download that, patch the BETA4 release and scan, later Monday 1 PM, they released the BETA5 and declared that the recommended scanner to use…see their release announcement here.
  • nCircle had their announcement linked on Dan’s page – www.doxpara.com here and here. nCircle’s Twitter post indicates they released around 3 PM on Monday.
  • Tenable published their plug-in for Conficker detection yesterday as well.

Let me know what you see and hear out there – Qualys will monitor statistics for our detections in the next couple of days and once we have relevant data will update you. We are especially interested what the impact will be on patching activity for the MS08-067 vulnerability.

Leave a Reply