Our "Know Your Enemy: Containing Conficker" whitepaper was released on March 30th as a PDF only. You can download the full paper from the link below.
The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domainname generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download including source code.
In addition, as a result of this paper and the hard work of Dan Kaminsky, most vulnerability scanning tools (including Nmap) should now have a plugin or signatures that allow you to remotely detect infected Conficker systems on your networks. Finally, we would like to recognize and thank the tremendous help and input of the Conficker Working Group.
Paper last updated April 7th 2009, 16:44 GMT (rev2)
PDF MD5sum = 135ba75c33534327eb2800e98c8077e8 (KYE-Conficker.pdf Rev1)
PDF MD5sum = a6cc751ff9e8c435518c8f46e791d906 (KYE-Conficker.pdf Rev2)