Heh, this is Dan Kaminsky, from the story. Just to make something very clear:

Tillmann Werner and Felix Leder are the Honeynet Project researchers who actually noticed the behavioral shift introduced by Conficker. I've been doing work in fingerprinting lately, so I saw the opportunity to make it quite a bit easier to track down infected nodes in large organizations, but again, it was Tillmann and Felix who actually designed the fingerprinting logic that ultimately all these other organizations are integrating into their vulnerability scanning systems.

This is one small part of what's actually some very fine research about Conficker. This is their baby, I've just been helping it fly.

Does this mean ISPs will now be able to scan for customer's infected PCs and block them from their networks?

The (L)users who did not pay attention to their security should face be made to realise that they have a responsibility to themselves and other internet users to secure their systems. Either that or swap to an OS that isn't riddled with security holes.

All jolly fine for security researchers, but what are Microsoft Windows people supposed to do with a couple of Python files and a text file containing a few IP addresses (and no CR/LFs)?

Ummmm.. very clever. Now make a tool that admins can actually use.

I'm just gonna have to learn Python in the next few hours I guess.

You just prevented a mass exodus away from Redmond

Wait.......... !!

Um. Why can't they infect a PC, and change the system clock?

So let's see, millions of home PCs infected with conficker that have windows update and antivirus disabled by it.

They're not going to be disinfected within 2 days are they?

It's all well and good but if the machine is closed on port 445 then it's not gonna find a thing.

Please get rid of the penguin and "good Jobs" logos. Then perhaps we would get less posters thinking obscurity = security.

PH, because some people have as much of an idea as her.

Hah, come on, how hard is it to install python on your windows box?

http://www.python.org/download/windows/

Can someone explain why your antivirus software wouldn't pick up which machine have Conflicker? Most entreprise a/v products already report back to a central server on your LAN anyway.

This reads like another of Dan Goodin's bi-weekly "My mate Dan Kaminsky told me he did this ..." stories.

Do we not get a quote from Graham from Sophos too?

Because all that would tell them is that it's going to contact a server and await instructions, which believe it or not the clever people already know.

It's the content of those instructions which isn't known, and won't be known until they're issued, which won't be until the deadline.

It's like saying "I wonder what the weather will be like in two months time... I'll just wind my PC clock forwards and look at the weather reports for 'today'" - it just doesn't work.

Run "Path=c:\python26" from command line, then follow commands above to resolve an error about Impacket directory not existing when running python.exe from the \python26 directory and referencing the full path where Impacket was extracted.

well, back to the drawing board I guess.

Confliker is much better at this game than you guys. It checks a whole bunch of websites to confirm the time, it doesn't rely on the system clock. As for AV detection, it disables AV.

..with USB sticks, hung from their own petard, floating down the Moskva River on Wednesday. Aprillia!! (April Fool) Or, Апрель Идиот - more appropriate.

Cunch of Bunts. Give the b'stards some Vogon poetry to write. Death's too good for them.

Tombstone, natch

@AC:

" Make that a couple of Python files that don't even compile... "

That would be because Python is a scripting language and is interpreted at run-time, no?

So where's the one-click .EXE file for Windows users to at least tell them they have a problem or not, even if it doesn't remove the contamination itself ?

It's all well and good saying "It's not hard to download Python", but I'm sure it's equally, "Not hard to have effective security in place to stop such infections", but let's not forget it isn't just corporates having problems who (hopefully) employ competant sysadmins ... so let's put that nonsense to one side and get on with dealing with the problem before the clock runs out.

I llooked at the nmap site but couldn't see anything in the changelog which says what version I should be using, I don't care which paid for softwre will include detection, I want something I can download, run and breath a sigh of relief orknow which WAN cables to take the scissors to.

Full marks for the industry "responding", but so far it seems to be near zero marks in providing tools your average user can actually use ...

Unless someone knows differently ?

works on my machine.

It's been here for ages: http://www.bdtools.net/

How shit is an A/v product if a network distributed virus can disable it?

Conficker doesn't rely on just the system clock. It gets updates from main stream websites as well for the time and date

but i get an error and I'd quite like to get this running.

c:\python30\python.exe scs.py 10.226.40.40 10.226.40.254

gives invalid syntax error.

would one of the python genii on here mind telling a noob what they're doing wrong?

cheers

PH cos i have as much idea about Python as her.

There is no evidence that the authors of the worm are Russian. There is *some* evidence that they *might* be Ukrainian - but it's pretty slim; I wouldn't rely on it. Basically, we don't know who these guys are. But - patience. We'll find out.

I was so looking forward to Wednesday

Hey what's the agenda for the Fools Day in your city?

Or, most probably, 2 days before the next Conficker C insignificant update. The other variants (e.g. the B variant, you know, the most widespread one) call home constantly already, and we're not dead yet.

""We have no idea what Conficker is going to do on April 1," Kaminsky said."

Well Mr Kaminsky might not know, but I think I have a pretty good idea. Nothing is gonna happen. Nothing noticeable at least.

El Reg is beginning to look a lot like the Daily Mail.

So what's Alison Krauss *really* like?

Just found 9 machines on a network I partly look after. I'm guessing there are probably lots more that are either turned off or still have working firewalls.

Many thanks to the authors!

No resp.: ***.***.***.***.445/tcp.

Is what I get on 98% of my machines that I scanned, is this correct or am I doing something wrong?

"...seems to be clean."

Is what I'm getting on a few of them, but not many...

What message do you get if it finds an infection?