Third party information on conficker

Published: 2009-02-13
Last Updated: 2009-04-11 18:15:39 UTC
by Andre Ludwig (Version: 9)
4 comment(s)

This diary will be updated as more information becomes public. Updates are highlighted in green. Please use the URL: "http://www.dshield.org/conficker" to link to this page.

In an effort to provide YOU the end-user the ability to educate your self on this threat we will be posting as much information as possible, from as many sources as possible. This may lead to redundancies in the data that is fallible but we are hoping that this will allow you to pick and choose the information, removal tool, and more importantly your own path when mitigating Conficker. Be careful about help and removal tools offered from unknown sources.

Our own diaries to the topic can be found here: http://isc.sans.org/tag.html?tag=conficker

ALWAYS TEST IN A DEVELOPMENT OR TEST ENVIRONMENT BEFORE ROLLING OUT TO PRODUCTION!

 

Removal Instructions

Microsoft: http://support.microsoft.com/kb/962007
Kaspersky: http://support.kaspersky.com/faq/
BitDefender: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp

To be able to access Anti-Virus vendors and SANS, Microsoft and others, from an infected Conficker.C machine, TrendMicro suggests to use "net stop dnscache" from the command line.
Sophos: http://www.sophos.com/support/knowledgebase/article/51416.html

Removal Tools

Microsoft MSRT: http://www.microsoft.com/security/malwareremove/default.mspx
F-Secure: ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
AhnLab: link no longer valid.
Symantec: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
McAfee: http://vil.nai.com/vil/conficker_stinger/S.T.I.N.G.E.R.exe
ESET: http://download.eset.com/special/EConfickerRemover.exe
BitDefender: http://www.bdtools.net/
Kaspersky: http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip
TrendMicro: http://www.trendmicro.com/download/dcs.asp
Sophos: https://secure.sophos.com/products/free-tools/conficker-removal-tool-network/download (registration required)
Sunbelt: http://www.sunbeltsecurity.com/DownLoads.aspx

Conficker Remote Scanners

nmap nmap 4.85BETA5 now includes Conficker detection http://insecure.org/
nessus http://www.nessus.org/plugins/index.php?view=single&id=36036
McAfee http://www.mcafee.com/us/enterprise/confickertest.html
eEye http://www.eeye.com/html/downloads/other/ConfickerScanner.html

Conficker Working Group Information

Conficker Working Group

http://www.confickerworkinggroup.org

ShadowServer

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090212 (very good explanation of the importance of this group)

Arbor networks http://asert.arbornetworks.com/2009/02/the-conficker-cabal-announced/
ICANN http://www.icann.org/en/announcements/announcement-2-12feb09-en.htm
Symantec https://forums.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129

General Information

Microsoft End user/Consumer page
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
IT Security/Professional Page
http://technet.microsoft.com/en-us/security/dd452420.aspx
Centralized information about Conficker
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
SecureWorks http://www.secureworks.com/research/threats/downadup-removal/

Research (technical)

SRI

http://mtc.sri.com/Conficker
Scanner:  http://mtc.sri.com/Conficker/contrib/scanner.html

MNIN Security Blog http://mnin.blogspot.com/2009/01/downatool-for-downadupbconflickerb.html
This is an awesome tool that generates domains, and ips to scan using the reversed algorithms from conficker.
ThreatExpert Blog http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html
CERT.at http://www.cert.at/static/conficker/TR_Conficker_Detection.pdf
Great paper that covers setting up your local DNS server to mitigate/alert on infections.
Sample zonefiles can be downloaded here: http://www.cert.at/english/downloads/downloads.html
CA Writeup dated 3/11/09
Screenshots of April 1st Trigger
Honeynet Project A useful analysis and supporting tools from the Honeynet project can be found at:
https://www.honeynet.org/files/KYE-Conficker.pdf and
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
4 comment(s)

Comments

Love the listing of removal tools, can this be added to the SANS \"Links\" page for common removal tools? And in general, restructure and update the links page with newer and useful tools?

I know asking a lot...
Thanks,
Brian
I plan on posting more info as I come across it, I also am looking at formatting it a bit differently. I am not much of a fan of the current formatting, but given the amount of time involved I wanted to get something out sooner rather then later.
Step by Step In Dealing With and Removing Conficker.

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
Additional technical information. It's possible to determine p2p UDP/TCP port pairs.
https://cert.lexsi.com/weblog/index.php/2009/03/31/294-confickerc-de-peer-en-peer

Diary Archives