Qualys Adds Remote Detection of the Conficker Worm

Qualys has added remote detection of the Conficker Worm, which has been spreading in corporate networks since November of 2008. This detection has been added to QualysGuard Vulnerability Management in order to help organizations remotely identify the multiple variants of this worm and control its spread within enterprise networks.

Conficker is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability announced in October 2008. It can spread to corporate network shares that are not protected with strong passwords and through infected USB sticks. Conficker creates a file on all mapped drives that runs automatically when the drive is accessed, and it then spreads to other drives that connect to an infected machine. Once a system is infected, Conficker blocks all access to security-related Web sites, preventing users from updating security software from those Web sites.

Conficker leaves a fingerprint on infected machines that can be detected remotely by using special RPC calls. The QualysGuard detection for Conficker is in QID1227, categorized as urgent with severity level 5, and the detection identifies all variants including Conficker.A, B, C or W32.Downadup.B. Organizations are encouraged to scan their global networks in order to identify infected systems, use antivirus/antispyware software to remove the infection, and then apply the Microsoft patch from Security Bulletin MS08-067. As of late January 2009, 30 percent of all Windows machines remained unpatched.
