Conficker's patch gambit exposed by researchers
One technique used by the Conficker worm is to patch vulnerable Microsoft-based computers it has invaded in order to hide and prevent other malware from invading. One vendor, Qualys, says it upgraded its scanner Tuesday to be able to tell real Microsoft patches from stealthy Conficker patches.
"Last week researchers from the University of Bonn found out that once the worm installs itself, it closed that vulnerability [related to MS08-067] because it didn't want other people taking over the machine," says Wolfgang Kandek, CTO at Qualys. "But the Conficker patch looks different."
The work of the Bonn researchers in differentiating a real Microsoft patch from Conficker's stealthy bogus patch has provided the basis for Qualys upgrading its scanning engine to be able to be able to differentiate between the two, Kandek says. "The Conficker patch looks different. Before today, we'd say, you seem to be patched," he says. The scan could uncover machines that weren't suspected of being Conficker-infested.
The Conficker worm is set to activate April 1and security experts say it constitutes a serious threat Kandek says he agrees it constitutes a threat, but his own guess is that there won't be severe attacks from it Wednesday, though there could be evidence of network slow downs in some places.
Several antimalware vendors are offering tools to detect and eradicate Conficker, and Tuesday the Department of Homeland Security announced a free Conficker detection tool of its own.