There has been a lot of buzz lately about the Conficker worm, which has been circulating and has now infected nearly 12 million Windows computers worldwide. But not all the news about Conficker is doom and gloom. Researchers have discovered a flaw in the worm itself that lets security administrators identify and isolate infected computers.
When Conficker infects a computer, it applies its own version of the Microsoft patch released last October for the vulnerability it exploits, so that when the computer is scanned for missing patches the vulnerability goes undetected. However, security researcher Dan Kaminsky said a research group found that, because of a flaw in the Conficker code, it is far easier to tell a computer "patched" by the worm apart from one patched with Microsoft's own update.
Building on that flaw, they have been able to create scanning tools that determine whether a given computer is infected with Conficker.
The drawback of this kind of approach is that it could give criminals an opening into the botnet: a new worm that exploits the same flaw could let them take control of sections of the botnet.
Such an “anti-worm” might well be more destructive than the Conficker worm itself, Kaminsky said. “You would have to build something that is as virulent as the current worm, and be willing to become the kind of monster you’re trying to fight,” Kaminsky said. “No one can play counter-worm very well.”
If one good thing has come out of the Conficker flaw, it is that it highlights a weakness found in almost all third-party security patches. The security industry often releases interim patches and scanners for a particular virus or worm to provide protection until the vendor can ship a complete update. But those interim fixes are generally produced by people who do not have access to the source code, so there is no guarantee that the patch is fully correct. Conficker's own in-worm patch is exactly such a third-party fix, and the flaw in it shows that a system cannot really be considered purged until it has been fully cleaned and verified with updated scanning software built by those with access to the source code.