Personally, I think the Conficker worm might be a little over-hyped. After all, it's a symptom of a larger ongoing problem. So what ought to be pointed is that Microsoft's "secure by design" approach to software development has bugs. Not only that, but we can't expect people always patch their systems right away nor can we expect that people will go for having someone else automatically patch their systems without their direct overt consent.
Be that as it may, now that the Conficker cat is out the bag and generating a feline nation - so to speak - there's help for containment and cleanup.
When is the last time you heard of one piece malware fostering an entire working group to study it and offer information? Personally, I can't even remember.
The Conficker Working Group is a wiki-based site that offers information about how the worm works, what its intentions might be over time, how to help stop it, links to removal tools, and more.
So far Conficker hasn't done much of anything really unique. It installs an HTTP server, meddles with system settings, disables some types of security tools, tries to crack passwords, and so on. It also closes holes in Windows that it uses to gain entry, supposedly to defend itself against being overtaken by some other form of malware. There's a weak spot in that armor though. The folks over at Honeynet Project released some data about detecting Conficker along with Snort rules that will assist.
They also released a whitepaper, "Know Your Enemy: Containing Conficker," that among other things points out how Conficker's patching mechanism can be used against it for detection.
Dan Kaminsky points out that "Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you."
Of course there are numerous tools out there to help with detection and removal. Last time I counted there were at least 10, including mods to the popular nmap scanner found in version 4.85 beta5. You can find those here and here. Check the Insecure.org site for more data regarding Nmap's new detection capabilities.
So tomorrow, on April Fool's Day, a lot of people are expecting Conficker to do something sensational. What that might be, nobody knows - so what's the point of hyping it up? To get as many people worried as possible? Sheesh.
One thing's for sure. The sky isn't falling. Not yet anyway.
