Because Conficker patched its victims, enterprises running standard vulnerability scanners, which look for unpatched machines, had trouble detecting which machines on their networks had been compromised. Werner and Leder, however, found a way to tell a Conficker-patched PC from a legitimately patched computer.
"This makes detection very convenient," Kandek said, "because you can do remote scanning very quickly, without someone having to log into the system and look at the registry keys. It's not difficult to detect Conficker while you're on the system, but this lets an administrator quickly scan an entire subnet on the network."
However, the patch applied by Conficker does not completely plug the Windows hole. "It keeps the flaw open," said Kandek, "but only for the worm and for someone who knows how to exploit it." That's one reason why the Werner-Leder-Kaminsky scanner has raised eyebrows. Some worry that the tool could be used by other hackers, who might exploit the purposely incomplete patch to hijack the estimated 10 million to 12 million Conficker-infected PCs.
Kandek thought that was far-fetched. "I don't think the flaw will be exploitable by anyone other than the Conficker authors," he said. "This is a very smart and determined and updated team."
Also involved this weekend in the work was the so-called "Conficker Cabal," the ad-hoc consortium of security researchers, companies and organizations that combined forces in February to disrupt the worm's command-and-control infrastructure.
"It was a great effort," said Kandek, "and again, some nice coordination by Dan Kaminsky."
Werner and Leder will be publishing more information about their discoveries in a paper, "Know Your Enemy: Containing Conficker -- To Tame a Malware," which will be posted on the Honeynet Project's site when it's ready.