DHS releases its Conficker tool...for the public sector
In the wake of yesterday's discovery that the Conficker worm can give hints of its presence on a system in a Windows-based network by changing the network signature of that system, the US Dept. of Homeland Security released what the chief of its US-CERT division says is "the most comprehensive [tool] available for enterprises like federal and state government and private sector networks to determine the extent to which their systems are infected by this worm."
But its use, says a DHS statement published yesterday, is limited to computers -- including network infrastructure systems -- operated by the federal government and its private sector partners. For that reason, DHS says, it's distributing this detection tool only through its secured channels. Specifically, government sources may acquire the tool through the Government Forum of Incident Response and Security Teams (GFIRST) portal; and private sector partners may contact their designated Information Sharing and Analysis Center (ISAC).
For the rest of America, DHS suggests a simple test to see whether a system is infected, though its description may not exactly fill folks with confidence: "The presence of an infection may be detected if users are unable to connect to their security solution Web site or if they are unable to download free detection/removal tools."
In other words, if people are having a hard time finding their detection tool, that could be a sign. Compounding the problem -- especially for novices to computing -- is the fact that Microsoft's Malicious Software Removal Tool (MSRT) isn't something that presents itself in an obvious location for Windows users. In fact, some users (myself included) often resort to simply downloading the latest version rather than hunt down the executable, simply because installing it triggers it to run.
Ordinary citizens are advised to refer to Microsoft's own information on the subject, which includes how to retrofit oneself with the latest MSRT. That edition was published on March 10 (last Patch Tuesday), and does include Conficker's four known variants among the signatures it scans for.
But for novice users who may be taking the government's notice too literally, believing that because they can't find the MSRT they may be infected, the news from Microsoft doesn't sound all that comforting either. At one point in the company's Conficker information page, it suggests that if you can't find MSRT, you actually shouldn't use it: "If you can't access those tools, try using the Windows Live OneCare Safety Scanner."
While all this is going on, regular press sources have been misinterpreting the DHS statement to make it appear that the agency has released its detection tool through Microsoft, and other sources drew the conclusion that the DHS tool was publicly available. Perhaps modern worms don't really need binary payloads to be effective these days.