New QualysGuard Detection Allows Organizations to Detect the Multiple Variants of the Conficker Worm on their Global Networks
Slough, UK, 31 March, 2009— Qualys, the leading provider of on demand IT security risk and compliance management solutions, today announced that it added remote detection of the Conficker Worm, which has been spreading in corporate networks since November of 2008. This detection was added to QualysGuard® Vulnerability Management in order to help organizations remotely identify the multiple variants of this worm and control its spread within enterprise networks.
Conficker is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability announced in October 2008. It can also spread through corporate network shares that are not protected with strong passwords and through infected USB sticks. Conficker creates a file that runs automatically on all mapped drives; the file is executed when the drive is accessed, and the worm then spreads to other drives that connect to the infected machine. Once a system is infected, Conficker blocks all access to security-related Web sites, preventing users from updating security software from those Web sites.
Conficker leaves a fingerprint on infected machines that can be detected remotely by using special RPC calls. The QualysGuard detection for Conficker is in QID1227, categorized as urgent with severity level 5, and the detection identifies all variants including Conficker.A, B, C or W32.Downadup.B. Organizations are encouraged to scan their global networks in order to identify infected systems, use Antivirus/Antispyware to remove the infection and then apply the Microsoft Patch from Security Bulletin MS08-067. As of late January 2009, 30 percent of all Windows machines remained unpatched.
“This new detection method allows IT administrators to remotely detect the Conficker virus directly on the infected machines without needing credentials or an agent installed. For many large enterprises, this represents an opportunity to perform a quick and non-intrusive audit of their patching efforts,” said Wolfgang Kandek, CTO of Qualys, who participated in the multivendor initiative over the weekend to implement this detection. “This security breakthrough will help many organizations tame Conficker and stop it from spreading within their networks. Special thanks to Dan Kaminsky and Rich Mogull for their efforts to pull the community together on very short notice, and for helping us add this detection within QualysGuard.”