DHS Releases Worm Detection Tool

By Matthew Harwood

The Department of Homeland Security has released a free detection tool for federal and state agencies and private-sector partners that will scan their networks for the Conficker/Downadup worm, a malicious piece of software that has already burrowed into millions of computers worldwide but has lain dormant so far.

“While tools have existed for individual users, this is the only free tool – and the most comprehensive one – available for enterprises like federal and state government and private sector networks to determine the extent to which their systems are infected by this worm,” said US-CERT Director Mischel Kwon in a statement.

The detection tool developed by the U.S. Computer Emergency Readiness Team (US CERT) has been made available to federal and state partners through the Government Forum of Incident Response and Security Teams Portal as well as private-sector partners through Information Sharing and Analysis Centers.

Security researchers say that the Conficker/Downadup worm is set to receive a code update tomorrow, April Fool's Day.

The worm attacks computers that run Microsoft operating systems and can be spread by thumb drives, network shared drives, or directly across a corporate network if it has not been patched. Microsoft released a patch for the vulnerability that Conficker exploits last October. US CERT recommends anyone using a Microsoft operating system download the patch, run up-to-date antivirus software, and disable the Autorun feature within Windows.

Another way to discover if you're a Conficker worm victim is to try to access your security solution's Web site or to try and download detection and removal tools. If you can't, your machine may be infected. Any machine suspected of infection should be removed from the network, or if it's simply a home computer, disconnected from the Internet, advises DHS.

Those users cruising the Internet for detection and removal tools, however, should be careful, says F-Secure—cyberthieves have already set up a fake Web site to capitalize on the Conficker fear.

While security researchers have tried to downplay worries about Conficker's code update tomorrow, according to Information Week, the fear is that the update may activate the malware and turn millions of infected machines into a botnet, a zombie army of computers doing the puppetmaster's bidding. Will Conficker unleash a massive denial of service attack? Or will it steal personal information from infected computers? Will it do ... nothing?

No one will know until tomorrow, but the hope is that the worm's update is benign, not malicious.

CORRECTION: A previous version of this story called the worm "Conflicker," when it is "Conficker," without the "l."

