Sunday, April 5, 2009

Conficker Eye Chart & Open Source Conficker-C Scanner/Detector

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
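The decision logic of the eye chart, as an added example that is not code from the Conficker Working Group page. It assumes the caller supplies the image URLs for the two rows, and it treats any blocked security-site image as a hit and any failed control image as inconclusive (both are assumptions of this example).

```javascript
// Added example. Image URLs are supplied by the caller; none come from the original page.

// Browser-only probe: true if the image loads, false on error or timeout.
function probeImage(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    // Cache-busting query so a cached copy cannot hide a block.
    img.src = url + (url.includes("?") ? "&" : "?") + "t=" + Date.now();
  });
}

// avLoaded / controlLoaded: arrays of booleans, one per image in each row.
function classify(avLoaded, controlLoaded) {
  if (avLoaded.length === 0 || controlLoaded.length === 0) return "inconclusive";
  const avBlocked = avLoaded.filter((ok) => !ok).length;
  const controlBlocked = controlLoaded.filter((ok) => !ok).length;
  // A failing control row means the problem is not specific to security
  // sites (no connectivity, images disabled), so nothing can be concluded.
  if (controlBlocked > 0) return "inconclusive";
  // Assumption of this example: any blocked security-site image counts.
  if (avBlocked > 0) return "possible-infection";
  // All images visible: not blocked, or a proxy is fetching on the PC's behalf.
  return "no-block-observed";
}

// Probes both rows in parallel; `probe` can be swapped for a stub in tests.
async function runEyeChart(avUrls, controlUrls, probe = probeImage) {
  const [av, control] = await Promise.all([
    Promise.all(avUrls.map((u) => probe(u))),
    Promise.all(controlUrls.map((u) => probe(u))),
  ]);
  return { av, control, verdict: classify(av, control) };
}
```

A "no-block-observed" verdict carries the same proxy caveat as the chart itself: behind a proxy the result says nothing about the PC.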


----------------------------------------


http://isc.sans.org/diary.html?storyid=6130

SRI International's Malware Threat Center has released the code to their scanner/detector for Conficker's "C" version. The official locations are:

Conficker C P2P Detection Modules (SourceFire ported the SRI module to their SO rule interface):

  Preprocessor: http://mtc.sri.com/Conficker/contrib/plugin.html
  SO Version: http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz

Conficker C Network Scanner:

  Source Code: http://mtc.sri.com/Conficker/contrib/scanner.html

If any readers have used SRI's tools and want to comment about them, please use our contact form or log in and use the comment feature below.

We want to again express our thanks to the team at SRI International for their ongoing analysis of the Conficker worm, as well as to all of the volunteers of the Conficker Working Group who continue to coordinate the mitigation of the worm's effects.
