More Comments Regarding Conficker
Friday March 27, 2009 at 3:07 pm CST
Posted by Kevin Beets and Karthik Raman
A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.
First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)
The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.
But beyond anti-malware protection, what else can you do?
The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.
Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.
=== Update March 31, 2009, 7pm PDT ===
It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!
March 30th, 2009 at 22:47
You have to be a brain surgeon to understand
March 31st, 2009 at 09:18
Why cant you identify easily.
Does your software on my computer protect me from this or do I have to wait until infected and then do something about it.
We Pay for software to protect our computers and then you keep coming out with new products that are required to protect us from all kinds of real or imagined threats. It now requires that we must spend hours researching every threat and deciding what we must do about it. Dam it we pay you for protection we should not have to spend hours doing the job you are paid for.
Called your service people to ask if it was protected and in there Singlish which is very difficult to understand it took me 20 minutes to get an unacceptable answer. Basically the answer was we can do something if you are infected but until then we really cant do anything. Told them thought I was paying for protection not correction. Your service person thought that I was looking at things from the wrong point of view
Not Happy with McAffee
March 31st, 2009 at 16:37
Hi Guys,
we’re having a close look at our Proxy / FW Logs since some days.
Blocking and logging some traffic help us to find some infected Clients, by looking for the search?q=somenumeric etc.
this night we found one more request type looking like:
http:///somepath/?setid=ki5s&affid=152174&uid=809A3E9C4E3711DDB81A152174CFFFFF&rid=mm5&guid=E52A179EB3E249CA823AE73304AA3105
If you took the full URL, you will download a W32 file (dll) from the remote site.
But I forgot, were to upload Samples
BR
JPW
March 31st, 2009 at 20:18
[...] Â “More Comments Regarding Conficker“ [...]
April 3rd, 2009 at 07:04
You don’t have to be a rocket scientists to know that IT folks world-wide will get some rest this weekend instead of doing restores/reloads/patches-n-scans. Between the OS updates and some keen antivirus tweaks — all of which were applied with automated technologies — all I need to do is monitor this weekend while I watch the Final Four.
Thanx!!!
hwv
April 3rd, 2009 at 19:34
tried to download the detection tool and nothing happens, any suggestions?? Frustrated
April 6th, 2009 at 08:42
I am very unhappy with McAfee in regard to Conficker virus. I download updates several times a week and run a virus scan weekly yet my machine got infected. What am I paying for?
April 15th, 2009 at 12:54
McAfee is NOT doing any go in case of Conficker. Conficker is coming back to machines which have Microsoft patch and latest DAT.
McAfee support’s performance is really poor. Sometimes they answer like they are not IT guys et all.
January 16th, 2010 at 21:35
Always do updates to your system.