Conficker Worm

This is by far the most common worm I see on Windows systems at the moment.
If you are watching network traffic, the symptom you will see is outbound calls to the website http://Trafficconverter.biz.
The worm exploits a flaw in the Windows Server service that Microsoft patched in October 2008 (MS08-067). This is a classic example of poor patching and incomplete security, helped along by some clever programming from the worm's authors.
MS08-067 describes a vulnerability in which an affected system runs arbitrary code of the attacker's choosing when it receives a specially crafted RPC request from the network, with no authentication needed. A long list of Windows versions was vulnerable (2000 SP4, XP SP2, XP SP3, Server 2003 SP1, Server 2003 SP2, Vista and Server 2008, plus the x64 variants of all of these), and that is what made the initial wave of infections so widespread.
But the worm also digs in: it installs itself as a service and creates scheduled tasks and registry hooks so it can reinstall itself, and it spreads to machines that are not vulnerable to the original flaw by other routes, notably removable media via AutoRun and network shares where it can guess a weak password.
The only approach I have so far found to be 100% effective is:

  1. Take every PC, server and laptop that may have been exposed off the network.
  2. Scan every system thoroughly with a recent Conficker scanner.
  3. Run the most recent removal tool available on all infected systems.
  4. Do not allow any system back onto the clean network unless it has been scanned and cleaned.
  5. Patch every single machine (MS08-067 at minimum).
  6. Update antivirus on all systems.
  7. Disable AutoRun on every system.
  8. Scan for unusual HTTP ports on PCs (another symptom of infection: the worm runs a small web server on a random high port to hand out copies of itself).
  9. Ban laptop users from connecting to untrusted networks, including their home networks.

If this isn't done then the worm, unfortunately, keeps reappearing.
Massively disruptive beast.
On the positive side, the Russian website mentioned above is currently live but no longer serving malicious code. The worm itself is also detected by most antivirus and antimalware tools.
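Even with the site no longer serving code, the beacon still gives infected machines away. The following is an added example (not the blog's own tooling) that triages proxy or firewall log lines for the two network-side symptoms described above: calls to trafficconverter.biz, and HTTP served on an unusual port. The log format, the set of "expected" HTTP ports and the sample lines are all assumptions constructed for the example.

```python
"""Added example (not the blog's own tooling): triage proxy/firewall log lines
for the two network-side Conficker symptoms described in the post, namely
outbound calls to trafficconverter.biz and HTTP on unusual ports."""
import re
from collections import defaultdict

# Indicator named in the post.
BEACON_DOMAIN = "trafficconverter.biz"

# Ports where HTTP is expected in this (assumed) environment; HTTP served on
# any other port by an internal PC is the "unusual HTTP port" symptom.
EXPECTED_HTTP_PORTS = {80, 443, 8080}

# Assumed log format: "<timestamp> <src_ip> <dst_host>:<dst_port> <method> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>[^\s:]+):(?P<port>\d+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()      # hostnames are case-insensitive
    rec["port"] = int(rec["port"])
    return rec


def is_beacon(host):
    """True for the beacon domain itself or any subdomain of it."""
    return host == BEACON_DOMAIN or host.endswith("." + BEACON_DOMAIN)


def triage(lines):
    """Return {ip: set_of_reasons} for every host that shows a symptom.

    The *source* IP is flagged when it calls the beacon domain; the
    *destination* is flagged when it is serving HTTP on an unexpected port,
    since that is the machine running the worm's built-in web server.
    """
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # ignore lines in another format
        if is_beacon(rec["host"]):
            findings[rec["src"]].add("beacon:" + BEACON_DOMAIN)
        if rec["port"] not in EXPECTED_HTTP_PORTS:
            findings[rec["host"]].add("serves-http-on-port-%d" % rec["port"])
    return dict(findings)


# Constructed sample log: one host beaconing, one peer serving HTTP on a high
# port, one mixed-case beacon, one clean host and one malformed line.
SAMPLE_LOG = [
    "2009-03-12T09:14:02 10.0.1.23 trafficconverter.biz:80 GET /",
    "2009-03-12T09:14:05 10.0.1.23 10.0.1.57:62314 GET /search?q=0",
    "2009-03-12T09:15:11 10.0.1.99 www.example.com:80 GET /index.html",
    "2009-03-12T09:15:40 10.0.1.42 WWW.TRAFFICCONVERTER.BIZ:80 GET /",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ip, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(reasons)))
```

Feed it your real proxy export (after adjusting the regex to that format) and every IP it returns is a candidate for step 2 of the list above. Note that the high-port check flags the destination, not the source: the machine listening on the odd port is the infected one, and the host connecting to it may well be the next victim being handed the binary.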
References:
MS08-067
Wikipedia: Conficker
Sophos: Conficker removal tool
Kaspersky: Conficker removal tool


About harlekwinblog

"Thoughts of an idle mind." Information Security professional.
