Protect your Enterprise Network (Corporate and Office)

Re: Conficker Worm Going Around

Crashoverride — Wed, 28 Jan 2009 11:24:40 GMT

those are just variants or so different naming convention for conficker ( as detected by other AV products ), and MS08-067 exploit is the one its using and recently other avenues as well.

Just an update there is now are 2 new variant Conficker.c and conficker.D

This would help

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Re: Conficker Worm Going Around

securityguy — Wed, 28 Jan 2009 07:13:38 GMT

sirs,

are both downadup and downadup.b covered by MS08-067 patch?

Re: Conficker Worm Going Around

badzmanaois — Wed, 21 Jan 2009 07:01:16 GMT

Bump...

"Widespread Confickr/Downadup Worm Hard To Kill - Attack more dangerous in the potential of its scope and the way it was waged than the worm itself": Their biggest victims have been the enterprise, not the typical home user, experts note. And that could mean millions of enterprise bots. "There's still no botnet activity. But that could easily change at any given moment," says Patrik Runald, chief security advisor for F-Secure, which has been watching the worm closely. "These millions of PCs try to connect to hundreds of Websites daily, and the people behind this could easily change the behavior of an infected computer if they wanted to."
How did enterprises fall for a worm? Security experts say poor patch management, antivirus software shortcomings, and lack of detection of outbound command and control traffic contributed to the worm's success.

http://www.darkreading.com/story/showArticle.jhtml?articleID=212901489

Re: Conficker Worm Going Around

jpaloma — Thu, 15 Jan 2009 08:23:22 GMT

Check out the Microsoft Security Bulletin MS09-001

Re: Conficker Worm Going Around

jasperjugan — Wed, 14 Jan 2009 11:24:30 GMT

FYI guys, patching alone is not a guarantee. You need to make sure that the whole network is clean. As mentioned in the articles it spreads via 4 ways generally:

1. removal drives

2. network shares

3. MS08-067 exploit

4. trying to run itself using a weak admin password list

So meaning, even if you deployed the patch, if one of these symptoms are still present, chances are it will spread out (especially if it exploits as admin account).

Also, we DO NOT recommend logging in using domain account especially domain admin accounts when cleaning up. use the local user accounts as much as possible.

Re: Conficker Worm Going Around

rockshock_zid — Wed, 14 Jan 2009 10:17:57 GMT

aside patch from microsoft, what we did is we also run removal tool from our anti virus.

Re: Conficker Worm Going Around

securityguy — Wed, 14 Jan 2009 10:03:22 GMT

is it possible that we have already applied the patches but there are still damages done to the computers infected?

because from our experience after applying the patch our anti-virus stopped its autoprotect against the downadup(also known as conficker worm)

points is, is applying the patch enough or there are further steps to be done?

Re: Conficker Worm Going Around

jpaloma — Wed, 14 Jan 2009 09:35:29 GMT

The Jan 2009 MSRT includes the removal for Conficker.

Re: Conficker Worm Going Around

Crashoverride — Wed, 14 Jan 2009 06:29:54 GMT

I sure want to keep this thread alive for reason that we found significant number of Conficker/Downad Worm variants that has evolved significantly now using the original rootkit module,brute force and dictionary attack on user password, file and registry locking sequence, autorun worm addetives, DoS capability as well as DNS poisioning package all in one - with the end product of backdoor access.

Again PLEASE proceed to Windows Update ASAP and update your Latest Security Application to the most recent pattern, as well as locking down external storages alien to your infrastructure or home PC's.

Just yesterday we found 2 unique variant in South East asia.

Re: Conficker Worm Going Around

Crashoverride — Fri, 09 Jan 2009 10:21:06 GMT

Hmmm well you should get not only the removal for the actual file but as well as the remnant files.... Patch up dude and clog down the use of removable drives and online drives.

rockshock_zid:

This is what we troubleshoot yesterday, the whole day and night

If you still have such issue buzz us we may extend some tools for you to use... for cleanup

Re: Conficker Worm Going Around

badzmanaois — Fri, 09 Jan 2009 05:39:42 GMT

The bloody patch was released in October; an out-of-band one at that (which would have already sent an administrator worth his salt a-patching).

I've a script which "tries" to identify the rogue services randomly generated by this worm (I didn't include any cleanup mechanism for lack of time):

http://badzmanaois.blogspot.com/2009/01/confickervbs-conficker-wormdownad.html

Re: Conficker Worm Going Around

rockshock_zid — Fri, 09 Jan 2009 04:43:40 GMT

This is what we troubleshoot yesterday, the whole day and night

Re: Conficker Worm Going Around

Crashoverride — Fri, 09 Jan 2009 04:40:26 GMT

And well it could be prevented by having the current windows update/patches in your system and checking USB/removable drives and similar before introducing such to any PC system.

Conficker Worm Going Around

jpaloma — Thu, 08 Jan 2009 12:23:15 GMT

Word has it that this worm is going around certain regions in Asia.

From the Microsoft Malware Protection Center

As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067.

Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume. The SHA1 hash of the malware is 0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as Worm:Win32/Conficker.A.

Regarding the worm Worm:Win32/Conficker.B

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.