A lot has been published about Conficker already; this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.
First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, includes significantly updated functionality. This update, while complex and clever, was performed on existing Conficker.worm.a and Conficker.worm.b infections, meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)
The next thing you probably want to know, and what’s probably most important to you when dealing with this, is how you are going to combat this threat. Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.
But beyond anti-malware protection, what else can you do?
The best approach is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan and our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS, you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks and four signatures, plus generic buffer overflow protection. That’s great additional firepower.
Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.
=== Update March 31, 2009, 7pm PDT ===
It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!
Always do updates to your system.
McAfee is NOT doing any good in the case of Conficker. Conficker is coming back to machines which have the Microsoft patch and the latest DAT.
McAfee support’s performance is really poor. Sometimes they answer like they are not IT guys at all.
I am very unhappy with McAfee in regard to the Conficker virus. I download updates several times a week and run a virus scan weekly, yet my machine got infected. What am I paying for?
Tried to download the detection tool and nothing happens. Any suggestions? Frustrated
You don’t have to be a rocket scientist to know that IT folks world-wide will get some rest this weekend instead of doing restores/reloads/patches-n-scans. Between the OS updates and some keen antivirus tweaks — all of which were applied with automated technologies — all I need to do is monitor this weekend while I watch the Final Four.
Thanx!!!
hwv
Hi Guys,
We’ve been having a close look at our proxy / FW logs for some days.
Blocking and logging some traffic helps us to find some infected clients, by looking for the search?q=somenumeric etc.
This night we found one more request type looking like:
http:///somepath/?setid=ki5s&affid=152174&uid=809A3E9C4E3711DDB81A152174CFFFFF&rid=mm5&guid=E52A179EB3E249CA823AE73304AA3105
If you take the full URL, you will download a W32 file (dll) from the remote site.
But I forgot where to upload samples.
BR
JPW
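The proxy-log triage described in the comment above, as an added example that is not part of the original comment or any McAfee tool: it flags clients whose requests match either a numeric-only `search?q=` or the five-parameter `setid/affid/uid/rid/guid` shape. The log line format, hosts, IPs and parameter values are constructed, and the 32-hex-character rule for `uid` and `guid` is an assumption drawn from the single URL quoted.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (timestamp, client IP, method, URL).
# Hosts, IPs and parameter values are made up for the example.
SAMPLE_LOG = """\
2009-03-31T22:10:01 10.0.0.21 GET http://site-a.example/search?q=42
2009-03-31T22:10:05 10.0.0.35 GET http://site-b.example/search?q=conficker+removal
2009-03-31T22:11:17 10.0.0.21 GET http://site-c.example/somepath/?setid=ab1c&affid=100001&uid=0123456789ABCDEF0123456789ABCDEF&rid=xx1&guid=FEDCBA9876543210FEDCBA9876543210
2009-03-31T22:12:40 10.0.0.48 GET http://site-d.example/index.html?uid=7
2009-03-31T22:13:02 10.0.0.52 GET http://site-e.example/search?q=0
malformed line without enough fields
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
ID_PARAMS = {"setid", "affid", "uid", "rid", "guid"}

def classify(url):
    """Return a label for a URL matching one of the two shapes, else None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    # Shape 1: .../search?q=<digits only>
    if parts.path.endswith("/search") and set(query) == {"q"}:
        if query["q"][0].isdigit():
            return "numeric-search"
    # Shape 2: all five id parameters present, uid and guid 32 hex chars
    if ID_PARAMS <= set(query):
        if HEX32.match(query["uid"][0]) and HEX32.match(query["guid"][0]):
            return "id-param-download"
    return None

def find_suspect_clients(log_text):
    """Map client IP -> sorted list of matched labels."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _, client, _, url = fields
        label = classify(url)
        if label:
            hits[client].add(label)
    return {client: sorted(labels) for client, labels in hits.items()}

if __name__ == "__main__":
    for client, labels in find_suspect_clients(SAMPLE_LOG).items():
        print(client, ", ".join(labels))
```

A numeric-only search query on its own also occurs in ordinary browsing, so a client that matches only that shape is a lead for a scan rather than a confirmed infection.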
Why can’t you identify easily?
Does your software on my computer protect me from this, or do I have to wait until infected and then do something about it?
We pay for software to protect our computers and then you keep coming out with new products that are required to protect us from all kinds of real or imagined threats. It now requires that we must spend hours researching every threat and deciding what we must do about it. Damn it, we pay you for protection; we should not have to spend hours doing the job you are paid for.
Called your service people to ask if it was protected, and in their Singlish, which is very difficult to understand, it took me 20 minutes to get an unacceptable answer. Basically the answer was we can do something if you are infected but until then we really can’t do anything. Told them I thought I was paying for protection, not correction. Your service person thought that I was looking at things from the wrong point of view.
Not happy with McAfee
You have to be a brain surgeon to understand