A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.
First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)
The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.
But beyond anti-malware protection, what else can you do?
The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.
Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.
=== Update March 31, 2009, 7pm PDT ===
It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!