Critical System Protection

  • Private Community
 View Only
Back to Library

Is Symantec Ready for Conficker (Downadup)? Yes! 

Mar 31, 2009 01:26 PM

Interest in the Conficker (or Downadup) is reaching a frenzied peak.  As media interest in this worm continues to rise, customers are asking if Symantec is ready for Conficker. The answer is a resounding yes.  Symantec customers are already protected (as long as they are running the latest AV and IPS definitions). This article provides a short overview of Conficker (Downadup) and the protection offered by Symantec products.
 
Background
Conficker first appeared in late 2008 as the first worm in the wild to leverage a newly reported vulnerability in Microsoft Windows’ Remote Procedure Call (RPC) service (MS08-067).  Symantec named the worm Downadup, but over time the popular name for this threat has become Conficker.  Symantec customers were quickly protected from the vulnerability with newly released IPS and AV signatures. 
 
In late November,  a new variant (.B) was detected which added a Swiss Army-like collection of new tricks in the hope of spreading the threat far and wide and infection rates began to pick up and grow again in non-Symantec customers. Symantec Security Response has been monitoring the evolution and growth of the threat using its extensive honey pot network.  As of our most recent statistics, there are roughly 1.75 million Downadup infections worldwide.
 
Most recently (in early March) Symantec was the first company to detect a significant new variant of the threat (.C) which was silently downloaded to infected machines. The (.C) update increased the robustness of existing infections and made them harder to detect and remove. The new version of the threat includes new logic to protect itself further from detection by security software however this should not affect Symantec software because we already block the threat before it ever has a chance to run.
 
The following table summarizes the different flavors of Downadup/ Conficker:
 
 
W32.Downadup
W32.Downadup.B
Downadup.C
Propagation Method
MS08-067 Exploitation
MS08-067 Exploitation
File Share brute forcing
Removable Media Infection
Removed
Command & Control
HTTP
HTTP
Primitive P2P
Improved HTTP
Robust P2P
Defense Techniques
None
Kills some DNS lookups
Kills AutoUpdate
HTTP Code Signing
P2P Code Signing
Kills some DNS lookups
Kills AutoUpdate
Kills Security Software
Advanced Anti-Analysis
P2P & HTTP Code Signing
 
What does Conficker do?
No one yet knows the full purpose of Conficker. To date, infected machines appear to be dormant members of a new bot network largely awaiting further instructions.
 
 
Am I protected?
Symantec AntiVirus products protect customers from this threat using the following definitions:
 
Symantec Intrusion Protection System (IPS) protects customers from this threat using the following signatures:
 
 
Should anyone get infected (e.g. if they are not running Symantec products) Symantec has published a fix tool which can be used to remove the malware from infected machines. That tool can be found here.
 
So what happens next and why is everyone talking about April 1st?
Security Technology and Response engineers have discovered that the next phase in the Conficker story is expected on April 1st.
 
The latest version (.C) of threat has a more complex mechanism for attempting to update itself over the Internet. With previous versions of the Downadup, each infected computer would attempt to contact 250 new websites every day for possible further “attack instructions”. Machines infected with the new version will check 500 random websites per day out of a total of 50,000 possible sites (each infected computer will check its own distinct set of 500 sites). This new version of the threat will not begin to contact these websites until April 1, 2009. On that date we expect a new set of instructions to likely be sent to infected machines which will no doubt change the behavior yet again as the cat and mouse game continues. As before, we continue to monitor the active infections in our honey pot network. The stakes are high but we believe that our customers are fully protected as long as they have our latest AV and IPS signatures deployed on their systems. 
 
More Information
1)      Enterprise customers can find more details here.
 
2)      Consumer / Norton customers can find more details here.
 
3)      The Symantec removal tool can be found here. A link to this has been published in the latest US-CERT advisory here.
 
4)      Watch CBS correspondent Leslie Stahl talk to Steve Trilling, Symantec VP Security Technology & Response, on 60 Minutes about the impact of the Conficker here.
 
5)      The Downadup Codex - A comprehensive guide to the threat’s mechanics.  This paper provides a detailed analysis of the threat.

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Migration User
Apr 15, 2009 01:45 PM

Yeah, Symantec has defs for the "E" variant as well.
http://www.symantec.com/security_response/writeup.jsp?docid=2009-040823-4919-99&tabid=1

Most of the vendors had them by 09th April
http://www.virustotal.com/analisis/720ed51914637344b03e2f702c722170

Migration User
Apr 14, 2009 01:06 PM

Such proactive alerts will help business to minimize business risks, since most of them were not affected with conflicker, nice posts posted from forum members.

riva11
Apr 09, 2009 09:26 AM

I read on TrendLabs article DOWNAD/Conficker Watch: New Variant in The Mix? a new variant called WORM_DOWNAD.E.
Any Symantec news about it?

Migration User
Apr 05, 2009 02:23 PM

 1st April with Conficker has gone away , but I wonder if there is some other attack scheduled for next months ?

Migration User
Apr 05, 2009 09:13 AM

The threats that were being downloaded has been stopped and it's all happened in a very well synchronized way. We are just confused as what's happening. There were instances of conficker that were being detected, On some server's they were deleted, on other's failed. We don't see any other reason for the maker's of conficker to download the threat and infect the system unless they want to distract the attention with the real purpose being something else as everyone was prepared in a way for D-Day. We are into the process of examining the system state after 01st april though there arent any more threats being detected. We are also awaiting a report by Symantec for the global effects specifically for the conficker - 01st April and beyond. That is very important for us.  

Migration User
Apr 03, 2009 01:48 PM

We'll post information in the blog section as new developments are available.  Keep the comments coming, we appreciate them and are forwarding to folks internally as appropriate.

Eric

riva11
Apr 03, 2009 01:25 PM

No infections detected, in our sites all servers , desktops and laptop patch deployment worked well and the MS08-067 patch was on these systems within few day after Microsoft realease. Also Symantec virus defs were correctly updated. These two differents protections worked and the 1st April can considered closed with success.

Migration User
Apr 03, 2009 10:51 AM

Interesting update article on the register.

http://www.theregister.co.uk/2009/04/03/conficker_zombie_count/

Migration User
Apr 02, 2009 02:39 PM

What are others experiencing?  Keep us informed!

Migration User
Apr 02, 2009 01:49 AM

Okay, we had some servers that had been infected with the conficker. On 1st April we noticed that there were too many threats that were being detected but not cleaned(Failed). So, We suspect that conficker is acting as a downloader for other threats now but can this just be the cover fire?

Migration User
Apr 01, 2009 02:14 PM

Sorry to hear about your infection.  There is a good summary of Downadup in the KB article at this link:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648

But more importantly, it has a link to the Symantec fixtool. That should help you get rid of the infection. If the worm is blocking access to our web site, there is a simple solution to turn off that 'feature" of the worm documented there too.

Good luck.

justscott
Apr 01, 2009 08:40 AM

I have seen absolutely nothing on the corporate front, however I did have someone say that their home machine was infected...I passed him along the removal tool.

I run SEP 11 MR4 in the office, and I'm not sure if he even had antivirus at home.   But since I have not come across the worm, I am unable to test removal, but I assume just running the tool exe removes everything?

Migration User
Apr 01, 2009 05:14 AM

My system was infected by w32.downadup.B starting last week. This worm spreads from pc without SEP (Windows 98). How can I handle this problem? My system using win 98, win XP & win 2000, win XP & win 2000 protected by SEP. 

Migration User
Mar 31, 2009 11:04 PM

Just as an update, It's 03:04 a.m. in the GMT right now and lot of our servers have the local time past that. No unusual activity noticed at the Antivirus \ Firewall Level(Perimeter).
 

Migration User
Mar 31, 2009 05:43 PM

Any possible updates to W32.Downadup.C will only start to take place once it is the 1st of April 2009 in the GMT time zone. So we have a little more time before we find out what happens.

Migration User
Mar 31, 2009 03:47 PM

In many parts of the world it is already April 1st...I don't believe this is just central to your specific time zone.

Migration User
Mar 31, 2009 03:19 PM

I can't predict the future, but the most likely scenario is that no major incident happens tomorrow.  Infected machines are updated to a more efficient communication method on the 1st.  But that doesn't mean whoever is behind Conficker will actually begin using those machines.

Tomorrow would not be a great day for the bad guys to try something.  Symantec, other security organization, law enforcement, the press and a whole lot of other people are going to be watching them pretty closely tomorrow. If something happens we'll know right away.  And we'll take whatever steps needed to keep people protected.


Migration User
Mar 31, 2009 03:07 PM

Ah, didn't realize the links in the article had the dates in them. Sorry about that. So defs after 3/6 should be safe from all three variants. Good to know, thanks!

Migration User
Mar 31, 2009 03:06 PM

Here's the three AV signatures for Downadup and date of release.

W32.Downadup  (Released: Nov 21, 2008)

W32.Downadup.B (Released: Feb 20, 2009)
W32.Downadup.C  (Released: Mar 6, 2009)


Migration User
Mar 31, 2009 02:05 PM

Can someone confirm exactly which definitions include these fixes? "Latest" is relative. Are last week's defs good enough? Yesterday's? Thanks

Migration User
Mar 31, 2009 01:50 PM

Even though my SEP is up-to-date on all my workstations and servers, and I am confident that I am not infected, I'm still concerned as to what activities will be executed come tomorrow.

Migration User
Mar 31, 2009 01:32 PM

As you may know, Symantec discussed this last week on the CBS show "60 Minutes." With the spike in online chatter and search we've seen on our site, we wanted to provide some additional information regarding the Conficker virus.   Let us know what you think - the "big day" is April 1...

Related Entries and Links

No Related Resource entered.