
A Worm by Any Other Name…

March 31, 2009

Call it Downup, Kido, or Conficker: regardless of the moniker, the Conficker worm is set to trigger this Wednesday, April 1st.  Of course, worms, bots, and other malware are nothing new, but Conficker is almost unique in its trickiness, covering its tracks well and disabling key system services on Windows hosts (Windows Update and Windows Defender among them) to ensure that it isn't found.  As you might expect, the payload of Conficker is equally malicious: it can both pull down executable malware from the Internet and push it out to other systems on the local network.  Perhaps most disturbingly, it patches the very hole it came in through, hooking the vulnerable Server service (NetBIOS/RPC) code in memory so that other malware cannot follow it in and so that network vulnerability scanners probing for the hole report the host as fixed even though the files on disk are still unpatched.  In effect, it circumvents organizations' vulnerability management systems.

Despite the fact that Microsoft issued a patch for the initial vulnerability that Conficker attacks (MS08-067, in the Windows Server service) in October 2008, before the first variant of Conficker was even released, estimates are that up to 30% of all susceptible Windows systems are still unpatched and remain vulnerable to Conficker.

So, how do organizations stop this kind of code from affecting their environment?  Fortunately, like any complex piece of network-intensive code, Conficker leaves some significant footprints that can be monitored:

– Unusual Services.  Most variants of Conficker establish an HTTP server that listens on an unusual, randomly chosen port (between 1024 and 10000).  If you're not deliberately running web servers on high ports, a new listener in that range on a workstation is an immediate sign that there may be a problem.

– Account Lockouts and Lockout Policy.  Because Conficker relies on brute-force password attacks to get to certain resources (such as the ADMIN$ share), its most visible side effect is a wave of account lockouts: a spike in lockout events on your domain controllers (Event ID 644 on Windows 2000/2003, 4740 on Vista/2008), often all attributed to the same calling workstation, points straight at an infected host.  Conficker also attempts to reset the account lockout policy on systems it touches; if those values change from your established baseline, this may be an indication of infection.

– System Performance.  Windows domain controllers are particularly susceptible to performance impacts caused by Conficker, since every brute-force attempt is an authentication request.  If authentication times and/or system performance (particularly network metrics) are being impacted across your DCs, you need to drill down to the root cause of this problem.

– Network Traffic.  Conficker generates a lot of NetBIOS/SMB traffic (TCP 139 and 445) due to both brute-forcing and attempts to propagate itself, typically from a single source fanning out to many destinations.  Monitor your network segments carefully; if you identify a significant change in the pattern of traffic (particularly spikes in NetBIOS traffic), then you should immediately launch a forensic analysis.

– Vulnerability Scanner Identification.  And of course, it’s important to ensure that signatures are kept up-to-date for enterprise vulnerability scanning software, and that scans occur on a regular basis.  While many vulnerability scanning tools have signatures for Conficker, some do not.
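The five indicators above are only useful if someone actually correlates them per host. The script below is an added example, not code from the original post or from eIQ, that does that correlation over constructed sample data: a `netstat -ano` listing, a few security-log lines reduced to `EventID=... CallerComputer=...` fields, and NetFlow-style `(src, dst, dport)` tuples. The whitelist of known high ports, the lockout and fan-out thresholds, and the host names and addresses are all assumptions chosen for illustration; the lockout Event IDs 644 and 4740 and the SMB ports 139 and 445 are real.

```python
"""Correlate Conficker indicators (listeners, lockouts, SMB fan-out) per host.

Added example: all input below is constructed sample data, not real captures.
"""
import re
from collections import Counter, defaultdict

# --- Indicator 1: unusual listening services -------------------------------
# Conficker starts an HTTP listener on a random port between 1024 and 10000.
KNOWN_HIGH_PORTS = {3389, 8080}  # assumption: high ports you expect to see


# Matches one line of `netstat -ano` output; captures address, port and PID.
NETSTAT_LISTEN = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)


def unusual_listeners(netstat_text, known=KNOWN_HIGH_PORTS):
    """Return (port, pid) pairs listening in 1024-10000 that are not whitelisted."""
    hits = []
    for _addr, port, pid in NETSTAT_LISTEN.findall(netstat_text):
        port = int(port)
        if 1024 <= port <= 10000 and port not in known:
            hits.append((port, int(pid)))
    return hits


# --- Indicator 2: account lockouts caused by share brute-forcing -----------
# 644 (Windows 2000/2003) and 4740 (Vista/2008) = "A user account was locked out".
LOCKOUT_IDS = {"644", "4740"}


def lockout_sources(log_lines, threshold=3):
    """Count lockouts per calling workstation; return those at/over threshold."""
    per_host = Counter()
    for line in log_lines:
        m = re.search(r"EventID=(\d+).*CallerComputer=(\S+)", line)
        if m and m.group(1) in LOCKOUT_IDS:
            per_host[m.group(2)] += 1
    return {h: n for h, n in per_host.items() if n >= threshold}


# --- Indicator 3: NetBIOS/SMB fan-out in flow data -------------------------
SMB_PORTS = {139, 445}


def smb_fanout(flows, threshold=10):
    """Return sources that opened SMB/NetBIOS flows to >= threshold distinct hosts."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SMB_PORTS:
            peers[src].add(dst)
    return {s: len(d) for s, d in peers.items() if len(d) >= threshold}


def correlate(host_name, host_ip, netstat_text, log_lines, flows):
    """Combine the indicators for one host; an empty dict means nothing fired."""
    findings = {}
    listeners = unusual_listeners(netstat_text)
    if listeners:
        findings["unusual_listener"] = listeners
    lockouts = lockout_sources(log_lines)
    if host_name in lockouts:
        findings["lockouts_caused"] = lockouts[host_name]
    fanout = smb_fanout(flows)
    if host_ip in fanout:
        findings["smb_fanout"] = fanout[host_ip]
    return findings


# --- Constructed sample data (not real captures) ----------------------------
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:5417           0.0.0.0:0              LISTENING       1588
  TCP    10.0.0.42:139          0.0.0.0:0              LISTENING       4
"""

LOG_LINES = [
    "2009-03-31 09:14:02 EventID=4740 User=jsmith CallerComputer=WS-042",
    "2009-03-31 09:14:05 EventID=4740 User=mlee CallerComputer=WS-042",
    "2009-03-31 09:14:09 EventID=4740 User=admin CallerComputer=WS-042",
    "2009-03-31 09:20:44 EventID=4740 User=bwong CallerComputer=WS-017",
    "2009-03-31 09:21:00 EventID=4624 User=bwong CallerComputer=WS-017",
]

# 10.0.0.42 sweeps twelve neighbours on 445; 10.0.0.17 talks to one file server.
FLOWS = [("10.0.0.42", f"10.0.0.{n}", 445) for n in range(1, 13)] + [
    ("10.0.0.17", "10.0.0.5", 445),
    ("10.0.0.42", "10.0.0.99", 80),
]

if __name__ == "__main__":
    for name, ip in (("WS-042", "10.0.0.42"), ("WS-017", "10.0.0.17")):
        print(name, correlate(name, ip, NETSTAT if name == "WS-042" else "", LOG_LINES, FLOWS))
```

Run against the sample data, WS-042 trips all three indicators (a listener on 5417, three lockouts attributed to it, and SMB flows to twelve distinct hosts) while WS-017 trips none; in practice you would feed `unusual_listeners` from a host inventory job and the other two from your SIEM and flow collector, and a host that trips two or more indicators goes to the top of the forensic queue.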

You can use a multitude of tools to check for this kind of data, but the manual correlation of that data across hosts is going to take a while, so if you're using lots of different tools, reserve your conference rooms for tomorrow right now.  Alternatively, a single person could use eIQ's SecureVue to get a single, consolidated view of all the data you need to track down pervasive malware like Conficker: log and event data, configuration and asset data, vulnerabilities, performance, and network flow.
