Conficker

Slowing or stopping the advance of the Conficker worm is a tremendous patch management and configuration management challenge. The problem is that organizations have a hard time knowing which patches are really installed and how systems are actually configured. Small organizations or individuals may be able to retain control, but most organizations are in a constant state of flux: new physical computers join the network, configuration settings change, and new software applications are added. The problem has gotten even worse with the increased emphasis on virtualization. Tools made by companies like Microsoft and Symantec require that agents (software for managing patches and configuration settings) be installed on the systems they are trying to protect. If companies can’t get an agent installed on a machine, they can’t find it, and therefore can’t fix it! The only realistic approach is to have patch management and configuration management software that works without the need to install agents and that can assess and fix both physical and virtual machines. The Conficker.C variant is particularly nasty in that it targets security software in an effort to disable it or render it ineffective. The worm actually blocks the Microsoft patch management agent. At Shavlik we focus on making technology that is simple and does not require software (agents) on the target computer. We have always done this, and at a time like this, our product is uniquely qualified to combat the threat of Conficker.C!

We can talk about our free assessment for the missing patch and misconfigurations.

More details at:

http://www.shavlik.com/landingpage/20090326-conficker.aspx

Conficker.C: Will this virus make us April fools?

From Jason Miller:

A new version of the Conficker virus is scheduled to become active on April 1st. In early March, security researchers discovered the third variant of this virus, called Conficker.C. The first two variants of the Conficker virus gained a lot of attention from the media and security experts since first discovered in October. While these variants generated hype, the infection rate was minimal.

How was the infection rate kept low?  Security researchers were able to thoroughly research and block the effects of the virus.   Domain names the virus used were identified and taken offline by security researchers, effectively reducing the functionality of the virus and preventing it from establishing a controlling server.

The Conficker.C variant has undergone a major transformation into a potentially more malicious virus.   The author of the Conficker virus has obviously been monitoring the activities of the security researchers and has made changes that could finally unleash the full potential of the virus.

The Conficker author has added in functionality to reduce defense mechanisms against the virus. The virus will monitor active processes on machines. If the process is one of many security tools, such as MSRT, Microsoft Windows Update, or various antivirus programs, the Conficker worm will shut down those processes. By doing so, security tools could be rendered useless on an infected machine. In addition to rendering security tools useless, the Conficker virus will kill any attempt to apply the MS08-067 patch. This is considerably alarming to me. We have stated many times that the first line of defense is to patch any and all machines on your network. After patching your machines, you can run security tools to remove the virus. If your systems are patched, you prevent the systems from being infected. Patching a system also reduces the chance of re-infection by this worm.

Conficker.C will attempt to kill any process associated with the MS08-067 patch.  If you’re not already patched and you become infected, you have to remove the virus before patching. This increases the window of opportunity for the virus to spread.

On April 1st, 2009, the Conficker.C variant will become active. It is unknown at this time what payload will be delivered from the controlling servers. This could range from botnets to spam to advertising servers for adware. It could do evil or it could do nothing.

To avoid becoming April fools, if you are not already patched, take steps to deploy MS08-067. Administrators have about 10 days to scan for and deploy MS08-067 to ensure their systems are patched and ready for whatever havoc this virus will bring.
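As an added example, not part of Jason Miller's post and not Shavlik's product, here is an agentless PowerShell check an administrator can run over a list of Windows hosts to see whether the MS08-067 hotfix is present and whether the Windows Update service (which the post says Conficker.C shuts down) is still running. It assumes KB958644 is the hotfix ID Microsoft assigned to MS08-067, that the account running it has administrative rights on the targets, and that remote WMI/CIM access is allowed.

```powershell
# Added example (not from the post or from Shavlik): agentless audit of Windows hosts
# for the MS08-067 hotfix and for the state of the Windows Update service.
# Assumption: KB958644 is the hotfix ID Microsoft assigned to MS08-067.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$HotfixId = 'KB958644'
)

foreach ($computer in $ComputerName) {
    $row = [pscustomobject]@{
        Computer       = $computer
        MS08067Patched = $null   # $null means the host could not be queried
        WuauservState  = $null   # e.g. Running / Stopped
        WuauservStart  = $null   # e.g. Auto / Manual / Disabled
    }
    try {
        # Win32_QuickFixEngineering lists installed hotfixes; nothing is installed on the target.
        $fixes = Get-CimInstance -ClassName Win32_QuickFixEngineering `
                                 -ComputerName $computer -ErrorAction Stop
        $row.MS08067Patched = [bool]($fixes | Where-Object HotFixID -eq $HotfixId)

        # wuauserv is the Windows Update service; stopped or disabled on an
        # unpatched host is a red flag worth following up on.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" `
                               -ComputerName $computer -ErrorAction Stop
        $row.WuauservState = $svc.State
        $row.WuauservStart = $svc.StartMode
    } catch {
        Write-Warning "$computer could not be queried: $($_.Exception.Message)"
    }
    $row   # emit one object per host so the output can be filtered or exported
}
```

Pipe the output through `Where-Object { $_.MS08067Patched -ne $true }` to get the list of hosts that still need the patch or could not be reached.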