Protecting A Windows Network From Conficker

Conficker is a software worm affecting Microsoft Windows systems. Conficker, which is also known as Downadup or Kido, appeared initially in September of 2008. Microsoft released patch MS08-067 and an updated removal tool shortly after. There are two known versions of Conficker, known as Conficker.A and Conficker.B. Conficker.B operates differently but infects systems using the same vulnerability. Specifically a buffer overflow vulnerability in the Server Service. Since the server service is a requirement for Windows file sharing, leaving servers unpatched is not an option. While most major anti-virus packages can remove the infection, without patching the system is still vulnerable.

The Conficker worm's rapid proliferation demonstrates the dangers of keeping systems in production that are not patched, or not patched promptly after security patches are released. Unfortunately the necessity of Internet access in modern business requires keeping systems up-to-date. The number of infections also demonstrates the prevalence of such unpatched systems.

Well, hopefully your AV software alerted you. If for some reason that's not the case, you might have noticed that network traffic has suddenly increased to & from some systems. Automatic updates may have been disabled, or you may find Event entries for numerous failed logon attempts due to Conficker's brute force password cracking attempts.

You may ask: "Our servers are not accessible from the Internet. How did we get infected?" One possibility is that an employee with a laptop or a visitor who was on site, was given access to your network (whether plugged in to the LAN or given wireless access). With many networks, these users were then inside/behind your firewall, and any unpatched systems were vulnerable. Conficker can also spread via removable media, so portable drives or thumb drives from unknown or untrusted sources are suspect.

Conficker uses several techniques to avoid detection and removal, so you are likely not able to manually locate the Conficker files or undo the changes it made. Because of ACL changes Conficker makes on its files and in the registry, and a file lock in place while it is active, some tools may not be able to remove it. Fortunately, Microsoft's January release of their Malicious Software Removal Tool (MSRT) can remove it.

First, check that all your systems have Microsoft's patch MS08-067 applied. Next, download and run Microsoft's Malicious Software Removal Tool (MSRT). Third, update your Anti-Virus software. If for some reason host systems didn't have AV software, decide what to use and install AV software!

Most Anti Virus software protects against Conficker by now, and new releases of Windows operating systems don't have the vulnerability.

Simply keeping systems patched or using automatic updates is only one small part of securing your IT infrastructure. Comprehensive defense is set up in layers, from the network perimeter all the way to the individual applications your business relies on. You will want to consider the following protection options:

Review and change firewall settings.

Consider implementation of network or perimeter Anti-Virus protection.

Examine host-based firewall protection options.

Review and strengthen System Policy settings.

Quarantine new or visiting computers and removable media until they are screened for viruses and malware.

If you don't currently use Automatic Updates, look at the pros and cons and reconsider.

Details on how to implement these changes will be examined in follow-up articles.

These steps will not only protect against Conficker, they are the building blocks of an in-depth defense strategy against future worms and malware as well.