Barracuda Web Security Gateway

Does the Barracuda Web Filter protect against the Conficker/Downadup worm?

  • Type: Knowledgebase
  • Date changed: 10 years ago

Solution #00004043

 

Scope:

Barracuda Web Filter, all versions.

 

Answer:

Conficker, also known as Downadup and Kido, is a worm that spreads via a malformed RPC request against the Windows Server service, which enables sharing of local computer resources. The vulnerability is documented under MS08-067.

 

The .B variant of the worm also spreads through removable and network-mapped drives and poorly protected network shares. Once on a machine, the worm phones home to 250 new domains per day for instructions.


Conficker.C began spreading on March 9, 2009.

 

A machine infected with Conficker.C generates a pool of 50,000 domain names and randomly selects 500 of them to query for a command and control server. It is likely that this activity will only update a small number of Conficker.C installations. The worm also opens a peer-to-peer channel with other infected machines, and it is expected that this will be the secondary means of disseminating command and control information.

 

Conficker.C has only been seen to spread by way of Conficker.B. Since the Barracuda Web Filter reports on Conficker.B infection activity, it is highly unlikely that a Web Filter customer would be infected by Conficker.C without already being aware of a problem.

 

Barracuda Networks has taken measures to identify the domains generated daily by the .B and .C variants and make them a part of the periodic Content and Spyware definition updates. This means that when Conficker tries to phone home to any of these domains, the Barracuda Web Filter will detect and block this activity, thereby keeping your network safe. Also, the infected machines can be easily identified through the Infection Activity information on the Status page as well as from reports. The infection will be tagged as "Conficker".
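The blocklist-based identification described above can be reproduced offline against exported request logs. The following is an added example, not Barracuda's code: the log format, the placeholder domains, and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed stand-in for the domains delivered by definition updates.
# These names are placeholders, not real Conficker-generated domains.
BLOCKLIST = {"qzkvexample.example", "plmwrtexample.example", "hhgtexample.example"}

# Constructed web-filter log lines: timestamp, client IP, requested host.
SAMPLE_LOG = """\
2009-03-10T08:01:12 10.0.0.21 QZKVexample.example.
2009-03-10T08:01:40 10.0.0.21 plmwrtexample.example:80
2009-03-10T08:02:03 10.0.0.34 www.example.org
2009-03-11T09:15:27 10.0.0.21 www.hhgtexample.example
2009-03-11T09:16:00 10.0.0.55 qzkvexample.example
malformed line
"""

def normalize(host):
    """Lower-case the host, then drop any :port suffix and trailing dot."""
    return host.strip().lower().split(":")[0].rstrip(".")

def is_listed(host, blocklist):
    """True if the host or any parent domain of it is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def infection_activity(log_text, blocklist):
    """Return {client: report} for clients that requested a listed domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        stamp, client, host = parts[0], parts[1], normalize(parts[2])
        if is_listed(host, blocklist):
            hits[client].append((stamp, host))
    return {
        client: {
            "tag": "Conficker",
            "blocked_requests": len(events),
            "distinct_domains": sorted({h for _, h in events}),
            "first_seen": min(s for s, _ in events),
            "last_seen": max(s for s, _ in events),
        }
        for client, events in hits.items()
    }

if __name__ == "__main__":
    for client, report in infection_activity(SAMPLE_LOG, BLOCKLIST).items():
        print(client, report)
```

Clients that appear in the result are the ones to prioritize for patching and cleanup; a client with hits on several distinct listed domains is a stronger indicator than a single stray request.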

 

Note on Conficker.C

 

Microsoft patched this vulnerability in October of 2008. Customers who have been regularly updating their machines, typically by way of Automatic Updates, are unlikely to be affected by Conficker.

 

Customers who have not been running automatic updates should follow the procedures in the Microsoft Virus Alert cited below.

 

Microsoft lists the following warning signs of Conficker infection:

  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.

Microsoft virus alert: http://support.microsoft.com/kb/962007

Microsoft autorun patch: http://www.microsoft.com/technet/security/advisory/967940.mspx

 

Link to This Page:

www.barracuda.com/kb?id=50160000000Hd82