Barracuda Web Filter, all versions.
Conficker, also known as Downadup and Kido, is a worm that spreads via malformed RPC request against Windows Server Service, which enables sharing of local computer resources. The vulnerability is documented under MS08-067.
The .B variant of the worm also spreads through removable network mapped drives and poorly protected network shares. Once on a machine, the worm phones home to 250 new domains per day for instructions.
Conficker.C began spreading on March 9, 2009.
A machine infected with Conficker.C generates a pool of 50,000 domain names and randomly select 500 domains to query for a command and control server. It is likely that this activity will only update a small number of Conficker.C installations. The worm also opens a peer-to-peer channel with other infected machines and it is expected that this will be the secondary means of disseminating command and control information.
Conficker.C has only been seen to spread by way of Conficker.B. Since the Barracuda Web Filter reports on Conficker.B infection activity, it is highly unlikely that a Web Filter customer would be infected by Conficker.C without already being aware of a problem.
Barracuda Networks has taken measures to identify the domains generated daily by the .B and .C variants and make them a part of the periodic Content and Spyware definition updates. This means that when Conficker tries to phone home to any of these domains, the Barracuda Web Filter will detect and block this activity, thereby keeping your network safe. Also, the infected machines can be easily identified through the Infection Activity information on the Status page as well as from reports. The infection will be tagged as "Conficker".
Note on Conficker.C
Microsoft patched this vulnerability in October of 2008. Customers who have been regularly updating their machines, typically by way of Automatic Updates, are unlikely to be affected by Conficker.
Customers who have not been running automatic updates should follow the procedures in the Microsoft Virus Alert cited below.
Microsoft lists the following warning signs of Conficker infection:
- Account lockout policies are being tripped.
- Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
- Domain controllers respond slowly to client requests.
- The network is congested.
- Various security-related Web sites cannot be accessed.
Microsoft virus alert: http://support.microsoft.com/kb/962007
Microsoft autorun patch: http://www.microsoft.com/technet/security/advisory/967940.mspx
Link to This Page: