Worried about the Conficker worm? A few simple steps can protect you.
Target: All users of Windows XP and Windows Vista.
The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. Systems with Symantec Endpoint Protection or Symantec AntiVirus are protected, since these products will detect and remove this worm. Users who lack protection are invited to download a trial version of Symantec Endpoint Protection. Symantec recommends using Network Threat Protection along with antivirus scanning in Symantec Endpoint Protection to proactively prevent the threat from being downloaded to a system.
New variant, Downadup.E, found in the wild
This new variant was found in the wild on April 8th, 2009. Detection was added in Rapid Release definitions with a sequence number of 93981 (April 8, 2009 rev. 25) as W32.Downadup. Security Response gave this variant its own detection starting in Rapid Release sequence 94023 (April 9, 2009 rev. 9). Our initial analysis showed this variant functions similarly to the original W32.Downadup variant. As noted in our blog, this new variant appears to be dropping W32.Waledac. Detection for this W32.Waledac sample was added in Rapid Release definitions with a sequence number of 93978 (April 8, 2009 rev. 22). For more information on this threat's functionality, see the Security Response write-up on W32.Downadup.E.
Downadup.C and April 1st
This new variant of the threat is specifically used to enhance the capabilities of previously infected machines. Computers which remain infected with a previous variant of the W32.Downadup family will download a copy of W32.Downadup.C to enhance the capability of the existing threat. Further details on the operation of earlier versions of the Downadup family are provided below in this document.
Some of the notable features of Downadup.C:
- Increased command and control domain possibilities. The original variants of W32.Downadup(.B) check 250 domains per day for any new payload from the controller. The new variant now contains an updated algorithm where each Downadup.C infection will check 500 random domains per day out of a total of 50,000 possible random domains. This makes it more difficult for security companies to monitor all of the domains. At the same time, it also will presumably make it more difficult for the attacker to distribute further "attack instructions" to existing Downadup.C infections, since it won't be practical for the attacker to post attack code on all 50,000 sites. Downadup.C infections will not begin contacting these Web sites until April 1, 2009.
- Introduces new anti-detection measures. The new variant of the threat includes a list of strings which it searches for in running processes. It kills these processes if it finds a match. The strings are a means of stopping antivirus processes, as well as debugging tools. Examples of strings that it searches for include "wireshark," "confick," "downad," "ms08-06," and "kb958."
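The check-in numbers in the first bullet (500 domains per infection out of 50,000 possible) can be turned into an estimate of how many domains a monitoring team must watch to see a given share of infections each day. This is an added example, not Symantec's code or analysis; it assumes each infection picks its 500 domains uniformly at random and independently of other infections, and the function names are illustrative.

```python
"""Monitoring-coverage estimate for the Downadup.C check-in scheme.

Assumption (not stated in the advisory): every infected host samples its
daily domains uniformly at random, without replacement, independently.
"""

POOL_SIZE = 50_000       # possible domains per day (from the advisory)
CHECKS_PER_HOST = 500    # domains one infection checks per day (from the advisory)


def miss_probability(watched, pool=POOL_SIZE, checks=CHECKS_PER_HOST):
    """Chance that one host's daily sample contains none of the watched domains."""
    if not 0 <= watched <= pool:
        raise ValueError("watched must be between 0 and pool")
    if watched > pool - checks:
        return 0.0  # not enough unwatched domains left to fill the sample
    p = 1.0
    # Hypergeometric "zero hits": draw `checks` domains, each one unwatched.
    for i in range(checks):
        p *= (pool - watched - i) / (pool - i)
    return p


def hit_probability(watched, pool=POOL_SIZE, checks=CHECKS_PER_HOST):
    """Chance that one host contacts at least one watched domain in a day."""
    return 1.0 - miss_probability(watched, pool, checks)


def domains_needed(target, pool=POOL_SIZE, checks=CHECKS_PER_HOST):
    """Smallest number of watched domains reaching `target` daily hit probability."""
    if not 0.0 < target <= 1.0:
        raise ValueError("target must be in (0, 1]")
    lo, hi = 1, pool
    while lo < hi:  # hit_probability grows with `watched`, so bisect
        mid = (lo + hi) // 2
        if hit_probability(mid, pool, checks) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for n in (1, 10, 100, 500):
        print(f"{n:>4} watched domains -> {hit_probability(n):.1%} of hosts seen per day")
    print("domains for 50% daily coverage:", domains_needed(0.5))
```

Under this assumption a single watched domain is contacted by about 1% of infections per day, so coverage depends on watching many domains at once rather than all 50,000.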
The previous versions of Downadup can spread in 3 different ways:
Attack Vector #1: Attack of a Windows Vulnerability
Downadup can infect a computer by attacking a particular vulnerability in Windows. This vulnerability was announced by Microsoft in October 2008, and Microsoft issued a patch for the vulnerability at that time. However, many Windows users have still not installed this patch from Microsoft. All such unpatched users are vulnerable to attack from Downadup. An unpatched computer can become infected with Downadup simply by connecting to a network that has at least one infected machine. Any machine which has applied the Microsoft patch is not susceptible to this particular method of attack.
Attack Vector #2: Drive sharing
In corporations, many people share files with their colleagues by turning on the Windows "drive sharing" feature. This feature allows a user to connect directly to another user's hard drive to copy or edit files. Downadup exploits Windows drive shares. Once it has infected a computer inside a corporation, Downadup automatically copies itself to all visible open drive shares on other computers inside the corporate network.
Attack Vector #3: USB drives
Downadup can also spread from one computer to the next through USB drives (e.g., thumb drives). If a user's computer becomes infected with Downadup, and then the user puts a USB key into the computer, Downadup automatically copies itself to the USB drive. When the infected USB drive is inserted into another machine, Downadup automatically runs from the USB drive and infects the new computer.
Protection Details (Am I protected?)
Yes, if you are running either a Symantec Corporate antivirus product (Symantec AntiVirus or Symantec Endpoint Protection) or a Norton AntiVirus product (Norton Internet Security, Norton AntiVirus, or Norton 360) with definitions dated March 6th 2009 revision 36 or later. The following Symantec writeups describe the signatures that provide immediate protection against the current known variants:
- W32.Downadup (Released: Nov 21, 2008)
- W32.Downadup.B (Released: Feb 20, 2009)
- W32.Downadup.C (Released: Mar 6, 2009)
- W32.Downadup.E (Released: April 9, 2009)
Symantec Intrusion Protection System protects customers from this threat using the following signatures:
Additional recommended measures
- Install all publicly available Windows patches.
- Use a Symantec Intrusion Protection System to block attempts to exploit known vulnerabilities. (MS08-067 was an early attack vector for this threat, which is blocked by Intrusion Protection.)
- Use Symantec Endpoint Protection policy enforcement to restrict access to USB drives and disable autorun.inf files. These are commonly used as attack vectors to spread new threats.
Detailed Symantec Protection Notes
Symantec client security products have two basic levels of protection for Downadup:
- Network-based Protection
Symantec Corporate products (Symantec Endpoint Protection and Symantec Client Security) and Norton products (Norton AntiVirus, Norton Internet Security, and Norton 360) have what is known as "Intrusion Protection System" or "IPS" technology. This technology monitors network traffic going to and from each client computer. The IPS technology prevents Downadup from getting onto a computer in the first place by scanning all network data arriving at the computer and blocking suspicious transmissions that may be attempting to exploit the Microsoft vulnerability (Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability). The Symantec IPS protection will also stop attempts by Downadup to copy itself from one computer to the next using open drive shares ("Attack Vector #2," above).
Symantec IPS protection is a critical differentiator in the efforts to stop this threat because it can prevent the threat from ever getting onto a computer in the first place, even if the computer has not been patched. Note that IPS technology is not included in the Symantec AntiVirus product line.
- Antivirus Protection
All of Symantec's client security offerings (Symantec Endpoint Protection, Symantec AntiVirus, and Symantec Client Security) include antivirus signatures for Downadup. The Symantec antivirus signatures are powerful enough to detect multiple different strains of the Downadup threat automatically.
- USB protection in Symantec Endpoint Protection
Symantec Endpoint Protection includes functionality that can be used to prevent any program on a USB key from running automatically when the USB key is inserted into a computer. For more information, read the following knowledge base articles on the topic:
- How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection
- How to block USB flash drives while allowing other USB devices
- How to use Application and Device Control to block all USB devices except those I specifically want to allow
Remediation: If you have infected computers
- Use the fix tool
Symantec provides a stand-alone removal tool for Downadup, Downadup.B, and Downadup.C to help customers that are infected with this threat.
- Disable the Downadup domain blocking
On infected computers, Downadup may block your connection to Web sites that can help you, such as www.symantec.com. To defeat this behavior, click Start > Run, and type the following:
net stop dnscache
This disables the blocking, and allows you to connect to security vendors' Web sites.
Run Symantec Endpoint Protection, Symantec Multi-tier Protection, or Symantec Multi-Tier Protection Small Business Edition to protect your endpoints from this threat.
You can also exchange ideas and developments on Downadup in the SymConnect Forums.
Detailed blogs on Downadup and other malicious programs can be found on Symantec's Malware Blog. Additional details can be found in the Security Response white paper, The Downadup Codex.