Conficker is back in the news as there are reports of new variants popping up. I'm sure that you've all heard the news and hype about how many endpoints Conficker has infected, and even more speculation on what the bot herder will do with the massive botnet. Here's some background info on Conficker and what we can do to stop it:
Conficker (aka Downadup), is a computer worm that targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta. Conficker spreads via this buffer overflow vulnerability in the Server Service on Windows machines. The worm employs a specially crafted RPC request to execute code on the target computer.
When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It receives further instructions by connecting to a server. The instructions it receives may include to propagate, gather personal information and to download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.
Palo Alto Networks devices can stop the worm via:
- - Antivirus download signatures
- Vulnerability protection for MS08-067
- Phone home signature for infected hosts
Here are some other interesting articles about Conficker: