If you are reading this blog, you probably already know what Conficker is. If you don’t, Conficker is one of the most prominent pieces of malware of the last few years, and through its several variants it continues to infect computers running Microsoft Windows. Conficker is also reported to be building a botnet from the infected machines; botnets are used to send spam and to launch Distributed Denial of Service (DDoS) attacks. A report earlier this year by Qualys indicated that 1 in 10 computers running Windows is still vulnerable to Conficker, i.e., has still not been patched.
Conficker spreads by exploiting a buffer overflow vulnerability in the Windows Server service (CVE-2008-4250, MS08-067) that is triggered while parsing crafted RPC requests.
Palo Alto Networks’ next-generation firewalls provide a layered approach to controlling malware attacks. For Conficker, the following layers of protection are available:
- Using App-ID, block the “msrpc” application from the Internet to the Intranet
The “msrpc” application identifies the Microsoft RPC messages used to spread Conficker. For most enterprises, there is no reason to allow RPC messages originating from the Internet into the private network.
- Using Content-ID IPS signatures, block RPC attack traffic
Threat IDs 32953 and 31922 identify malicious RPC traffic and block it at the perimeter of the private network, protecting the computers inside.
- Using the Content-ID File Blocking feature, block all DLL downloads from the Internet
After compromising a computer through the RPC vulnerability, Conficker downloads itself as a malicious DLL file. With our File Blocking feature, downloads of DLL files from the Internet to the Intranet can be stopped. Note that the device can still be configured to allow DLL downloads from the Internet when the request originated inside the Intranet.
- Using Content-ID Antivirus protection, block downloads of malicious DLL files
Our antivirus signatures are not developed by a third party; they are written by the same threat team that discovers vulnerabilities in popular software and releases signatures to protect against them. Our antivirus protection stops downloads of malicious files and complements the antivirus protection available at the endpoints.
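To make the ordering of the four perimeter layers concrete, here is an added example (not Palo Alto Networks code, and not a representation of the firewall's actual policy engine) that evaluates constructed session records against the layers in the order listed above: App-ID, Content-ID threat IDs, file blocking, then antivirus. It also models the note about DLL downloads requested from inside the Intranet with a single flag. The zone names `untrust`/`trust`/`dmz`, the record fields and the sample sessions are assumptions made for the example; only the application name “msrpc” and the threat IDs 32953 and 31922 come from the post.

```python
"""Layered Conficker policy check over constructed firewall session records.

Added example, not Palo Alto Networks code: it models the four perimeter
layers described in the post (App-ID, Content-ID threat signatures, file
blocking, antivirus) as an ordered evaluation of a session record. Zone
names, field names and the sample sessions are assumptions made for the
example; only the application name "msrpc" and the threat IDs come from
the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNET = "untrust"  # assumed name of the Internet-facing zone
INTRANET = "trust"    # assumed name of the private-network zone

# Threat IDs the post names for malicious RPC traffic (CVE-2008-4250).
RPC_THREAT_IDS = {32953, 31922}


@dataclass
class Session:
    src_zone: str                        # zone of the host that opened the session
    dst_zone: str                        # zone of the responding host
    app: str                             # App-ID result, e.g. "msrpc"
    threat_ids: List[int] = field(default_factory=list)  # IPS signature hits
    file_type: Optional[str] = None      # type of a file seen in the session
    file_direction: Optional[str] = None  # "download": server -> initiator, "upload": initiator -> server
    av_verdict: Optional[str] = None     # "malicious" / "clean" from the AV engine


def file_path(s: Session) -> Tuple[Optional[str], Optional[str]]:
    """Return (zone the file comes from, zone it goes to), or (None, None)."""
    if s.file_type is None:
        return None, None
    if s.file_direction == "download":
        return s.dst_zone, s.src_zone
    return s.src_zone, s.dst_zone


def evaluate(s: Session, allow_intranet_initiated_dll: bool = True) -> Tuple[str, str]:
    """Walk the layers in order; the first matching layer decides.

    Returns (action, layer). allow_intranet_initiated_dll reproduces the
    post's note: DLL downloads requested from inside the Intranet may be
    permitted, while Internet-initiated DLL transfers are always blocked.
    """
    # Layer 1, App-ID: no RPC from the Internet into the private network.
    if s.app == "msrpc" and s.src_zone == INTERNET and s.dst_zone == INTRANET:
        return "deny", "app-id"

    # Layer 2, Content-ID IPS: any session carrying one of the RPC threat IDs.
    if RPC_THREAT_IDS & set(s.threat_ids):
        return "reset", "ips"

    # Layer 3, file blocking: a DLL entering the Intranet from the Internet.
    src, dst = file_path(s)
    if s.file_type == "dll" and src == INTERNET and dst == INTRANET:
        if not (allow_intranet_initiated_dll and s.src_zone == INTRANET):
            return "block", "file-blocking"

    # Layer 4, antivirus verdict on files that passed file blocking.
    if s.av_verdict == "malicious":
        return "block", "antivirus"

    return "allow", "none"


# Constructed sample sessions (not real logs).
SAMPLES: Dict[str, Session] = {
    "rpc-from-internet": Session(INTERNET, INTRANET, "msrpc"),
    # RPC from a third zone: the App-ID rule does not apply, IPS still catches it.
    "rpc-from-dmz-exploit": Session("dmz", INTRANET, "msrpc", threat_ids=[32953]),
    "dll-pushed-from-internet": Session(INTERNET, INTRANET, "ftp",
                                        file_type="dll", file_direction="upload"),
    "dll-fetched-by-intranet": Session(INTRANET, INTERNET, "web-browsing",
                                       file_type="dll", file_direction="download",
                                       av_verdict="clean"),
    "malicious-dll-fetched": Session(INTRANET, INTERNET, "web-browsing",
                                     file_type="dll", file_direction="download",
                                     av_verdict="malicious"),
}


def run_samples(allow_intranet_initiated_dll: bool = True) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample session and return {name: (action, layer)}."""
    return {name: evaluate(s, allow_intranet_initiated_dll) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for allow in (True, False):
        print(f"allow_intranet_initiated_dll={allow}")
        for name, (action, layer) in run_samples(allow).items():
            print(f"  {name:26s} {action:6s} via {layer}")
```

Running the block twice, with the flag on and off, shows the only verdict that changes: the DLL fetched by an Intranet host passes file blocking (and is then judged by antivirus) when the flag is on, and is stopped at file blocking when it is off; the Internet-initiated DLL push is blocked either way, and the RPC session from the DMZ shows why the IPS layer is still needed when the App-ID rule does not match.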
However, if a computer is already infected with Conficker (e.g., an employee’s laptop was infected at home), we can detect Conficker’s DNS and P2P traffic using spyware signatures.