I’m sure just about every company’s security manager is aware of Conficker. This worm is spreading through networks at alarming rates. It’s weapon: exploiting a vulnerability, called MS08-067, in Windows 2000, XP, and Server 2003.
Conficker looks like legitimate traffic
Conficker.A, .B & .C (yes, it has versions) randomly creates domain names that are based on the system clocks of popular web sites such as google.com, yahoo.com, etc., so the HTTP traffic looks legitimate. At first, I thought we should block all the domains, but that is not a simple task. As of April 8th, Conficker.E was found not to be using randomly created domains, but deletes itself on May 3rd, 2009; unlike Conficker.C. It constantly changes its own behavior!
On April 7th researches found a variant of Conficker that initiates communication via a peer-to-peer (P2P) connection. A TCP connection is then used to download the file. Irregular UDP communications also take place.
What is Cisco’s position?
Learn more about Cisco’s position on Conficker. They encourage customers to purchase their Home Network Defender product and as a result, you “should be” protected. Here is some additional great information on Conficker from Cisco.
Track Conficker with Cisco NetFlow?
It isn’t that easy. Remember, Conficker looks like legitimate traffic. Network Behavior Analysis solutions can’t confidently detect Conficker either. We are looking into a solution that watches Conficker behaviors. Our Internet Threats Monitor has proven to be very effective at getting updates out to all our customers within just a few minutes. We could do the same as Conficker mutates and we learn its new behavior. For now, here are a few things to be aware of:
- Make sure you know your company’s legitimate applications VERY WELL.
- Make sure you have defined the known applications within Scrutinizer.
- Put in the time to mark legitimate traffic within the Top Applications gadget of Flow Analytics.
- Watch your DNS logs for hosts failing to resolve odd host names. Maybe script something that looks for excessive DNS lookup failures within a time frame, etc. I’m still looking into this.
- Participate in Systrax and get involved.
Are you infected?
Take the Conficker test right now. If all 6 images show up you are in good shape.