Conficker Worm / Downadup Worm: New Variant By-Passes Some Countermeasures

From the Spy vs. Spy Department….

There is a new variant of Conficker / Downadup worm on the loose. It has new elements designed to circumvent some of the counter measures to the original attack.

To re-cap, Conficker-infected machines can contain key loggers, launch Denial of Service attacks and can become part of a botnet.  The worm can spread through USB devices and network shares. Latest reports are that millions computers are infected.

Conficker B++, uses new techniques to attack systems, giving its creators more flexibility with compromised systems.  Some admins have minimized the impact of Conficker by carefully controlling DNS and routing, to prevent the Conficker worm from contacting the mother ship.

The new variant appears to skip the need to contact a mother ship. You may read a detailed report of the new variant in this excellent SRI report.  Countermeasures like stronger network passwords, and USB control software are still effective means of mitigating  Conficker B++

Some have opined that it is sufficient to turn off auto-run on USB to stop the spread of the original Conficker. That tactic ignores that fact that there are reports that some variation of Conficker re-enable autorun. Others try to protect USB by disabling the ports through active directory group policy. That solution ignores the reality that an exception list starts to build for those that need access to certain USB ports.

The best solution I have found is to deploy third party software that has granular controls for all removable media ports; shadow copies the files that are moved, for audit purposes; and, that deploys as a group policy object, rather than through a separate control panel.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: