April Conficker (March 30, 2009)

The Conficker.C variant was discovered on March 4, 2009.

This variant of the Conficker worm infects the local computer, terminates services, blocks access to numerous security-related Web sites and downloads arbitrary code. It can also relay command instructions to other infected computers via built-in peer-to-peer communication. Conficker.C does not infect clean machines on its own; it is installed as an update on computers already infected with previous variants of Win32/Conficker.

Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE), the flaw fixed by MS08-067. They may also spread via removable drives and by guessing weak administrator passwords.

This new version, however, does not attack new systems. Instead it waits until April 1, 2009. On that date, systems infected with Conficker.C will start trying to contact domains on the Internet for new instructions. Previous versions of Conficker did the same thing, but the domain generation algorithm has been changed in Conficker.C. The new algorithm generates a much larger pool of candidate domains than the original one: 50,000 domain names per day, of which each infected host picks 500 at random to contact. Because every infected host derives the same daily pool from the date, the botmaster only needs to register one of those 50,000 names, while anyone hoping to deny him every rendezvous point has to control the whole pool, every day.
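The following is an added illustration, not Conficker.C's actual algorithm (the page does not give it) and not SonicWALL code. It is a constructed date-seeded DGA stand-in with the two structural properties the text describes: a deterministic daily pool of 50,000 candidate domains shared by every infected host, and a per-host random choice of 500 of them. It then works out what that means for the botmaster, who registers a single domain, versus a defender trying to pre-register the pool. The SHA-256 derivation, the TLD list and the per-host seeds are all assumptions made for the example.

```python
"""Added example: a date-seeded DGA stand-in and what the pool size means for defenders.

This is NOT Conficker.C's real algorithm; it is a constructed illustration of
the two facts the text states: every infected host derives the same 50,000
candidate domains from the date, and each host contacts only 500 of them,
chosen at random.
"""
import hashlib
import random
from datetime import date

POOL_SIZE = 50_000       # candidate domains per day (figure from the text)
CONTACT_PER_DAY = 500    # domains one host actually tries per day (figure from the text)
APRIL_FIRST = date(2009, 4, 1)
# Assumed TLD list for illustration only; the page does not list Conficker.C's TLDs.
TLDS = ("com", "net", "org", "info", "biz")


def daily_pool(day: date, pool_size: int = POOL_SIZE) -> list[str]:
    """Return the deterministic candidate-domain list for `day`.

    The list depends on the date alone, so every bot and the botmaster compute
    the same set without ever talking to each other; the botmaster then only
    has to register one of them.  SHA-256 over (date, index) is a placeholder
    for whatever derivation the real worm uses.
    """
    seed = day.strftime("%Y%m%d").encode()
    pool = []
    for i in range(pool_size):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label_len = 8 + digest[0] % 7                             # 8..14 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        pool.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return pool


def host_selection(pool: list[str], host_seed: int, k: int = CONTACT_PER_DAY) -> list[str]:
    """The k domains one infected host tries today.  The per-host seed stands in
    for whatever local entropy makes each host's subset differ from its peers'."""
    return random.Random(host_seed).sample(pool, k)


def p_host_hits(pool_size: int, k: int, registered: int) -> float:
    """Probability that one host's k picks (without replacement) include at
    least one of `registered` domains that some party controls in the pool:
        1 - C(N-r, k) / C(N, k) = 1 - prod_{i<k} (N-r-i)/(N-i)
    """
    if registered > pool_size - k:        # fewer than k uncontrolled names remain
        return 1.0
    miss = 1.0
    for i in range(k):
        miss *= (pool_size - registered - i) / (pool_size - i)
    return 1.0 - miss


def simulate_reach(pool: list[str], controlled: set[str], hosts: int,
                   k: int = CONTACT_PER_DAY) -> float:
    """Fraction of `hosts` simulated bots that contact at least one controlled domain today."""
    hits = sum(
        any(d in controlled for d in host_selection(pool, seed, k))
        for seed in range(hosts)
    )
    return hits / hosts


if __name__ == "__main__":
    pool = daily_pool(APRIL_FIRST)
    botmaster = {pool[12345]}             # attacker registers a single name from the pool
    print(f"pool size {len(pool)}, each host tries {CONTACT_PER_DAY}")
    print(f"P(a host reaches the one attacker domain today) = "
          f"{p_host_hits(POOL_SIZE, CONTACT_PER_DAY, 1):.4f}")
    print(f"simulated over 200 hosts: {simulate_reach(pool, botmaster, 200):.3f}")
    # Holding the 500 names any one host will try is not enough to deny the
    # botmaster a rendezvous; only controlling the entire daily pool does that.
    print(f"P(hit) if defenders hold the whole pool = "
          f"{p_host_hits(POOL_SIZE, CONTACT_PER_DAY, POOL_SIZE):.1f}")
```

Each bot has only a 1% chance per day of reaching the single domain the botmaster chose, which is enough for the botmaster because the peer-to-peer channel lets the few bots that succeed pass the update on to the rest; the defender, by contrast, gains certainty only by holding all 50,000 names for that day.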

So the only thing that will happen on April 1st is that already-infected computers will start using the new algorithm to locate potential update servers; the date itself produces no new infections.

The SonicWALL UTM research team is monitoring the situation and releasing GAV signatures for Conficker variants as soon as they are discovered. SonicWALL Gateway AntiVirus provides protection against Conficker.C with the following GAV signatures:
* Conficker.C
* Conficker.C_2
* Conficker.C_3
* Conficker.C_4
* Conficker.C_5
* Conficker.C_6
* Conficker.C_7
* Conficker.C_8
* Conficker.gen (Worm)

In addition, the following IPS signatures are related to Conficker; the MS08-067 entries cover attempts to exploit the Server service vulnerability used by the earlier, self-propagating variants:

* 1160 SRVSVC NetPathCanonicalize BO Attempt 1 (MS08-067)
* 1161 SRVSVC NetPathCanonicalize BO Attempt 2 (MS08-067)
* 1174 SRVSVC NetPathCanonicalize BO Attempt 3 (MS08-067)
* 1178 SRVSVC NetPathCanonicalize BO Attempt 4 (MS08-067)
* 1186 SRVSVC NetPathCanonicalize BO Exploit 1 (MS08-067)
* 1190 SRVSVC NetPathCanonicalize BO Exploit 2 (MS08-067)
* 1226 SRVSVC NetPathCanonicalize BO Exploit 3 (MS08-067)
* 1250 SRVSVC NetPathCanonicalize BO Attempt 5 (MS08-067)
* 1257 SRVSVC NetPathCanonicalize BO Attempt 6 (MS08-067)
* 1261 SRVSVC NetPathCanonicalize BO Attempt 7 (MS08-067)
* 5450 Conficker Infected Machine Activity

There were two previous SonicAlerts related to this vulnerability:

The SonicWALL UTM research team recommends ensuring that systems are patched with MS08-067, that security software signatures are updated, that systems infected with any variant of Conficker are cleaned, and that network passwords are strong, to prevent Conficker variants from spreading.
