In the last week or so there has been a resurgence of the Conficker worm (detected as W32/Confick by Sophos's anti-virus products, and also known as Downadup), which we first saw in November. This is probably due to the malware authors adding new propagation methods, such as spreading via USB flash drives and Windows file shares.
These techniques make the worm hard to eradicate from a network: a single computer left unpatched against the Microsoft MS08-067 security vulnerability can be exploited again by any infected host, and once infected it is able to reinfect the whole network via file shares.
Obviously the best thing you can do – as we stressed back in November – is to make sure that Microsoft's patch is in place on every vulnerable computer on your network.
In addition, you should ensure that your anti-virus software is up to date, and if you use Sophos inside your company, ensure that HIPS and Buffer Overflow Protection (BOPS) are enabled, as they can stop the initial exploit that causes a network to become infected.
But what can you do if you can’t patch a computer with Microsoft’s patch for some reason?
Our advice is to block all incoming and outgoing traffic on TCP port 445 (SMB) to and from those computers, so that (a) they aren't hit with exploits from the internet or from infected machines on the LAN, and (b) if they somehow are exploited, they aren't able to infect the rest of the network via file shares. Be aware that this also stops those computers from using Windows file and printer sharing at all, which is precisely the point until they can be patched.
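One way to apply that block on the host itself, as an added example that is not part of the original post or a Sophos tool: the script below uses the built-in Windows Firewall via netsh. It assumes Windows Vista / Server 2008 or later (the "netsh advfirewall" context) and an elevated PowerShell prompt; the rule names are our own. The Windows XP firewall filters inbound traffic only, so on XP the outbound half has to be enforced at the switch or network firewall instead.

```powershell
# Added example: block SMB (TCP 445) in both directions on a host that cannot
# take the MS08-067 patch. Not from the original Sophos post.
# Assumes Windows Vista / Server 2008 or later and an elevated prompt.

# Make sure the firewall is actually on for every profile, otherwise the
# rules below do nothing.
netsh advfirewall set allprofiles state on

# Rule names are hypothetical; pick whatever fits your naming convention.
# Inbound: nobody may reach our SMB service (the MS08-067 exploit path).
# Outbound: we may not reach anybody else's SMB service (the file-share path).
$rules = @(
    @{ Name = 'ConfickerBlockSMBIn';  Dir = 'in';  PortArg = 'localport=445'  },
    @{ Name = 'ConfickerBlockSMBOut'; Dir = 'out'; PortArg = 'remoteport=445' }
)

foreach ($r in $rules) {
    # Remove a stale copy first so the script is safe to re-run.
    netsh advfirewall firewall delete rule name=$($r.Name) | Out-Null

    netsh advfirewall firewall add rule name=$($r.Name) dir=$($r.Dir) `
        action=block protocol=TCP $($r.PortArg) profile=any
}

# Verify: each rule should be listed as Enabled: Yes, Action: Block.
foreach ($r in $rules) {
    netsh advfirewall firewall show rule name=$($r.Name)
}
```

Block rules take precedence over allow rules in Windows Firewall, so an existing "File and Printer Sharing" exception does not override these. Remove the two rules once the patch is installed and the machine has been cleaned.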
Furthermore, if you have a group policy in place to lock out accounts after too many unsuccessful login attempts, the worm's attempts to guess passwords for network shares will probably cause many of these accounts to become locked out. This is obviously annoying, but at the same time a burst of lockouts is a good indicator that you may have an infected computer on the network, and the lockout records usually tell you which computer it is.
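As an added example that is not part of the original post, the following script finds the source of a lockout storm. It assumes a domain controller running Windows Server 2008 or later with PowerShell 2.0 or later, and that it is run on the PDC emulator, since every lockout in the domain is recorded there as Security event ID 4740 (Server 2003 logs the older ID 644, which Get-WinEvent cannot read on that platform). In a 4740 event the "Caller Computer Name" is stored in the field named TargetDomainName, which is the field the script reads.

```powershell
# Added example: list lockouts from the last 24 hours grouped by the computer
# that caused them. Not from the original Sophos post.
# Assumes Windows Server 2008+ (event ID 4740), PowerShell 2.0+, run on the
# PDC emulator with permission to read the Security log.

$since = (Get-Date).AddHours(-24)

# Get-WinEvent throws if nothing matches, hence SilentlyContinue.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                         -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Account = $d['TargetUserName']
            Source  = $d['TargetDomainName']   # "Caller Computer Name" in a 4740 event
        }
    }

# A single source locking out many different accounts in a short window is
# a dictionary attack against shares, not a user mistyping a password.
$lockouts |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', ' } }
```

A workstation at the top of that list with a dozen different accounts behind it is the machine to isolate and scan first; a legitimate lockout normally shows one account from one computer.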
And if you want to stop unpatched computers from causing problems inside your organisation in future, you might want to consider adopting a network access control (NAC) solution. With NAC you can ensure that endpoints meet minimum standards, such as running the latest patches – and if they don't, fix them or quarantine them.
Further reading: Download a free Conficker removal tool.
* Image source: Jean et Melo’s Flickr photostream (Creative Commons 2.0)