Security Community Blog

Is Symantec Ready for Conficker (Downadup)? Yes!

Created: 31 Mar 2009 • 22 comments
Posted by khaley
Interest in Conficker (also known as Downadup) is reaching a frenzied peak. As media interest in this worm continues to rise, customers are asking whether Symantec is ready for Conficker. The answer is a resounding yes. Symantec customers are already protected, as long as they are running the latest AV and IPS definitions. This article provides a short overview of Conficker (Downadup) and the protection offered by Symantec products.
 
Background
Conficker first appeared in late 2008 as the first worm in the wild to exploit MS08-067, a then newly reported vulnerability in the Windows Server service that is reachable remotely through the Remote Procedure Call (RPC) interface. Symantec named the worm Downadup, but over time the popular name for this threat has become Conficker. Symantec customers were quickly protected from the vulnerability with newly released IPS and AV signatures.
 
In late November a new variant (.B) was detected which added a Swiss Army knife of new tricks, brute-forcing network file shares and infecting removable media in addition to the MS08-067 exploit, and infection rates began to climb again among machines not protected by Symantec products. Symantec Security Response has been monitoring the evolution and growth of the threat using its extensive honeypot network. As of our most recent statistics there are roughly 1.75 million Downadup infections worldwide.
 
Most recently (in early March) Symantec was the first company to detect a significant new variant of the threat (.C), which was silently downloaded to already-infected machines. The .C update hardened existing infections and made them harder to detect and remove: it kills security software, blocks DNS lookups of security vendor sites and adds anti-analysis logic. This does not affect machines running current Symantec software, because the threat is blocked before it ever has a chance to run; it does matter on a machine that was infected before definitions reached it, where these self-defence features are exactly what gets in the way of cleanup (see the removal notes below).
 
The following table summarizes the different flavors of Downadup/Conficker:

                      W32.Downadup            W32.Downadup.B               W32.Downadup.C
Propagation Method    MS08-067 exploitation   MS08-067 exploitation        Removed (no self-propagation;
                                              File share brute forcing     delivered as an update to
                                              Removable media infection    existing infections)
Command & Control     HTTP                    HTTP                         Improved HTTP
                                              Primitive P2P                Robust P2P
Defense Techniques    None                    Kills some DNS lookups       Kills some DNS lookups
                                              Kills AutoUpdate             Kills AutoUpdate
                                              HTTP code signing            Kills security software
                                              P2P code signing             Advanced anti-analysis
                                                                           P2P & HTTP code signing
 
What does Conficker do?
No one yet knows the full purpose of Conficker. To date, infected machines appear to be dormant members of a new bot network largely awaiting further instructions.
 
 
Am I protected?
Symantec AntiVirus products detect the three variants with the W32.Downadup, W32.Downadup.B and W32.Downadup.C definitions; definitions dated March 6, 2009 or later cover all three (the release dates are listed in the comments below).

Symantec Intrusion Prevention System (IPS) signatures block the MS08-067 exploit attempt on the network, so a protected machine is never infected in the first place even if it has not yet been patched. IPS is a second line of defence, not a substitute for the MS08-067 patch, and both definitions and IPS signatures must be current for the statements above to hold.

Should anyone get infected (for example, a machine that was not running Symantec products), Symantec has published a fix tool which can be used to remove the malware from infected machines. That tool can be found here. Keep in mind that the .B and .C variants block DNS lookups of security vendor sites, so you may need to download the tool on a clean machine, or use the workaround documented with the tool; if you carry it over on a USB drive, remember that .B also infects removable media.
 
So what happens next and why is everyone talking about April 1st?
Security Technology and Response engineers have discovered that the next phase in the Conficker story is expected on April 1st.
 
The latest version (.C) of the threat has a more complex mechanism for attempting to update itself over the Internet. With previous versions of Downadup, each infected computer generated the same list of 250 new domains every day and tried to contact each of them for further "attack instructions"; a list that short and that predictable can be pre-registered and blocked or sinkholed by defenders. Machines infected with the new version will instead generate 50,000 possible domains per day and each check its own random subset of 500 of them, so a defender would have to control all 50,000 names every day to be sure of intercepting every bot. This new version of the threat will not begin contacting these domains until April 1, 2009, a date the worm evaluates in GMT rather than local time. On that date a new set of instructions could be sent to infected machines, which would no doubt change the behaviour yet again as the cat-and-mouse game continues; note that the date only switches on the new update channel, it does not by itself mean the botnet's operators will act. As before, we continue to monitor the active infections in our honeypot network. The stakes are high, but we believe that our customers are fully protected as long as they have our latest AV and IPS signatures deployed on their systems.
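To make the rendezvous mechanism described above concrete, here is a toy model of it. This is an added example, not Symantec's code and not the worm's real algorithm (which is deliberately not reproduced): the date-seeding scheme, the TLD list, the label lengths, the per-bot sampling rule and the resolver log format are all assumptions invented for illustration; only the counts (250 versus 50,000 domains per day, 500 per bot) and the April 1, 2009 GMT gate come from the post. It goes one step beyond the text by adding an NXDOMAIN-rate heuristic, the defender-side check a practitioner would run over DNS resolver logs to spot hosts probing hundreds of never-registered names.

```python
"""Toy model of a date-seeded domain-generation algorithm (DGA), per-bot
sampling of the daily pool, a UTC-based activation gate, and an
NXDOMAIN-rate detector for resolver logs.

Added example, not Symantec's or the worm's code.  Seeding, TLDs, label
lengths, per-bot sampling and the log format are assumptions; only the
counts and the April 1, 2009 GMT gate come from the post.
"""
import hashlib
import random
from collections import Counter
from datetime import datetime, timezone

TLDS = ["com", "net", "org", "info", "biz"]              # assumption
ACTIVATION = datetime(2009, 4, 1, tzinfo=timezone.utc)   # gate from the post, GMT


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with an explicit offset, e.g. '2009-04-01T01:00:00+05:00'."""
    return datetime.fromisoformat(iso)


def daily_domains(day: datetime, count: int, seed: bytes = b"toy-dga") -> list[str]:
    """All `count` candidate domains for one UTC calendar day.

    Every bot derives the same pool from the date alone, which is why a
    defender who knows the algorithm can pre-compute and register it.
    """
    day_key = day.astimezone(timezone.utc).strftime("%Y-%m-%d").encode()
    rng = random.Random(hashlib.sha256(seed + day_key).digest())
    domains = []
    for _ in range(count):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(6, 10)))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def rendezvous_set(bot_id: int, now: datetime, total: int, sample: int) -> list[str]:
    """The subset of the day's pool that one bot actually queries.

    Returns [] before the activation date.  `now` must be timezone-aware;
    the comparison is done in UTC, so a host whose local clock has already
    passed midnight on April 1 does not wake up early.
    """
    if now.astimezone(timezone.utc) < ACTIVATION:
        return []
    pool = daily_domains(now, total)
    # Assumption: a per-bot PRNG picks the subset, so bots overlap only by chance.
    return random.Random(bot_id).sample(pool, sample)


# Constructed resolver log lines (not real data): "<ts> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2009-04-01T00:05:01Z 10.0.0.7 intranet.example.local NOERROR
2009-04-01T00:05:02Z 10.0.0.7 xkqpzlwrtq.biz NXDOMAIN
2009-04-01T00:05:02Z 10.0.0.7 bmwoqvhty.info NXDOMAIN
2009-04-01T00:05:03Z 10.0.0.7 qqlpzekdh.net NXDOMAIN
2009-04-01T00:05:03Z 10.0.0.7 zuhtweplsa.org NXDOMAIN
2009-04-01T00:05:04Z 10.0.0.7 rpoxmwncq.com NXDOMAIN
2009-04-01T00:05:05Z 10.0.0.9 www.example.com NOERROR
2009-04-01T00:05:06Z 10.0.0.9 typo.exmaple.com NXDOMAIN
2009-04-01T00:05:07Z 10.0.0.9 mail.example.com NOERROR
"""


def nxdomain_counts(log_text: str) -> Counter:
    """Count NXDOMAIN answers per client address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "NXDOMAIN":
            counts[parts[1]] += 1
    return counts


def flag_hosts(log_text: str, threshold: int = 5) -> list[str]:
    """Clients with at least `threshold` NXDOMAIN answers in the window.

    A bot probing hundreds of unregistered names a day produces a burst of
    NXDOMAINs that ordinary clients do not.  The threshold is an assumption
    and must be tuned against the site's own baseline.
    """
    return sorted(c for c, n in nxdomain_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    local_apr1 = at("2009-04-01T01:00:00+05:00")   # April 1 locally, still March 31 GMT
    after = at("2009-04-01T00:30:00+00:00")
    print("queries while local clock says April 1 but GMT does not:",
          len(rendezvous_set(1, local_apr1, 50_000, 500)))
    print("queries once it is April 1 GMT:", len(rendezvous_set(1, after, 50_000, 500)))
    print("flagged clients:", flag_hosts(SAMPLE_LOG))
```

Two things worth noticing when running it: the gate compares against GMT, so a machine in a time zone ahead of GMT stays quiet until the GMT date rolls over, and the full 50,000-name pool is reproducible by anyone who knows the algorithm and the date, which is what makes pre-registration possible in principle and impractical at that volume.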
 
More Information
1)      Enterprise customers can find more details here.
 
2)      Consumer / Norton customers can find more details here.
 
3)      The Symantec removal tool can be found here. A link to this has been published in the latest US-CERT advisory here.
 
4)      Watch CBS correspondent Leslie Stahl talk to Steve Trilling, Symantec VP Security Technology & Response, on 60 Minutes about the impact of Conficker here.
 
5)      The Downadup Codex - A comprehensive guide to the threat’s mechanics.  This paper provides a detailed analysis of the threat.

Comments (22)

Hear4U:

As you may know, Symantec discussed this last week on the CBS show "60 Minutes." With the spike in online chatter and search we've seen on our site, we wanted to provide some additional information regarding the Conficker virus.   Let us know what you think - the "big day" is April 1...

check out the community at www.infoblox.com/community

+7 votes

Kirrin Jones:

Even though my SEP is up-to-date on all my workstations and servers, and I am confident that I am not infected, I'm still concerned as to what activities will be executed come tomorrow.

+5 votes

doni:

Can someone confirm exactly which definitions include these fixes? "Latest" is relative. Are last week's defs good enough? Yesterday's? Thanks

+5 votes

khaley:

Here are the three AV signatures for Downadup and their dates of release.

W32.Downadup (Released: Nov 21, 2008)
W32.Downadup.B (Released: Feb 20, 2009)
W32.Downadup.C (Released: Mar 6, 2009)

+10 votes

doni:

Ah, didn't realize the links in the article had the dates in them. Sorry about that. So defs after 3/6 should be safe from all three variants. Good to know, thanks!

+3 votes

khaley:

I can't predict the future, but the most likely scenario is that no major incident happens tomorrow.  Infected machines are updated to a more efficient communication method on the 1st.  But that doesn't mean whoever is behind Conficker will actually begin using those machines.

Tomorrow would not be a great day for the bad guys to try something. Symantec, other security organizations, law enforcement, the press and a whole lot of other people are going to be watching them pretty closely tomorrow. If something happens we'll know right away. And we'll take whatever steps are needed to keep people protected.

+5 votes

B_Carlin:

In many parts of the world it is already April 1st... I don't believe this is just central to your specific time zone.

Cheers-
Bill

+3 votes

khaley:

Any possible updates to W32.Downadup.C will only start to take place once it is the 1st of April 2009 in the GMT time zone. So we have a little more time before we find out what happens.

+4 votes

Sandeep Cheema:

Just as an update, it's 03:04 a.m. GMT right now and a lot of our servers have local time past that. No unusual activity noticed at the antivirus / firewall level (perimeter).

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

+1 vote

Sadis:

My system was infected by W32.Downadup.B starting last week. This worm spreads from a PC without SEP (Windows 98). How can I handle this problem? My systems use Windows 98, Windows XP and Windows 2000; the Windows XP and Windows 2000 machines are protected by SEP.

+1 vote

justscott:

I have seen absolutely nothing on the corporate front; however, I did have someone say that their home machine was infected... I passed him along the removal tool.

I run SEP 11 MR4 in the office, and I'm not sure if he even had antivirus at home. But since I have not come across the worm, I am unable to test removal, so I assume just running the tool exe removes everything?

+3 votes

khaley:

Sorry to hear about your infection.  There is a good summary of Downadup in the KB article at this link:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648

But more importantly, it has a link to the Symantec fixtool. That should help you get rid of the infection. If the worm is blocking access to our web site, there is a simple solution to turn off that "feature" of the worm documented there too.

Good luck.

+3 votes

Sandeep Cheema:

Okay, we had some servers that had been infected with Conficker. On 1st April we noticed that there were too many threats that were being detected but not cleaned (failed). So we suspect that Conficker is acting as a downloader for other threats now, but can this just be the cover fire?

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

+3 votes

Hear4U:

What are others experiencing?  Keep us informed!

check out the community at www.infoblox.com/community

+1 vote

brav:

Interesting update article on The Register.

http://www.theregister.co.uk/2009/04/03/conficker_...

m00

+3 votes

riva11:

No infections detected. At our sites, patch deployment to all servers, desktops and laptops worked well and the MS08-067 patch was on these systems within a few days after Microsoft's release. Also, the Symantec virus defs were correctly updated. These two different protections worked, and the 1st of April can be considered closed with success.

+4 votes

Hear4U:

We'll post information in the blog section as new developments are available. Keep the comments coming; we appreciate them and are forwarding them to folks internally as appropriate.

Eric

check out the community at www.infoblox.com/community

+4 votes

Sandeep Cheema:

The threats that were being downloaded have been stopped, and it all happened in a very well synchronized way. We are just confused as to what's happening. There were instances of Conficker that were being detected; on some servers they were deleted, on others it failed. We don't see any other reason for the makers of Conficker to download the threat and infect the system unless they want to distract attention, with the real purpose being something else, as everyone was prepared in a way for D-Day. We are in the process of examining the system state after 1st April, though there aren't any more threats being detected. We are also awaiting a report by Symantec on the global effects, specifically for Conficker on 1st April and beyond. That is very important for us.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

+2 votes

mb773:

1st April with Conficker has gone by, but I wonder if there is some other attack scheduled for the next months?

+6 votes

riva11:

I read in the TrendLabs article "DOWNAD/Conficker Watch: New Variant in The Mix?" about a new variant called WORM_DOWNAD.E.
Any Symantec news about it?

+5 votes

Ram Champion:

Such proactive alerts will help businesses minimize business risks, since most of them were not affected by Conficker. Nice posts from forum members.

+2 votes

Sandeep Cheema:

Yeah, Symantec has defs for the "E" variant as well.
http://www.symantec.com/security_response/writeup.jsp?docid=2009-040823-4919-99&tabid=1

Most of the vendors had them by 9th April.
http://www.virustotal.com/analisis/720ed51914637344b03e2f702c722170

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

+2 votes