Conficker/Downadup Worm UPDATE

There are still concerns amongst the INFOSEC community about the ongoing Conficker/Downadup worm problem.

The Conficker/Downadup worm attempts to exploit a previously patched stack buffer overflow vulnerability in the Microsoft Windows Server service (MS08-067, CVE-2008-4250). The flaw is reachable over the network without authentication, so an unpatched host that exposes the Server service can be infected with no user interaction.

A new variant of this worm, referred to as Conficker B++, has been identified. In addition to using the same propagation methods as Conficker.B, the B++ variant implements a new backdoor with "auto-update" functionality. This functionality allows machines compromised by Conficker B++ to have additional malicious binaries installed on them from remote systems without relying on the previous variants' command and control (C2) network. More specifically, hosts infected with the B++ variant can receive new code and instructions without first contacting one of the rendezvous domains produced by the domain generation algorithm. This appears to be an attempt by the operators of the Conficker network to evade the detection and blocking techniques (including pre-registration and sinkholing of the generated domains) developed by multiple parties in the security community in response to the earlier variants' behavior.

According to Microsoft, there is no indication that systems infected with previous variants of Conficker can automatically be re-infected with the B++ variant.

Recommended actions:

- Apply the MS08-067 patch as soon as possible on every Windows host, including hosts that are not domain-joined or are normally offline.
- Review your antivirus vendor's removal guidelines specific to this malware before attempting cleanup; an infected host should be patched before it is cleaned, or it will simply be re-infected from the network.
- Install antivirus software and keep the virus signatures up to date.
- Disable Autorun on removable media to prevent infection via the autorun.inf mechanism the worm uses on USB drives and network shares.
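The following PowerShell script is an added example, not part of the original bulletin or of any vendor tooling. It checks a Windows host for the two host-level mitigations above (the MS08-067 patch and disabled Autorun) and applies the Autorun policy if it is missing. It assumes that MS08-067 was installed under hotfix ID KB958644 (the ID Microsoft shipped it as) and that the machine-wide Explorer policy key is the one that governs Autorun; the `NoDriveTypeAutoRun` value `0xFF` disables Autorun for all drive types.

```powershell
# Added example (not from the advisory): audit a Windows host for the MS08-067
# patch and for disabled Autorun, the two host-level mitigations against Conficker.
# Assumptions: MS08-067 shows up as hotfix KB958644; Autorun policy is read from
# the machine-wide Explorer policy key.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-MS08067Patch {
    # Get-HotFix queries Win32_QuickFixEngineering. If KB958644 is absent, the
    # Server service is still exposed to the overflow Conficker exploits.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Test-AutorunDisabled {
    $props = Get-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    # 0xFF (255) disables Autorun for every drive type, including removable media.
    return ($null -ne $props -and $props.NoDriveTypeAutoRun -eq 0xFF)
}

function Disable-Autorun {
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Report the current state of both mitigations.
$patched  = Test-MS08067Patch
$noAutorun = Test-AutorunDisabled
'MS08-067 (KB958644) installed : {0}' -f $patched
'Autorun disabled (0xFF)       : {0}' -f $noAutorun

if (-not $patched) {
    'ACTION: install the MS08-067 update before connecting this host to the network.'
}
if (-not $noAutorun) {
    Disable-Autorun
    'Autorun policy set to 0xFF; log off or reboot so Explorer picks up the change.'
}
```

Two caveats when reading the output: Get-HotFix only lists updates that were installed as separate packages, so a host whose operating system or service pack already included the fix will report the patch as missing and needs to be verified another way (for example by checking the file version of netapi32.dll against the version listed in the MS08-067 bulletin). And on Windows XP and Server 2003, the `NoDriveTypeAutoRun` value is only honored correctly for autorun.inf after Microsoft's Autorun fix KB967715 is installed, so that update should be on the same checklist as MS08-067.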