We're seeing quite a large number of Conficker worm infections since the start of the New Year, and especially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, already noticed an increase in infections a few days ago.

As you may recall, Conficker is a worm that spreads via networks and USB drives. It attempts to brute-force usernames and passwords and takes advantage of the Server Service vulnerability in Windows, which allows remote code execution. The worm also auto-updates itself every day from a long list of URLs, so it looks like it's preparing for a larger attack.
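The password-guessing behaviour described above leaves a recognisable trace on the victim: a burst of failed logons from a single source workstation against a run of account names. The script below is an added example, not code from the original post or from Panda, that flags such bursts from a list of failed-logon records. It assumes the records carry `Time`, `Workstation` and `Account` properties; on a live host they would be built from `Get-EventLog -LogName Security` (event 529 on XP/2003, 4625 on Vista/2008), which requires parsing the event message and is left out here. The sample data at the bottom is constructed.

```powershell
# Added example (not from the original post): flag hosts that generate a burst of
# failed logons, the pattern a password-guessing worm leaves in the Security log.
# Assumptions: input objects carry Time, Workstation and Account properties.
# The hostnames, account names and timestamps below are constructed sample data.

function Find-LogonBursts {
    param(
        [object[]] $Events,             # failed-logon records
        [int]      $Threshold = 10,     # failures from one source ...
        [int]      $WindowSeconds = 60  # ... within this many seconds
    )
    $bursts = @()
    foreach ($group in ($Events | Group-Object -Property Workstation)) {
        $times = @($group.Group | Sort-Object -Property Time | ForEach-Object { $_.Time })
        # Sliding window: for each event, count the events that fall within
        # WindowSeconds after it. The first window over the threshold raises an alert.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddSeconds($WindowSeconds)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                $accounts = @($group.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
                $bursts += New-Object PSObject -Property @{
                    Workstation = $group.Name
                    Failures    = $count
                    FirstSeen   = $times[$i]
                    Accounts    = ($accounts -join ', ')
                }
                break   # one alert per source workstation is enough
            }
        }
    }
    return $bursts
}

# Constructed sample: one host tries 12 passwords for administrative accounts in
# under a minute; a second host has a user who mistypes twice, five minutes apart.
# Only the first host should be reported.
$base    = Get-Date '2009-01-12 09:00:00'
$sample  = @()
$guessed = 'Administrator','admin','root','backup','test','guest',
           'user','admin','Administrator','sql','oracle','admin'
for ($i = 0; $i -lt $guessed.Count; $i++) {
    $sample += New-Object PSObject -Property @{
        Time = $base.AddSeconds(4 * $i); Workstation = 'WS-FLOOR2-17'; Account = $guessed[$i]
    }
}
$sample += New-Object PSObject -Property @{ Time = $base.AddMinutes(5); Workstation = 'WS-HR-03'; Account = 'jsmith' }
$sample += New-Object PSObject -Property @{ Time = $base.AddMinutes(6); Workstation = 'WS-HR-03'; Account = 'jsmith' }

Find-LogonBursts -Events $sample | Format-Table Workstation, Failures, FirstSeen, Accounts -AutoSize
```

With the sample data, only `WS-FLOOR2-17` is reported (12 failures inside a 44-second span). The threshold and window are deliberately parameters: a worm that walks a password list hits far harder than a user who forgets a password, and tuning those two numbers against a day of your own Security log is what separates a useful alert from noise.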

Checking the SANS activity-by-port data again, it's obvious this is something you need to worry about:

As posted about a month and a half ago, TruPrevent proactively blocks Conficker's network infections thanks to a new Policy Rule we pushed out to all our retail products. In addition, we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.

As a curiosity, I was travelling the other day and, while connected to the WiFi network of a German airport, I noticed the following Conficker worm variant trying to brute-force its way into my machine:



The Conficker worm means business, so be careful out there. Some preventive steps you should be following if you haven't done so already:

  • If you're responsible for a network, scan for vulnerable machines (using Baseline Analyzer, Nessus, etc.).
  • Patch your servers and workstations by applying the update from Microsoft Security Bulletin MS08-067.
  • Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
  • Turn off the AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
  • Make sure your antivirus and security solution is up to date with the latest version and signature database.
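Two of the steps above (the MS08-067 patch and AutoRun) can be checked on every Windows box with a short script. The one below is an added example, not Panda's code or a Microsoft tool; it assumes that MS08-067 is installed as hotfix KB958644 (the KB number of that bulletin on XP, 2003, Vista and 2008) and that AutoRun is governed by the `NoDriveTypeAutoRun` policy value, where 0xFF turns it off for every drive type. Note that on older XP/2003 builds this registry value was not fully honoured for autorun.inf until a later Microsoft update, which is presumably the "global solution" mentioned above, so treat the registry check as necessary rather than sufficient.

```powershell
# Added example (not from the original post): audit a Windows host for two of the
# Conficker preconditions listed in the post, then offer to close the AutoRun one.
# Assumptions: MS08-067 ships as KB958644; NoDriveTypeAutoRun = 0xFF disables
# AutoRun for all drive types. Run as an administrator to change the policy.

function Test-MS08067Patch {
    # Win32_QuickFixEngineering lists installed hotfixes and works on PowerShell 1.0 upwards.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -match 'KB958644' }
    return ($fix -ne $null)
}

function Get-AutoRunPolicy {
    # The machine policy wins over the per-user one, so check HKLM first.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($v -ne $null) { return [int]$v.NoDriveTypeAutoRun }
    }
    return $null   # value absent: AutoRun is running on the Windows defaults
}

function Disable-AutoRun {
    # Every drive-type bit set (0xFF) means AutoRun is off for all drive types.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

$patched = Test-MS08067Patch
$autorun = Get-AutoRunPolicy
$shown   = if ($autorun -eq $null) { 'not set' } else { '0x{0:X2}' -f $autorun }

Write-Host ("MS08-067 (KB958644) installed : {0}" -f $patched)
Write-Host ("NoDriveTypeAutoRun            : {0}" -f $shown)

if (-not $patched) {
    Write-Warning 'This host is exposed to MS08-067. Install the update before it stays on the network.'
}
if ($autorun -ne 0xFF) {
    Write-Warning 'AutoRun is not fully disabled. Run Disable-AutoRun as an administrator.'
}
```

The script only reports by default; calling `Disable-AutoRun` changes the machine policy, and a reboot or Explorer restart is needed before the new value applies. For a whole network, the same two checks are what the scanning step in the list above should be looking for, and the patch check is the one that matters most: AutoRun hardening stops the USB path, but only MS08-067 closes the network path the worm is spreading over.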