Proactive IT Security
 

Norman warns about the worm W32/Conficker - it is still a threat

Press release

Oslo, Norway, 12 March 2009 – The W32/Conficker is a network-propagating worm family which has infected millions of computers worldwide since first detected in the fall 2008. The worm is difficult to recognize, as it does not display any messages or warnings when it has infected a computer.

There are several variants, and one of the worm’s “features” is its capability to spread to other machines via a vulnerability in the Windows Server Service which allows remote code execution. A patch for this was released by Microsoft in October 2008. This patch will prevent the worm to further propagate. The worm also has other spreading mechanisms implemented, like proagation over Windows shares and through infected USB sticks.

A new “version” W32/Conficker.C is emerging fast. This version was first discovered in February 2009, and has a number of “improvements” implemented, evading countermeasures.

Examples of some of the new functionality to W32/Conficker.C are:

  • An extensive “call home” functionality for connecting to a “Command and Control server” (a command center used to manage the installed worms) for updates and changed payload. More than 50 000 new URLs are generated each day. This is making the “URL blocking” approach for stopping the worm much more challenging.
  • It appears in many variants (polymorph). These variants are generated dynamically by applying polymorphic encryption and compressing algorithms.
  • The worm disables antivirus and antispyware functionality as well as security services and “forensic/system tools” like filemon, regmon, wireshark etc.

How does Norman detect and protect

  • New signatures for new variants of the worm are added “on the fly” to protect against new variants.
  • DNA Matching signature protection from several versions is included in Norman’s antivirus products.

This worm was first detected by Norman antivirus products November 27th 2008. Later variants have been continuously added.

To remove the worm and its malicious components completely, it is recommended to use Norman Malware Cleaner. Updates that fix the vulnerabilities are available from Windows automatic update mechanism for systems that support this. Alternatively, one may download updates from http://windowsupdate.microsoft.com.

Norman advices all affected users to download the security updates as soon as possible, to be protected from potential exploits.

Read more about W32/Conficker  


For further information, please contact:

Are Føllesdal Tjønn, CTO, +47 415 39 750
Audun Lødemel, VP Marketing and Business Development, +47 934 46 531