Downadup (Conficker) Worm:
When Patching Takes Too Long

Update
Check Point protects its customers against all known variants of this worm, including variant C, expected to activate on April 1st. This protection is available on the network level through Check Point’s SmartDefense updates and the IPS Blade. Check Point strongly recommends that customers who have not yet applied the Microsoft patch activate this protection.

Overview
The Downadup worm (a.k.a. ‘Conficker’ or ‘Net-worm.Win32.Kido’) exploits the MS08-067 vulnerability in the Windows Server Service and propagates itself quickly over a network. Although a patch from Microsoft has existed for this vulnerability since October, delays in applying the patch allowed millions of computers to become infected and left millions more vulnerable. Companies that rely on patches alone to protect their networks are finding that, in the case of this worm, their patching process may fail to prevent large-scale infection of network machines.

Infection Impact
Currently the worm does not harm infected computers, but it has the capacity to cause considerable damage at a later time. Once infected, the affected computer generates hundreds of random web addresses and attempts to contact them daily in order to download an executable. Hackers register one of these addresses and place a malicious executable there, which is then run on all infected computers. This means that the worm is capable of delivering almost any payload. Successful exploitation would cause a denial of service and may allow execution of arbitrary code on a vulnerable system.
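
A defender's view of the lookup pattern described above, as an added example that is not part of the original advisory or of any Check Point product: it scans DNS resolver logs for a client that queries many distinct names in one day with nearly all of them failing to resolve. The log format, thresholds, addresses and names are constructed assumptions, and the random names are plain random strings, not the worm's generation algorithm.

```python
import random
import string
from collections import defaultdict


def flag_rendezvous_hosts(log_lines, min_domains=100, min_nx_ratio=0.9):
    """Flag clients that looked up many distinct names in one day, nearly all
    of which did not resolve. Returns {(day, client): (names, nx_ratio)}."""
    seen = defaultdict(dict)  # (day, client) -> {qname: last rcode}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        day, client, qname, rcode = parts
        seen[(day, client)][qname.lower().rstrip(".")] = rcode
    flagged = {}
    for key, names in seen.items():
        nx_ratio = sum(rc == "NXDOMAIN" for rc in names.values()) / len(names)
        # Volume alone matches proxies and crawlers; failures alone match typos.
        if len(names) >= min_domains and nx_ratio >= min_nx_ratio:
            flagged[key] = (len(names), round(nx_ratio, 3))
    return flagged


def constructed_sample(day="2009-03-30"):
    """Constructed log lines in the assumed format 'day client qname rcode'."""
    rng = random.Random(1)
    random_names = set()
    while len(random_names) < 250:  # random strings, not the worm's algorithm
        label = "".join(rng.choices(string.ascii_lowercase, k=10))
        random_names.add(label + ".example")
    lines = []
    # 10.0.0.23: the behaviour described above; one name resolves, 249 do not.
    for i, name in enumerate(sorted(random_names)):
        rcode = "NOERROR" if i == 0 else "NXDOMAIN"
        lines.append(f"{day} 10.0.0.23 {name} {rcode}")
    # 10.0.0.7: ordinary user with a single mistyped name.
    for name, rcode in [("intranet.example", "NOERROR"),
                        ("mail.example", "NOERROR"),
                        ("mial.example", "NXDOMAIN")]:
        lines.append(f"{day} 10.0.0.7 {name} {rcode}")
    # 10.0.0.40: busy proxy, many distinct names but all of them resolve.
    lines += [f"{day} 10.0.0.40 site{i}.example NOERROR" for i in range(150)]
    return lines


if __name__ == "__main__":
    for (day, client), (count, ratio) in flag_rendezvous_hosts(constructed_sample()).items():
        print(f"{day} {client}: {count} distinct names, {ratio:.1%} NXDOMAIN")
```

Only 10.0.0.23 is flagged; the thresholds are starting points to tune against a site's own resolver traffic.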

Protection and Recommendations
When the original Microsoft vulnerability (MS08-067) was announced in October, SmartDefense Services provided a protection that prevents the network propagation of this worm. Since many companies are unable to patch quickly or completely enough to resist this type of worm, Check Point recommends that companies augment their patching process with intrusion prevention systems. These can be deployed both at the network perimeter and at internal locations, separating the company's network into segments. Depending on their deployment needs, customers may choose a combination of integrated IPS (Check Point SmartDefense and the new Check Point IPS Software Blade) and dedicated IPS (Check Point IPS-1) for this purpose.