We are currently working on a new set of filters to provide additional coverage for the C variant of this malware. However, we have listed below a number of pre-existing filters that already provide coverage for Conficker.
The following filters provide coverage against Conficker's use of MS08-067 to infect nearby hosts. These filters should be enabled in Block + Notify:
- 5457: MS-RPC: Microsoft Server Service Buffer Overflow
- 6515: MS-RPC: Microsoft Server Service Buffer Overflow
- 6545: MS-RPC: Microsoft Server Service Buffer Overflow
- 6565: MS-RPC: Microsoft Server Service Buffer Overflow
The following filters should also block the download of some variants. They are policy filters, however, and will block a small percentage of legitimate executable downloads. Since the vast majority of executables that use these packers are malicious, it may be a good idea to enable them:
- 3917: HTTP: Aspack Compressed Executable Download
- 4111: HTTP: UPX Compressed Binary Download
- 6069: HTTP: UPack Compressed Executable Download
Furthermore, the following filters can be enabled with a quarantine action set combined with a large threshold of consecutive hits to help track down infected hosts on your network. In many cases it is not OK to put these filters into Block, however, so please be careful when enabling them:
- 1400: SMB: Windows Logon Failure
- 1660: SMB: Windows Logon Failure
- 6863: KERBEROS: Authentication Error (UDP)
- 6864: KERBEROS: Authentication Error (TCP)
- 2178: SMB: ADMIN$ Hidden Share Access
- 2796: SMB: Windows Repeated Logon Failure (Possible Brute Force)
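To illustrate the "large threshold of consecutive hits" approach above, here is an added example (not code from the original post or from TippingPoint) that replays constructed alert lines and flags a host only after a run of consecutive hits on one of the noisy logon-failure filters, while a single hit on an MS08-067 filter is flagged immediately. The alert line format, the host addresses and the threshold value are assumptions made for the example, not a real IPS log format.

```python
from collections import defaultdict

# Filter IDs from the post: noisy credential/lateral-movement indicators
# that need a threshold before they mean anything on their own.
NOISY_FILTERS = {1400, 1660, 6863, 6864, 2178, 2796}
# Filter IDs from the post for MS08-067 exploit attempts: one hit is enough.
EXPLOIT_FILTERS = {5457, 6515, 6545, 6565}


def parse_alert(line):
    """Parse one constructed alert line: '<time> <src_ip> <filter_id> <action>'.
    This whitespace-separated layout is an assumption for the example."""
    ts, src, fid, action = line.split()
    return ts, src, int(fid), action


def hosts_over_threshold(lines, threshold):
    """Return {src_ip: filter_id} for hosts worth quarantining.

    A host is flagged when the same noisy filter fires `threshold` times in a
    row for that host (a hit on a different filter resets the run), or at the
    first hit on an MS08-067 exploit filter."""
    streak = defaultdict(lambda: (None, 0))  # src_ip -> (filter_id, run length)
    flagged = {}
    for line in lines:
        _, src, fid, _ = parse_alert(line)
        if fid in EXPLOIT_FILTERS:
            flagged.setdefault(src, fid)
            continue
        if fid not in NOISY_FILTERS:
            streak[src] = (None, 0)  # unrelated traffic breaks the run
            continue
        last_fid, run = streak[src]
        run = run + 1 if last_fid == fid else 1
        streak[src] = (fid, run)
        if run >= threshold:
            flagged.setdefault(src, fid)
    return flagged


# Constructed sample alerts (not real data): one host hammering logons and
# then touching ADMIN$, one user with a single typo, one exploit attempt.
SAMPLE_ALERTS = [
    "10:00:01 10.0.0.5 1400 notify",
    "10:00:02 10.0.0.5 1400 notify",
    "10:00:03 10.0.0.5 1400 notify",
    "10:00:04 10.0.0.5 2178 notify",
    "10:00:05 10.0.0.9 1400 notify",
    "10:00:06 10.0.0.7 5457 block",
]

if __name__ == "__main__":
    print(hosts_over_threshold(SAMPLE_ALERTS, threshold=3))
```

With a threshold of 3 the noisy host and the exploit source are reported, and the single mistyped password is ignored; raising the threshold shows how the logon-failure filters drop out while the MS08-067 hit remains.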
We have a number of new filters in the works and should release something on Monday or Tuesday at the latest. In the meantime, if you have any questions or concerns, please let us know by posting a comment in the form below.
