Astaro Patterns: Controlling Conficker Worm

With the recent attention in the media to the Conficker Worm, many customers have general questions regarding this threat.

For the short version, Astaro installations with HTTP Virus protection via the Web Security package have been protected against the HTTP download distribution (such as variant C) of this worm since January. However, with this Worm’s ability to spread multiple ways, such as the TCP and UDP transfer of the payload, Virus scanning at the gateway should be bolstered by Intrusion Protection to offer a more complete security defense against Conficker. Read on for details as to how Astaro can aid you in fighting this worm!

New IPS Rules
Astaro Global Pattern Up2Date #9422 adds two new Intrusion Protection Rules, numbers 2000011 and 2000022 which are designed to identify and stop code execution of Conficker variants A and B respectively. If you have automatic pattern Up2Dates enabled (the default) this protection will be added automatically during the next few minutes. Otherwise please perform a manual pattern Up2Date if you are not using the automatic feature for patterns.

Ensure You Are Protected
To ensure you are protecting your network using these new patterns, in WebAdmin go to Network Security–>Intrusion Protection–>then the "Attack Patterns" Tab. From there, ensure the pattern group "Windows" under Operating System Specific Attacks is checked, and the action is set to "Drop".

Forensic Information via Logs
In the logging system for Intrusion Protection, if you would like to search for Conficker A/B attacks, simply search for the appropriate rule ID. A logfile entry will look like the below upon a pattern recognition: 1. A conficker.a shellcode with SID 2000011 Group 110 2. "A conficker.b shellcode" with SID 2000022 Group 110.

As always, if you have any questions about Astaro protecting you against Conficker, or any threats, let us know on our Online Forums or place a ticket with Astaro Support. Cheers, The Astaro Product Management Team

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s