January 19, 2011

Conficker/DOWNAD Prevention

The Conficker/DOWNAD worm uses a domain generation algorithm (DGA) to locate servers from which it downloads other malware onto infected systems. It blocks user access to antivirus-related sites and propagates via removable drives, network shares, and peer-to-peer (P2P) networks. It also drops an Autorun.inf file on the available hard drives.

The signs of a Conficker/DOWNAD infection include the following:
  • High port 445 traffic
  • Presence of randomly named entries for netsvcs in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  • Subsequent connection to various URLs
  • Existence of an AUTORUN.INF file on drives
  • Existence of a file named x in the system directory or C:
  • Existence of an unknown scheduled task at a particular time
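
As an added example, not part of the original post: a PowerShell triage script that checks a Windows host for the indicators listed above (the netsvcs entries under the Svchost key, autorun.inf on drive roots, a file named x, at.exe-style scheduled tasks, and live connections to TCP 445). It assumes an elevated prompt and PowerShell 3 or later; the Microsoft-signature check on each service DLL and the AtN task-name pattern are heuristics chosen here, not from the post.

```powershell
# Added triage script (not from the original post): checks a Windows host for the
# Conficker/DOWNAD indicators listed above. Run from an elevated PowerShell prompt.
# Output is a list of findings to review by hand, not a verdict.
$findings = @()

# 1. netsvcs entries in the Svchost key: report each entry whose service has no
#    registry key, or whose ServiceDll is not a validly Microsoft-signed file.
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($svc in (Get-ItemProperty $svchost).netsvcs) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) {
        $findings += "netsvcs entry '$svc' has no service key (stale or unknown)"
        continue
    }
    $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "netsvcs service '$svc' loads an unsigned or non-Microsoft DLL: $dll"
    }
}

# 2. AUTORUN.INF in the root of every mounted drive, and a file named "x" in
#    the system directory or the root of C:.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $autorun) { $findings += "autorun.inf present on $($drive.Root)" }
}
foreach ($p in @("$env:SystemRoot\system32\x", 'C:\x')) {
    if (Test-Path $p -PathType Leaf) { $findings += "file named x found at $p" }
}

# 3. Tasks created with at.exe show up as At1, At2, ...; an unexplained task of
#    that form matches the "unknown scheduled task" sign above (heuristic).
$tasks = schtasks /query /fo CSV /nh 2>$null | ConvertFrom-Csv -Header TaskName,NextRun,Status
foreach ($t in $tasks) {
    if ($t.TaskName -match '^\\?At\d+$') { $findings += "at.exe-style task: $($t.TaskName) (next run $($t.NextRun))" }
}

# 4. Established connections to TCP 445 (SMB) from this host; many peers at once
#    is the "high port 445 traffic" sign (cmdlet needs Windows 8 / 2012 or later).
$smb = Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue
if ($smb) { $findings += "$($smb.Count) established connection(s) to TCP 445: $(($smb.RemoteAddress | Sort-Object -Unique) -join ', ')" }

if ($findings.Count -eq 0) { 'No Conficker/DOWNAD indicators found.' } else { $findings }
```
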
How can users get rid of Conficker/DOWNAD system infections?

Since Conficker/DOWNAD variants can block access to certain antivirus-related sites, affected users can disable their systems’ Domain Name System (DNS) Client Service to prevent propagation and to rid their machines of the malware. To do this, users must open a command prompt and type net stop dnscache.
Users may also download, extract, and run the fix tool that we specifically created for this malware from this page. Finally, they should patch their systems with the latest Microsoft updates, or at least download the specific patch that addresses the vulnerability this malware exploits.

To prevent infection in the first place, users should:

  • Install security patches immediately, as soon as vendors release them.
  • Disable the Autorun feature for USB drives; this is particularly important in WORM_DOWNAD.AD’s case.
  • Use complex passwords on workstations to resist the brute-force password attacks the worm carries out via scheduled tasks.
  • Limit user access to network shares.

To prevent system reinfection, it is extremely important for users to keep their patch levels up to date. Antivirus products must also be updated to their latest definitions: with the help of the Smart Protection Network’s Web reputation technology, these block access to sites where Conficker/DOWNAD variants may be hosted, and its file reputation technology prevents the download and execution of Conficker/DOWNAD variants on users’ systems. Check the file reputation of any file before downloading it.

