Conficker worm detected (Conficker_P2P_Detected)

About this signature or vulnerability

This event triggers when Conficker Peer-to-Peer client traffic is detected that is not a data transfer of some type. This event triggers on both UDP and TCP protocol sessions.<P>When the protocol is UDP, then the pam.conficker_p2p.report.interval is used to determine how often this event triggers. Furthermore, when the protocol is UDP, you must use the Conficker_P2P_Protection event to block UDP Conficker traffic.<P>When the protocol is TCP, this event triggers for every Conficker session detected that is not a data transfer of some type. To block TCP Conficker traffic, enable blocking on this event.

This event triggers when Conficker P2P client traffic is detected.

False positives

Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, Proventia Server for VMware: It is highly unlikely that this event will trigger a false positive.

False negatives

Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Server IPS for Linux technology, Proventia Server for VMware: If Conficker changes it's UDP encryption scheme, or changes the semantics of the payload, then this event will not trigger.

Default risk level

High risk vulnerability High

Sensors that have this signature

Proventia Network MFS: XPU 29.031, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2376, Proventia Server IPS for Microsoft Windows technology: 2.0.300.2376, Proventia Network IDS: XPU 29.031, Proventia-G 1.1 and earlier: XPU 29.031, Proventia Network IPS: XPU 29.031, Proventia Desktop: 2376, RealSecure Network: XPU 29.031, RealSecure Server Sensor: XPU 29.031, Proventia Server IPS for Linux technology: 29.031, Proventia Server for VMware: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2003 Server, Microsoft Windows Vista, Microsoft Windows: Server 2008, Microsoft Windows NT, Microsoft Windows: 2000 SP4

Type

Unauthorized Access Attempt

Vulnerability description

The Conficker worm is a network worm that targets network endpoints. Conficker builds a bot framework that might be used for spam or stealing confidential information from endpoints. Complete compromise may lead to exposure of confidential information, loss of productivity, and further network compromise.

This network worm spreads by one or more of the following mechanisms:

Exploiting the Windows Server Service Vulnerability (MS08-067)
Dropping a copy of itself into network and removable drives
Dropping a copy of itself in network shares with weak passwords

How to remove this vulnerability

Use an up-to-date antivirus application to determine if the target computer is host to the Conficker worm. If the application detects a backdoor, follow its instructions to disinfect and repair the computer.

References

IBM Internet Security Systems Protection Alert January 22, 2009
Conficker Worm
http://www.iss.net/threats/conficker.html

ISS X-Force
Conficker worm detected
http://www.iss.net/security_center/static/48995.php