Conficker worm detected (Conficker_P2P_Detected)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This event triggers when Conficker Peer-to-Peer (P2P) client traffic is detected that is not a data transfer of some type. It triggers on both UDP and TCP sessions, but the reporting and blocking behaviour differs by protocol.

When the protocol is UDP, the pam.conficker_p2p.report.interval tuning parameter determines how often this event triggers, so repeated UDP P2P traffic within one interval is reported once rather than per packet. Blocking on this event does not stop UDP Conficker traffic; to block UDP Conficker P2P traffic you must use the Conficker_P2P_Protection event.

When the protocol is TCP, this event triggers for every Conficker session detected that is not a data transfer of some type, with no report interval applied. To block TCP Conficker P2P traffic, enable blocking on this event.
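The following model illustrates the reporting and blocking semantics described above: UDP detections are rate-limited by a report interval and never blocked by this event, while every non-data-transfer TCP session is reported and, when blocking is enabled, blocked. This is an added illustration written for this page, not ISS/IBM PAM engine code; the interval value, the per-peer-pair keying of the interval, the event record layout and the sample events are all assumptions.

```python
"""Model of Conficker_P2P_Detected reporting semantics (illustrative, not PAM code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed value for pam.conficker_p2p.report.interval, in seconds.
# The real default is not given on this page.
REPORT_INTERVAL = 60.0

EVENT_NAME = "Conficker_P2P_Detected"


@dataclass(frozen=True)
class P2PEvent:
    """One decoded Conficker P2P client message (layout is an assumption)."""
    ts: float            # arrival time, seconds
    proto: str           # "udp" or "tcp"
    src: str
    dst: str
    data_transfer: bool  # True for P2P payload transfers, which this event ignores


class ConfickerP2PDetector:
    def __init__(self, report_interval: float = REPORT_INTERVAL, block_tcp: bool = False):
        self.report_interval = report_interval
        # "Enable blocking on this event" only affects TCP sessions.
        self.block_tcp = block_tcp
        # Assumption: the report interval is tracked per (src, dst) peer pair.
        self._last_udp_report: Dict[Tuple[str, str], float] = {}

    def process(self, ev: P2PEvent) -> Optional[Tuple[str, str]]:
        """Return (event_name, action) when the event fires, else None."""
        if ev.data_transfer:
            return None  # data transfers are outside this signature's scope
        if ev.proto == "udp":
            key = (ev.src, ev.dst)
            last = self._last_udp_report.get(key)
            if last is not None and ev.ts - last < self.report_interval:
                return None  # suppressed by pam.conficker_p2p.report.interval
            self._last_udp_report[key] = ev.ts
            # UDP is only logged here; blocking requires Conficker_P2P_Protection.
            return (EVENT_NAME, "log")
        if ev.proto == "tcp":
            # Every non-data-transfer TCP session fires; no interval applies.
            return (EVENT_NAME, "block" if self.block_tcp else "log")
        return None


# Constructed sample traffic for demonstration; not captured data.
SAMPLE_EVENTS: List[P2PEvent] = [
    P2PEvent(0.0,  "udp", "10.0.0.5", "10.0.0.9", False),   # reported
    P2PEvent(10.0, "udp", "10.0.0.5", "10.0.0.9", False),   # suppressed (within interval)
    P2PEvent(30.0, "udp", "10.0.0.5", "10.0.0.9", True),    # data transfer, ignored
    P2PEvent(60.0, "udp", "10.0.0.5", "10.0.0.9", False),   # interval elapsed, reported
    P2PEvent(61.0, "tcp", "10.0.0.5", "10.0.0.7", False),   # reported and blocked
    P2PEvent(62.0, "tcp", "10.0.0.5", "10.0.0.7", False),   # reported and blocked again
    P2PEvent(63.0, "tcp", "10.0.0.5", "10.0.0.7", True),    # data transfer, ignored
]


def run_sample(block_tcp: bool = True) -> List[Tuple[float, str, str]]:
    """Feed SAMPLE_EVENTS through the detector and return (ts, proto, action) for each firing."""
    det = ConfickerP2PDetector(block_tcp=block_tcp)
    fired = []
    for ev in SAMPLE_EVENTS:
        result = det.process(ev)
        if result is not None:
            fired.append((ev.ts, ev.proto, result[1]))
    return fired


if __name__ == "__main__":
    for ts, proto, action in run_sample():
        print(f"t={ts:5.1f} {proto.upper():3} {EVENT_NAME} -> {action}")
```

The model makes the operational point explicit: with blocking enabled, UDP P2P traffic still only produces log entries, which is why an analyst who wants UDP blocked must also enable Conficker_P2P_Protection.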

For more information, see: http://www.iss.net/threats/conficker.html

This event triggers when Conficker P2P client traffic is detected.

False positives

Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: It is highly unlikely that this event will trigger a false positive.

False negatives

Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: If a Conficker variant changes its UDP encryption scheme, or changes the semantics of the P2P payload, then this event will not trigger on that traffic.

Default risk level

High

Sensors that have this signature

Proventia Desktop: 2376, Proventia Network IPS: XPU 29.031, RealSecure Network: XPU 29.031, RealSecure Server Sensor: XPU 29.031, Proventia Network MFS: XPU 29.031, Proventia Network IDS: XPU 29.031, Proventia-G 1.1 and earlier: XPU 29.031, IBM Security Server Protection for Windows: 1.0.914.2376, IBM Security Server Protection for Windows: 2.0.300.2376, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 29.031, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows Me, Microsoft Windows XP, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server, Microsoft Windows Vista, Microsoft Windows NT, Microsoft Windows Server 2008

Type

Unauthorized Access Attempt

Vulnerability description

The Conficker worm is a network worm that targets Windows endpoints. Once installed, Conficker builds a bot framework that might be used for sending spam or stealing confidential information from infected endpoints. A complete compromise may lead to exposure of confidential information, loss of productivity, and further compromise of the network.

This network worm spreads by one or more of the following mechanisms:

How to remove this vulnerability

Use an up-to-date antivirus application to determine if the target computer is host to the Conficker worm. If the application detects the worm, follow its instructions to disinfect and repair the computer. Because Conficker re-infects unpatched hosts over the network, also confirm that the Windows security update for MS08-067 is installed on affected systems before returning them to the network.

References

IBM Internet Security Systems Protection Alert January 22, 2009
Conficker Worm
http://www.iss.net/threats/conficker.html

ISS X-Force
Conficker worm detected
http://www.iss.net/security_center/static/48995.php