So how does Ironport Appliance handle a Conficker virus ntwk

mgraci_ironport · ‎01-22-2009

So the Conficker virus rapidly spreads in Corporate environments that don't have the latest MS and AV patches. One of the tasks that the payload performs is to phone home to a preset list of sites to download more malware.

Question: How does the Ironport WS device handle this? Do the recent patterns automatically quarantine and alert on this specific incident based upon the traffic type and destination?

Based on Ironport's sales pitch, this is a perfect opportunity to show that IP WS device is special.

-MattG

john.phillips · ‎02-02-2009

I'm interested in this as well, it would be great to internally sell the product.

jowolfer · ‎02-03-2009

Hey guys,

I just wanted to let you know that you're not being ignored! I have involved the appropriate product management team to answer this question.

I can give you generic information about how the WSA prevents this 'type' of issue, but since you're specifically asking about Conficker, I'm having someone give you specifics about this out break.

Thank you for your patience!

smadrid_ironport · ‎02-23-2009

The threat landscape has changed dramatically over the last decade. It used to be that malware writers were looking for fame, not fortune. Unfortunately that is no longer the case. Malware writes are targeting users looking for personal information like, credit card number, password, bank account information – all for financial gain.

The Conficker worm is no exception. Over the last couple months the Conficker worm has exploded onto the scene. As of January 26, 2009, Conficker had infected more than 15 million computers, making it one of the most widespread infections in recent times.

The Conficker worm primarily spreads through a buffer overflow vulnerability in the Server Service on Windows computers. When executed on an infected computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. A patch for this vulnerability has been available for some time from Microsoft, and is the only guaranteed defense against Conficker.

Conficker is a network worm and the primary responsibility for blocking its spread within the network lies with IPS and HIPS (like Cisco CSA) products. That being said there is a large Web component involved in its propagation and operation. The S-Series Secure Web Gateway, running Web Reputation Filters and Layer 4 Traffic Monitor, has shown to be very effective in mitigating risk on this Web vector.

So how does it work? The Conficker worm requires a connection to a Web server, where it receives further orders to propagate, gathers personal information, and downloads and installs additional malware onto the victim's computer. Some variants of Conficker, will even create an HTTP sever, open random ports between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a copy of the worm.

IronPort’s Web Reputation Filters has successfully tracked and blocked connections to these rogue servers. In addition, the Layer 4 Traffic Monitor watches for and blocks ‘phone home’ traffic on all 65,535 ports, blocking outbound communications from infected computers where they look for propagation instructions.

The Cisco Threat Operations Center is actively monitoring this exploit to ensure the highest level of protection for our customers. However, the only way to guarantee 100% protection from this exploit is to install the Microsoft’s security patch and keeping your PC up to date.