A Confick of interest

Earlier this week we witnessed the release of a new propagation technique that exploits a recent Microsoft vulnerability in the Windows Server Service. W32/Confick-A uses this security loophole to propagate its malicious DLL across user networks, generally making a real nuisance of itself. However, after talking to some of my colleagues in our Technical Support department, it seems that some users have suffered more pain than they should have at the hands of this worm.

W32/Confick-A (also detected proactively using Behavioural Genotype technology as Mal/Conficker-A) will be prevented from spreading across the network by our buffer overflow detection technology, which detects the worm’s attack on a running copy of the SVCHost.exe process and prevents execution of the exploit. Other logs received from users show that infection can be prevented at an even earlier stage by HIPS runtime suspicious behaviour detection. HIPS/FileMod-006 has been seen to detect the worm performing one of its first behaviours and to terminate the malicious process before it even attempts to spread.

Of course, such a level of protection can only be achieved with the correct software configuration. Unfortunately, it seems that some users are still using HIPS runtime behaviour detection and buffer overflow protection (BOPS) in the Alert Only setting. In this configuration the malware will be detected but not terminated, which is a real shame: had SAV been allowed to take action against this worm using HIPS and BOPS, users would not have become infected and would not have had to resort to the advanced SAV cleanup IDE.

To close, this incident with W32/Confick-A is yet another reminder of the importance of keeping up to date with security patches. The patch for the vulnerability used by W32/Confick-A was released in October and SophosLabs issued our own advisory and risk assessment shortly afterwards.