Qualys Blog

www.qualys.com
wkandek

Conficker Analysis with QualysGuard IDs (QIDs)

Here is a quick breakdown of cases that you might see when you run a QualysGuard scan against your targets:

  1. You have NOT patched MS08-067 and you do NOT have Conficker
    • we will post QID 90464
    • you need to patch as quickly as possible
  2. You have patched MS08-067 and you do NOT have Conficker
    • you are good
    • disable autorun.inf on all machines as this is the secondary vector for Conficker
      there is a QualysGuard Policy Compliance control for this – 1183
  3. You have patched MS08-067 and you have Conficker
    • this is possible, even common as of Conficker B the worm spreads through USB and Network shares through autorun.inf and the infection numbers have gone up quite a bit with the B variant showing that this strategy works. That is why our demo default policy in Policy Compliance recommends disabling autorun.inf on all drives (autorun.inf is very convenient – it is the feature that loads the installer when you insert a CD, but it is also great for Viruses…)
    • we will post QID 1227 because Conficker undoes the MS08-67 patch and puts its own in place (to be able to re-infect the machine through that channel if needed)
  4. You have NOT patched MS08-067 and you have Conficker
    • we will now post QID 1227
    • before yesterday we would:
      • not post anything in the unauthenticated case, as Conficker "patches" for all (but its) intents and purposes MS08-067 and our (and everybody else’s) remote detection is satisfied
      • post QID 1225, if you are running authenticated scans – note however that QID 1225 is an evolving detection, Conficker is extremely smart and does not want to be found, each new variant introduces different behavior and QID 1225 might have to be adapted to it.

Leave a Reply