More on conficker
After I gave my friend this wordy response about the conficker worm and defenses for it, he asked another simple question: “So if we patch within weeks of MS release we’re good?” To which I provided this less-than-simple answer: not completely.
The patch stops the primary propagation method and AV stops the payload. (This probably answers your question; the rest is me blathering on to show just how smart I am.)
Think of a worm as an ICBM. Like an ICBM, a worm has several parts:
- A rocket to deliver a warhead to the target. The rocket is the propagation method(s). Having this mechanism is what defines it as a worm (self-propagating).
- The warhead is the reason for its existence, the doer of deeds. The warhead represents the payload. The warhead is lethal with or without the rocket, and it can be anything: a keystroke logger, often a downloader, or even a patch.
The conficker/downadup payload can be delivered in one of two ways:
- When the worm compromises a vulnerable server service and then has that service download the payload.
- Through normal file sharing, where the payload is dropped and awaits execution.
If you’ve already applied MS08-067 you are safe from being automatically compromised by the worm. You are still vulnerable to the worm’s payload being dropped on the server through removable or mapped drives. At that point your server would become a ‘carrier’ but not infected, unless that payload gets executed on the server in the absence of effective AV. As a carrier (without having executed the payload), the server wouldn’t actively compromise other hosts. Other hosts would have to manually download and execute the payload, at which point that host would become infected, barring AV on that host.
For example, let’s say my laptop is compromised and I have write access to a share on your patched server. My host can deliver the payload to that share. If AV on that server doesn’t catch the malicious file, it will sit dormant and wait. It can’t do anything to the server automatically; someone must launch it on the server through RDP or console access. However, if you come along with your laptop, patched or otherwise, download the malicious file and execute it, and your AV software doesn’t catch the payload as malicious, your laptop will be compromised and will then actively attempt to propagate the worm, even if it is patched.
A patched machine can still be compromised because MS08-067 only addresses conficker’s primary and automated method of propagation: malicious RPC traffic sent to the server service. The patch does not address any payload the worm may deliver. That falls under the purview of AV. Further, the patch doesn’t address an already-compromised machine’s ability to continue to scan for other hosts to infect. This is because the payload does the scanning, not the compromised server service. Even a patched machine that was previously compromised can continue to spew death across your network until the payload is removed.
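To make the patch-versus-AV point concrete, here is a small state model of the two delivery paths and the carrier/infected distinction, added here as an illustration and not part of the original post; the host names and the three rule functions are my own simplification of the argument above, not conficker code:

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    patched: bool                    # MS08-067 applied to the server service
    av_effective: bool               # AV catches the dropped payload file
    payload_present: bool = False    # file sits on disk, dormant (carrier)
    payload_executed: bool = False   # payload is running (infected)

    def infected(self) -> bool:
        return self.payload_executed

    def carrier(self) -> bool:
        return self.payload_present and not self.payload_executed

def rpc_exploit(src: Host, dst: Host) -> bool:
    # Primary propagation: only an infected host scans, and only an
    # unpatched server service can be compromised automatically.
    if not src.infected() or dst.patched:
        return False
    dst.payload_present = dst.payload_executed = True  # service downloads and runs it
    return True

def drop_on_share(src: Host, dst: Host) -> bool:
    # Secondary delivery: an infected host writes the payload to a share or
    # removable drive. It lands only if dst AV misses it, then stays dormant.
    if not src.infected() or dst.av_effective:
        return False
    dst.payload_present = True
    return True

def pull_and_run(src: Host, dst: Host) -> bool:
    # dst manually downloads the dormant file from src and executes it;
    # AV on dst is the last line of defense.
    if not src.payload_present or dst.av_effective:
        return False
    dst.payload_present = dst.payload_executed = True
    return True

def scenario() -> dict:
    # Walk through the laptop / patched-server example from the post (constructed hosts).
    me = Host("my laptop", patched=False, av_effective=False, payload_present=True, payload_executed=True)
    server = Host("patched server", patched=True, av_effective=False)
    you = Host("your laptop", patched=True, av_effective=False)
    victim = Host("unpatched box", patched=False, av_effective=False)
    return {  # dict values are evaluated in order, so side effects chain
        "exploit_patched_server": rpc_exploit(me, server),   # False: patch blocks the RPC path
        "drop_on_share": drop_on_share(me, server),          # True: server becomes a carrier
        "server_is_carrier": server.carrier(),               # True
        "carrier_scans": rpc_exploit(server, victim),        # False: a carrier does not scan
        "you_run_it": pull_and_run(server, you),             # True: patched laptop now infected
        "patched_infected_scans": rpc_exploit(you, victim),  # True: the payload scans, not the patch
    }
```

Flip `av_effective=True` on the server or your laptop and the drop or the execution step fails, which is the layer the patch never covers.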
There is a lot of great information about worms in Jose Nazario’s book “Defense and Detection Strategies Against Internet Worms”. I think I’ll dust off my copy and review it in honor of conficker.
