Manas Kumar, Thinking out Loud

my thoughts & visions for technology

Conficker – A Problem Made in China


On April 1st, 2009 the world will see the most sophisticated Malware of all time. If you thought Y2K was a bug, then this one should remind you of “Eight Legged Freaks”. This one is bad….really bad.

Beware of this new Malware.

The Conficker worm is believed to have originated in China, and there is speculation among developers that this is the same worm that breached the Pentagon firewalls some 9 months ago.

When last we checked, about a week ago, Conficker had already spread to 9 million PCs, with little sign of slowing. Now it has infected at least 10 million PCs and experts believe there may be up to 350 million vulnerable computers out there.

On Wednesday, Conficker will run an update where its latest version will be automatically downloaded to cause further damage. Here’s a quick list of things you need to know about conficker before it affects your computer.

Worm aliases: also known as Downadup and Kido

What havoc has it wreaked so far: So far this schizophrenic virus hasn’t caused any serious damage. Its primary effect has been to prevent people from installing Windows updates and anti-virus software that could potentially thwart the malware. What worries security experts, though, is Conficker’s ability to launch a second stage, downloading additional code that could hijack computers completely, steal personal information, or commit basic extortion — demanding money for fake anti-virus software claiming to remove the infection.

What are the symptoms: Since it is currently sitting dormant, possibly awaiting further instructions, Conficker is very difficult to detect without running an up-to-date virus and malware scanner. However, if your Internet connection is running abnormally slowly, if services such as Windows Defender are disabled, or if you are unable to access some security-related Web sites (like those for anti-virus programs), then you may be infected and should certainly follow the removal directions included below.

Who’s at risk: The overwhelming majority of systems infected with Conficker were infected through a vulnerability in the Windows RPC facilities. This vulnerability was patched in October. If you installed that patch before Conficker came out (late December ’08) then you were protected and still are. If you haven’t installed the update then it’s essential that you do so. Windows Vista is technically vulnerable in this way, but the exploit is almost impossible to execute on it. Conficker is basically an XP problem.

How does it spread: Conficker can also spread through network shares, including those that have weak passwords; the worm executes a “dictionary attack” in which a list of common passwords (think “password”, “asdf”, etc.) is used to gain access to the share. So if you find new executables on such drives they may be infected. Treat them as you would a program that got e-mailed to you unsolicited, and we hope that means you’ll avoid it and report it to a network admin if you have one. A good anti-malware program will detect it at this stage.

Strengthen your passwords: It follows from this advice that you are also better off by using complex and unobvious passwords, especially those that use both numerals and letters and especially if they include punctuation.
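
The two paragraphs above describe why share passwords fall to a dictionary attack and what a stronger password looks like. The following is an added example, not code from the post: a small Python audit that checks share passwords against a constructed common-password list and against the advice to mix letters, numerals and punctuation. The wordlist, the 12-character minimum and the share names are all assumptions made for illustration.

```python
import string

# Constructed sample wordlist: the sort of guesses a dictionary attack on a
# network share tries first. Real wordlists are far longer; this is not the
# worm's own list.
COMMON_PASSWORDS = {
    "password", "123456", "asdf", "qwerty", "admin", "letmein",
    "abc123", "1234", "test", "guest", "welcome",
}

MIN_LENGTH = 12  # policy choice for this example, not a value from the post


def password_weaknesses(pw, wordlist=COMMON_PASSWORDS, min_len=MIN_LENGTH):
    """Return the reasons a share password would fall to a dictionary attack
    or fails the post's advice (letters + numerals + punctuation).
    An empty list means no weakness was found."""
    reasons = []
    low = pw.lower()

    # 1. Straight dictionary hit.
    if low in wordlist:
        reasons.append("exact match in common-password list")

    # 2. Dictionary word with digits or punctuation tacked on the end
    #    ("password1!"): a variant that dictionary attacks routinely try.
    stripped = low.rstrip(string.digits + string.punctuation)
    if stripped != low and stripped in wordlist:
        reasons.append("common password with digits/punctuation appended")

    # 3. Length.
    if len(pw) < min_len:
        reasons.append("shorter than %d characters" % min_len)

    # 4. Character classes the post recommends.
    present = {
        "letters": any(c.isalpha() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    return reasons


def audit_shares(share_passwords):
    """Map each share whose password has a weakness to its list of reasons.
    Shares with an acceptable password are omitted from the report."""
    report = {}
    for share, pw in share_passwords.items():
        reasons = password_weaknesses(pw)
        if reasons:
            report[share] = reasons
    return report


if __name__ == "__main__":
    # Constructed sample inventory of shares and hypothetical passwords.
    sample = {
        r"\\fileserver\public": "asdf",
        r"\\fileserver\finance": "Password1!",
        r"\\fileserver\backup": "correct-horse-battery-7",
    }
    for share, reasons in audit_shares(sample).items():
        print(share)
        for r in reasons:
            print("  -", r)
```

Running the script on the constructed inventory flags the first two shares and leaves the third alone. The second check matters in practice: a dictionary word with a digit and an exclamation mark appended satisfies a naive "letters plus numerals plus punctuation" rule, yet it is exactly the kind of variant a dictionary attack tries next, so the audit reports it rather than accepting it.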

Conficker is mobile: Conficker can also spread by putting itself on removable drives like USB drives. When it does so it sets the Autorun on those drives to run itself. So if you insert such a drive you could, at the least, get a standard Windows Autoplay menu offering Conficker among its options. Sometimes it will disguise itself as the Windows option for opening Windows Explorer for the inserted drive. Once again, a good anti-malware program will detect it at this stage.
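
The removable-drive behaviour above relies on an autorun.inf file telling Windows what to launch and what text to show in the Autoplay menu. As an added example, not code from the post, the Python below parses an autorun.inf and reports the entries a defender would want to see before letting Autoplay act on a drive: keys that launch a program and an Action text that imitates the built-in "open folder" choice. The sample file is constructed for illustration; the key names checked (open, shellexecute, shell\verb\command, action, icon) are the documented autorun.inf keys, and the hidden\update.exe path is a made-up placeholder, not a real worm file name.

```python
import re

# Constructed sample: an autorun.inf of the disguising kind the post
# describes. Not taken from any real infected drive.
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample, not a real worm's file
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=hidden\\update.exe
shell\\open\\command=hidden\\update.exe
UseAutoPlay=1
"""

# Keys that make Windows start a program when the drive is handled.
LAUNCH_KEYS = ("open", "shellexecute")
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Wording Windows itself uses for the harmless Explorer choice; an autorun
# entry that copies it is trying to blend into the Autoplay menu.
EXPLORER_WORDING = ("open folder to view files", "open folder", "view files")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.
    Blank lines, ';' comments and text outside the section are ignored,
    so a file padded with junk still yields its real entries."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(text):
    """List human-readable findings about an autorun.inf; empty means
    nothing in it would launch a program or imitate Explorer."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or LAUNCH_KEY_RE.match(key):
            findings.append("%s launches a program: %s" % (key, value))
    action = entries.get("action", "")
    if any(w in action.lower() for w in EXPLORER_WORDING):
        findings.append("action text mimics the built-in Explorer option: " + action)
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append("icon borrowed from a system library: " + icon)
    return findings


def should_block_autoplay(text):
    """True when the drive's autorun.inf has any suspicious entry."""
    return bool(suspicious_entries(text))


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_AUTORUN_INF):
        print("-", finding)
    print("block autoplay:", should_block_autoplay(SAMPLE_AUTORUN_INF))
```

On the constructed sample the checker reports two launch entries, the imitated Explorer wording and the borrowed system icon, and recommends blocking Autoplay. A label-and-icon-only autorun.inf, the kind a legitimate backup drive ships with, produces no findings, which keeps the check usable on real removable media rather than flagging every drive.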

Does getting infected mean you have to get a new computer entirely: No. There’s no need to buy a new computer, as most security programs offer ways to remove the worm. If you think you’re infected, download and run Microsoft’s Malicious Software Removal Tool, or follow the directions found here to manually remove the worm.

Free Conficker/Downadup Cleaning Tools:

If you use one of these tools to remove Conficker, immediately install the MS08-067 patch afterwards.


Written by manaskumar

March 30, 2009 at 7:02 pm

2 Responses


  1. Thanks Manas

    Great information, clear and simple to understand. Fortunately we have Vista, so less to be concerned about 🙂

    Michael Major

    March 30, 2009 at 9:16 pm

  2. Hi,

    Good article. Sophos’ Conficker removal tool can detect and remove all variants of the worm/virus.

    As long as people run these tools it should stop any serious outbreak.

    James

    March 31, 2009 at 2:51 pm
