Tuesday, March 31, 2009

Conficker worm

The "Conficker" worm is live within Australia, security vendors have confirmed, where it is April 1. At this point, however, it remains quiescent.

Security company Trend Micro has seen the Conficker or Downadup worm increase the number of DNS resolutions, as expected, said Paul Ferguson, the lead researcher for security intelligence, advanced threats research. At this point, however, the worm has taken no other action.

Conficker is expected to hit the United States on Wednesday, April 1. But it is already a day ahead across the international date line, where Conficker is waking up.

In recent days, the prevailing attitude toward Conficker has turned away from a threat that could wreak havoc upon the Internet, more toward an event that needs to be closely monitored, but not necessarily feared. In part, that's because a signature has been identified and a scanner developed. Security analysts have also developed a list of actions to take to mitigate the effects of Conficker and similar worms.

Conficker preys upon a vulnerability in Microsoft Windows that was patched in October, although the worm does take a number of actions to try to shut down antivirus programs and prevent them from updating. The Apple Macintosh OS X operating system is completely immune.

So far, however, Conficker has laid low. "We've seen some host resolution in our honeypot systems, they're doing that," Ferguson said. "But aside from doing the expected DNS resolution, we haven't really seen anything else."

A spokesman from Symantec also said that the company's researchers haven't noted any malicious activity.

On April 1, according to security researchers, Conficker is scheduled to check the local time about once every 24 hours to determine whether it is in fact April 1 or later. Once it is, the worm begins to generate a list of 50,000 domains, of which it checks about 500 for what researchers assume will be a digitally signed payload. What that payload is, or what it will order the infected Conficker machines to do, is unknown.
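The behaviour described above (a host suddenly resolving hundreds of freshly generated names, most of which do not exist) is what the vendors quoted here were watching for in their DNS telemetry. The following is an added example, not code from the article or from any of the vendors it quotes: a small PowerShell function that reads resolver log lines and flags clients whose lookups show that pattern. The log format (`timestamp client qname rcode`) and the sample lines are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```powershell
# Added example (not from the article): flag clients whose DNS lookups look like
# a domain-generation burst, i.e. many distinct names with a high NXDOMAIN share.
# The log layout below is a constructed, simplified one, not any real resolver's.

$SampleDnsLog = @'
2009-04-01T00:00:01Z 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02Z 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:00:03Z 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:03Z 10.0.0.9 qhtrzp.example NXDOMAIN
2009-04-01T00:00:03Z 10.0.0.9 vmkwea.example NXDOMAIN
2009-04-01T00:00:04Z 10.0.0.9 bxoqlt.example NXDOMAIN
2009-04-01T00:00:04Z 10.0.0.9 ntrufa.example NXDOMAIN
2009-04-01T00:00:05Z 10.0.0.9 zqmlge.example NXDOMAIN
2009-04-01T00:00:05Z 10.0.0.9 update.example.com NOERROR
this line is malformed and will be skipped
'@

function Get-SuspiciousDnsClients {
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLines,
        [int]$MinUniqueNames = 5,        # assumption: tune to your environment
        [double]$MinNxDomainRatio = 0.8   # assumption: share of lookups that fail
    )

    # Per-client counters: total lookups, NXDOMAIN answers, distinct names asked for.
    $perClient = @{}

    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 4) { continue }           # skip malformed lines

        $client = $fields[1]
        $qname  = $fields[2].ToLowerInvariant()
        $rcode  = $fields[3].ToUpperInvariant()

        if (-not $perClient.ContainsKey($client)) {
            $perClient[$client] = [pscustomobject]@{
                Total    = 0
                NxDomain = 0
                Names    = New-Object 'System.Collections.Generic.HashSet[string]'
            }
        }
        $stats = $perClient[$client]
        $stats.Total++
        if ($rcode -eq 'NXDOMAIN') { $stats.NxDomain++ }
        [void]$stats.Names.Add($qname)
    }

    # Emit one record per client that crosses both thresholds.
    foreach ($client in $perClient.Keys) {
        $s = $perClient[$client]
        $ratio = if ($s.Total -gt 0) { $s.NxDomain / $s.Total } else { 0 }
        if ($s.Names.Count -ge $MinUniqueNames -and $ratio -ge $MinNxDomainRatio) {
            [pscustomobject]@{
                Client        = $client
                Lookups       = $s.Total
                UniqueNames   = $s.Names.Count
                NxDomainRatio = [math]::Round($ratio, 2)
            }
        }
    }
}

# With the constructed sample, only 10.0.0.9 is reported (6 lookups, 6 unique names, 0.83 NXDOMAIN).
Get-SuspiciousDnsClients -LogLines ($SampleDnsLog -split "`r?`n") | Format-Table -AutoSize
```

The two thresholds are deliberately combined: a single failed lookup is ordinary, and a busy mail server resolves many distinct names that do exist, so neither count alone is a useful signal. In a real deployment the function would be fed a time-bounded slice of resolver logs rather than a whole file, since the observation the article reports is a burst within a roughly 24-hour cycle.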

"The most commonly accepted thinking is that this is nothing more than just an effort to build survivability into the system," Ferguson said.

So what is Conficker? At this point, no one knows. But more and more researchers seem to think that the infected Conficker machines will turn out to form a botnet that can be ordered to attack servers or networks owned by governments or enterprises.

"I think it's just the Storm guys trying to build a bullet-proof botnet," said Roger Thompson, the chief research officer of AVG Technologies, in an instant-message conversation. "I always thought it was a corp/gov/edu problem."

Protect Your Windows PC from the Conficker Worm

The Conficker worm has infected millions of Windows computers—and is set to be unleashed on April 1st, 2009. Here's what you need to know to keep yourself safe.

How Does It Spread?

The worm originally started spreading using a network attack against the Windows file-sharing services, but since it can automatically update itself, it adapted to spread through the AutoPlay feature on removable media such as USB thumb drives, adding a new "open" option to the AutoPlay dialog where you see "Publisher not specified". This allows the worm to reach systems already patched against the original vulnerability, so using anti-virus software is even more important: once it's on your computer it can spread further.

Is My Computer Affected?

Most anti-virus software has been able to detect and remove the Conficker worm for a while now, so you are probably not at risk as long as you keep up with your updates and have real-time scanning enabled.

To actually detect and remove the worm, you can use the freely available Microsoft Windows Malicious Software Removal Tool, which can remove a large number of viruses. For a full guide, I've also written an article on how to scan for and remove malicious viruses.

How Do I Stay Safe?

Staying safe from this, and many other viruses and worms, requires a combination of keeping your computer updated and using anti-virus software. Here are a couple of quick tips to follow:

  • Make sure your system is fully patched using Windows Update, and that the MS08-067 update has been applied.
  • Make sure your anti-virus is fully updated, enabled, and you've run a full scan.
  • Make sure you are using strong passwords (see our guide to choosing great passwords).
  • Disable the AutoPlay feature—which Conficker uses to infect systems.
  • Make sure your firewall is enabled when you are on untrusted networks.
  • Make sure your data is backed up—if you aren't sure what to use, see our five best Windows backup tools.
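The checklist above can be audited from an elevated PowerShell prompt on the machine itself. The script below is an added example, not from the article or from Microsoft; it assumes that MS08-067 is delivered as hotfix KB958644, that AutoPlay counts as disabled when the `NoDriveTypeAutoRun` policy value is `0xFF`, that `netsh advfirewall` reports three profiles (Vista and later), that antivirus products register in the `root\SecurityCenter2` WMI namespace, and that `net accounts` prints English labels. The backup item is not checked because it depends on which tool you use.

```powershell
# Added example (not from the article): audit the Conficker checklist on a Windows host.
# Run from an elevated PowerShell prompt. Each check returns a Pass/Fail row; the
# identifiers and thresholds below are assumptions stated in the lead-in.

function Test-ConfickerMitigations {
    $results = @()

    # 1. MS08-067 patch present?  (assumption: KB958644 is the hotfix id for MS08-067)
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'MS08-067 (KB958644) installed'
        Pass  = [bool]$hotfix
    }

    # 2. AutoPlay disabled for every drive type?  (assumption: 0xFF = all types off)
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoRun = (Get-ItemProperty -Path $policyPath -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $results += [pscustomobject]@{
        Check = 'AutoPlay disabled (NoDriveTypeAutoRun = 0xFF)'
        Pass  = ($autoRun -eq 0xFF)
    }

    # 3. Windows Firewall on for all profiles?  (assumption: three profiles are listed)
    $fwLines = netsh advfirewall show allprofiles state
    $fwOnCount = @($fwLines | Select-String -Pattern '^State\s+ON').Count
    $results += [pscustomobject]@{
        Check = 'Firewall ON for all profiles'
        Pass  = ($fwOnCount -eq 3)
    }

    # 4. An antivirus product is registered with Security Center?
    #    (assumption: root\SecurityCenter2 namespace, Vista and later)
    $av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct `
          -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'Antivirus product registered with Security Center'
        Pass  = [bool]$av
    }

    # 5. Local password policy enforces a minimum length?
    #    (assumption: English "Minimum password length" label; 8 is an arbitrary floor)
    $minLen = 0
    $accountsLine = net accounts | Select-String -Pattern 'Minimum password length\s+(\d+)'
    if ($accountsLine) { $minLen = [int]$accountsLine.Matches[0].Groups[1].Value }
    $results += [pscustomobject]@{
        Check = 'Minimum password length >= 8'
        Pass  = ($minLen -ge 8)
    }

    return $results
}

Test-ConfickerMitigations | Format-Table -AutoSize
```

Every check reads state rather than changing it, so the script is safe to run repeatedly and to schedule; a failed row tells you which item on the list still needs attention. On Windows XP the firewall and Security Center checks would need the older `netsh firewall` syntax and the `root\SecurityCenter` namespace instead.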

Keeping your system and your data safe is extremely important, so make sure to take some time out of your day to keep your system patched, updated, and virus-free. Hit the link for Microsoft's explanation of the situation, or check out my article on scanning and removing malicious viruses for the walk-through approach.

1 comment:

Pat R said...

the Conficker worm seems to have failed to live up to its apocalyptic reputation, but that's obviously a good thing
