Conficker is the newest example of malware, or malicious software, which gives a cybercriminal control over an infected computer. The criminal can steal information stored on the computer or make it do things like send spam emails. In some cases, criminals amass millions of computers to command in a system called a “botnet”. Conficker is estimated to be actively infecting three (3) million or more PCs worldwide. There have been numerous worms in the past 10 years that have been similar to this worm, among them Sasser, Blaster, Melissa, etc., but none so creative, sophisticated, or elusive.
The Conficker worm first appeared in November 2008 and remotely attacks Windows systems running Windows 2000 or higher, including the beta version of the new Windows 7. At least three new variants have been discovered which allow transmission through USB drives and peer-to-peer networks.
Conficker periodically seeks new instructions from its master, and the first day of April is the next scheduled update. At that point it could receive instructions to steal information or try to launch some sort of Internet-crippling attack, but there is no evidence that anything like that will happen. Infected systems will run slowly, and any infected systems that are part of corporate networks will cause the corporate network to run slowly; Internet access speeds will be extremely slow, if you can get to the Internet at all. This means that not only will you have slow web access, but email in and out of your business could be delayed or lost.
The spread of the Conficker worm is not likely to be destructive (it probably won’t destroy your hard drive or operating system like some worms in the past), because if the true purpose is to create a “botnet” for distribution of spam or malicious code, or to create Skynet, the systems that are part of the botnet will need to remain available. However, private data could be exposed.
Organizations which have fully deployed the latest Microsoft security patches are less likely to be infected. Home computers, however, may be more likely to be infected, and one way the worm spreads is through removable media such as USB drives or thumb drives. People who work on a file at home (where they may not have the latest security patches), copy it onto a USB drive, take it to work, and copy it onto their network computer may be increasing their vulnerability.
Steps for protection:
- Firewall – current and up-to-date patches applied from the manufacturer (on a home PC running Windows Vista Home, the firewall is built into the operating system)
- Operating system updates – visit the Windows Update site, http://update.microsoft.com, which runs a program to determine whether you need an update or are current
- Anti-virus software – current and up-to-date patches applied from the manufacturer
- Autorun – when you insert a CD or USB drive and a window pops up asking how you want to open the media, the worm adds an extra option labelled “Open Folder to View Files – Publisher not Specified”. Choosing this option causes the worm to execute.
Another way to see if you are infected is to try to reach security sites such as Windows Update, Norton, McAfee, or Symantec.com. If you are infected you will not be able to get to these sites, because the worm has been programmed to prevent you from downloading tools to remove it.
- Be certain you are up to date on Microsoft security patches, particularly MS08-067. To confirm, go to Add/Remove Programs or Programs and Features in the Control Panel, view installed updates, and verify that Security Update for Microsoft Windows (KB958644) is installed. If not, go to www.microsoft.com to download that patch. Conficker information is available from the front page of the Microsoft website.
- Be running an absolutely current version of your anti-virus software.
- Once you have done a complete virus scan, backup your system.
- Disable auto-run from external media.
- Use strong passwords – Oakwood recommends 8 characters or more and a mix of upper case, lower case, numbers, and symbols. Note that the word “password” with character substitutions, such as P@ssw0rd, is not a strong password; it is far too common.
- Update your operating system to current levels – again, check http://update.microsoft.com
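The three checks the steps above ask you to make by hand (the KB958644 update, Autorun, and reachability of security sites) can be reported in one read-only PowerShell run. This is an added example, not a script from the original advisory or from Oakwood; it assumes that the `NoDriveTypeAutoRun` value under the Policies\Explorer registry key is what governs Autorun on the machine, and that `Get-HotFix` is available (PowerShell 2.0 or later, run from an elevated prompt).

```powershell
# Added example (not from the original advisory): read-only status report for
# the Conficker checklist. Assumptions: NoDriveTypeAutoRun governs Autorun
# (0xFF = disabled for every drive type); Get-HotFix is available.
$results = @()

# 1. Is the MS08-067 fix (KB958644, the update named in the advisory) installed?
$kb = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB958644' }
if ($kb) { $kbStatus = 'OK' } else { $kbStatus = 'MISSING - install Security Update KB958644' }
$results += New-Object PSObject -Property @{
    Check  = 'KB958644 (MS08-067) installed'
    Status = $kbStatus
}

# 2. Is Autorun disabled for all drive types? A missing value means Autorun is still on.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -eq 0xFF) { $arStatus = 'OK' } else { $arStatus = "NOT DISABLED (value: $autorun)" }
$results += New-Object PSObject -Property @{
    Check  = 'Autorun disabled (NoDriveTypeAutoRun = 0xFF)'
    Status = $arStatus
}

# 3. Can the security sites the advisory mentions be resolved? The worm blocks
#    access to them, so a failure here (with working Internet otherwise) is a
#    sign to unplug the machine and call IT support, as the advisory says.
foreach ($site in 'update.microsoft.com', 'www.symantec.com', 'www.mcafee.com') {
    try {
        [void][System.Net.Dns]::GetHostAddresses($site)
        $siteStatus = 'OK'
    } catch {
        $siteStatus = 'UNRESOLVABLE - possible infection, check from a clean PC'
    }
    $results += New-Object PSObject -Property @{ Check = "Resolve $site"; Status = $siteStatus }
}

$results | Format-Table Check, Status -AutoSize
```

The script changes nothing on the machine; any line that is not OK points to the matching step above.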
If you are on a corporate network, immediately unplug your network cable, disable your wireless connection to the network, and call for IT support.
The Malicious Software Removal Tool will have to be run, and it will need to be run from a non-infected computer.
For more information, please see the links below.