March 17, 2009

Will the Internet survive Conficker?

The Conficker worm - also known as Downandup, Kido, and Downup - has become a serious threat on the Internet in the last several months. Microsoft is offering a reward of $250,000 if you find the creator, and Internet security professionals have been scrambling to keep up. Conficker.A was pretty bad, then Conficker.B infected over 1 million computers in 24 hours. Now there is a third, even more robust version, called Conficker.C, which does not focus as much on spreading itself, but significantly increases the worm's hold on an infected system.
Here is what the Internet security community knows about what Conficker does and how it interacts:
  • Conficker supposedly does not spread through downloading or email, but installs itself when you plug in a USB drive or insert a CD, and it can even hack your whole network using brute force password cracking (especially if you have weak passwords). So if one system on your network is missing security updates, all networked computers could be compromised.

  • Conficker disables system services and antivirus, and adds services to listen for traffic.

  • Conficker pings common sites to test for Internet connectivity, gets the date from search engines, and gets your IP address using online tools.

  • Conficker can lockout accounts, change user settings, and send user information out over the Internet.

  • Conficker.B and Conficker.C can also block access to Windows Updates, antivirus websites, and many removal tools.

  • Conficker has the ability to download new code and update itself.
Conficker's signature move is downloading updated code - not the first worm to do this, sure, but certainly the most effective so far. The worm randomly connects to one of several domains and tries to receive instructions. Conficker.B could connect to 32 domains out of a list of 500. Now we have Conficker.C that can connect to 500 random domains out of a list of millions. Conficker's download dates that I've seen referenced are March 8, March 13, March 18, and March 31. Supposedly, Conficker.C will initiate another attack sequence on April 1 - please ensure you are patched by that date.
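As an added illustration (not part of the original post or of any vendor tool), a small Python script that flags hosts resolving a burst of random-looking, non-existent domains within a short window, which is the DNS footprint the rendezvous behaviour described above leaves on a resolver. The log format, the sample lines and the threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log (assumed format: "time client query rcode").
# Host 10.0.0.9 shows a burst of NXDOMAIN answers for unrelated random names,
# the pattern a worm cycling through generated rendezvous domains produces.
SAMPLE_LOG = """\
2009-03-17T10:00:01 10.0.0.5 www.microsoft.com NOERROR
2009-03-17T10:00:02 10.0.0.5 update.microsoft.com NOERROR
2009-03-17T10:00:05 10.0.0.9 qkxzpvlwmf.info NXDOMAIN
2009-03-17T10:00:06 10.0.0.9 hrtuvqenzoc.biz NXDOMAIN
2009-03-17T10:00:06 10.0.0.9 mvgshqlkdxp.org NXDOMAIN
2009-03-17T10:00:07 10.0.0.9 zpwcbkryfna.net NXDOMAIN
2009-03-17T10:00:08 10.0.0.9 tlqjsyhmwvx.cc NXDOMAIN
2009-03-17T10:00:09 10.0.0.9 bxkhrvmqeod.ws NXDOMAIN
2009-03-17T10:00:30 10.0.0.5 typo.exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, query, rcode) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing on them
        ts, client, query, rcode = m.groups()
        yield datetime.fromisoformat(ts), client, query.lower(), rcode

def flag_dga_clients(text, window=timedelta(seconds=60), threshold=5):
    """Return {client: distinct NXDOMAIN names} for clients that hit the
    threshold inside any sliding window; a single typo never triggers it."""
    per_client = defaultdict(list)
    for ts, client, query, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, query))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            names = {q for _, q in events[start:end + 1]}
            if len(names) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(names))
    return flagged
```

Tune the window and threshold to your own resolver's baseline; legitimate clients do produce occasional NXDOMAINs, but not dozens of unrelated ones per minute.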

Conficker Cleaning and Removal

Download the Microsoft patch at and then do the steps here

Bitdefender has released a removal tool that can remove Conficker.A and Conficker.B, but may not remove Conficker.C. Download and run BitDefender's removal tool to check for and try to remove Conficker.

Symptoms of a machine or network infected with Conficker*:
*Please note you may be infected even if no symptoms appear.
  1. You are unable to install Windows Updates.

  2. You are unable to view security websites or download antivirus and anti-malware products.

  3. It takes a long time to log in to your computer.

  4. You see strange popups or programs running.

  5. Unusual entries in Task Manager, Services, Event Viewer, %Windir%\System32, or the registry.

  6. Strange network traffic, especially relating to network logins by administrator accounts.

Conficker may be a decoy?

In case the existence of this worm is not bad enough for sysadmins and IT professionals everywhere, some Internet security professionals think that this whole mess might just be a distraction for a much more serious attack. Until recently, most security professionals assumed that the end-game for Conficker was just another botnet - a network of computers under a hacker's control. However, “We think this is a wide-scale distraction to hide data breaches,” said Ryan Sherstobitoff, chief corporate evangelist for Panda Security. “It does not appear in the variants of Conficker that they are building a botnet, but that wouldn’t surprise us, either. This is an attack we have not seen in some time and is certainly a warning sign for something more to come.”

I agree that this is likely a distraction for a major Internet attack - think about the possibilities. It's April Fools' Day; they could even send out a link that says "This is a virus" to everyone's contact list and they would still get a bunch of clicks. Network admins would also be slow to react to the flood of "server down" notices. And your customers might not feel the need to let you know that your website now just displays Lolcats (and spreads malware).

Please get the word out about this problem - share this article (using ShareThis below), blog or write about this on your website, talk about it in forums, and tell your friends. Update Windows systems (or switch to Linux), update your Antivirus and anti-malware (you do have both, right?), use strong passwords, and read Internet security news sites regularly.

What do you think - will the Internet survive Conficker?
