What You Need to Know About Conficker and How to Avoid Being a Victim (Updated for April 1st)

April Fools' Day might be all fun and games for some, but if you manage to fall prey to the Conficker worm, it's no laughing matter. As reported earlier this month by our very own Mark Soper, the third version of Conficker (Conficker.c) is set to wreak havoc tomorrow, April 1st. Here's what you need to know. [via maximumpc]

What is Conficker?

Conficker is one of the nastiest computer worms in recent history to go on the warpath against Windows-based PCs. First surfacing in October, 2008, Conficker targets Windows 2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2 Beta, and even Windows 7. To date, Conficker has infected over 9 million PCs, shut down French and British military assests, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.

What Does it Do?

The first two versions of Conficker -- variants A and B -- exploit a vulnerability in the Server Service on Windows-based PCs to take advantage of an already-infected source computer. Once infected, the worm goes to work exploiting the network hole, cracking administrator passwords, prevents access to security websites and services for automatic updates, disables backup services, erases recently saved documents, and among other things, also leaves you vulnerable to other infected machines.

What Happens Tomorrow?

One of the scariest things about Conficker, including Conficker.c, is that its full potential isn't known. Come tomorrow, those infected might be prompted to buy fake sofware products, or it could start monitoring your keystrokes to lift sensitive information like banking passwords. Files could end up deleted, or it might transform your computer into a zombie PC while staying under the radar. Whatever it ends up doing, it won't be good, and you need to take proper precautions right now.

How to Tell if You're Already Infected

Once infected, Conficker seals up the hole it used to infiltrate your system preventing other malware from getting in. Because of this, it can be difficult for IT pros to tell which computers have been patched and which might have a fake Conficker patch. But according to the nonprofit Honeynet Project, Conficker.c's buggy code has made it somewhat easy to detect using a newly released proof-of-concept scanner.

"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

Other telltale signs that you might be infected with Conficker is if you haven't received any automatic updates from Windows in March, if you're unable to update your antivirus program, or if your security software is running abnormally slow as of late. You can also try accessing major AV sites, as Conficker will attempt to block these.

The Department of Homeland Security (DHS) has released a computer worm detection tool, along with a bevy of other information, which can be found here.

How Can I Avoid Infection?

Drain your savings account, buy a Mac, and hang out at Starbucks all day long. Or to appease the Linux crowd, ditch Windows and dive into Ubuntu. But you don't need to learn a brand new OS or invest in an overpriced computer to avoid Conficker.

One way to avoid Conficker is to disable AutoRun. Details on how to properly do so can be found here. And as with all security-related threats, safe computing habits apply. Avoid websites you're not familiar with, ensure that Windows is fully patched, invest in a security program and download the latest updates, and never download from an unknown or shady source.

Holy S#*t, I'm Infected!

We'll assume here you're talking about your PC (if not, stop scratching it and consult a doctor). There are a number of Conficker removal tools available, such as those found here, here, and here. If going this route, it's a good idea to download the tool(s) from a clean PC rather than your infected one. Note that Conficker also blocks tools with 'Conficker' in the name, so be prepared to rename the file(s) if necessary.

Another option is to create a bootable CD/DVD or USB thumb drive and outfit it with security programs. By doing so, you'll bypass Windows entirely and have a clean slate from which to work from. Just be sure to create bootable media from a clean PC. Also check your security vendor's website for information on creating a bootable rescue disk.

Finally, to err on the extreme side of caution, you can start fresh with a reinstallation of Windows. Whether or not you resort to this, it's a good idea to backup any important data -- work documents, family photos, groovy music -- right away.

**April 1, 2009 Update**

We won't fault anyone who, after reading our Conficker coverage, when and constructed an aluminum foil deflector beanie (see here for a great how-to), and you might even choose to still wear it. But we do encourage taking a collective sigh of relief with us. It's now April 1st, and Conficker.c doesn't look like its going to cause the kind of mass damage that made the worm famous. Or at least it hasn't happened yet.

According to early reports, Conficker.c has caused only a smatttering of security breaches across the globe, most of which have occured in Asia. It's believed that somewhere between 1 million and 2 million computers are actively infected with the worm, significantly less than the 9 million it claimed in January. And while Asia has been bearing the brunt of infections, the infection rate in North America sits at only 5.8 percent, according to IBM ISS Managed Security Services.

I Knew Nothing Much Would Happen!

We envy your 8-ball, and while it's entirely possible that nothing much more will happen, there's still a chance that Conficker.c could wreak more havoc before all is said and done. Some security experts believe it will take days before we truly know what Conficker.c is up to, noting that the worm has increased the number of DNS resolutions, expanding its list of domains and perhaps waiting for further instructions. And yet others are decidely less worried.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaing tools for Conficker-infected computers."

Sum it Up for Me

Put simply, Conficker.c has yet to do any widespread damage, and it might never cause any real harm. But it's also shown some activity, which could indicate more to come. Continue practicing safe computing, perhaps erring on the side of caution for the next few days, and it really shouldn't matter one way or the other.

Did you like this post? Leave your comments below!
Found this Post interesting? Receive new posts via RSS (What is RSS?) or Subscribe to CR by Email

More Post From The Web