Boom! April fools!?

03/26/2009 11:52

As the warm weather begins to set in, something besides April showers may be approaching. A malicious program called Conficker (a.k.a. Worm_DownAD.AD, Trojan.Win32.Pakes.lxf, W32.Downadup) has been propagating throughout the internet and making headlines. This malware (malicious software) has garnered so much attention because of its level of sophistication, its install base, and its unknown nature.

Conficker was first discovered in the wild (on the internet) back in October of 2008, and targets Windows-based computers and servers. The latest variants of this malware are programmed to download an update on April 1st, 2009. Unfortunately, no one knows what this update is or what effect it will have on infected computers or the internet in general. Conficker employs some of the latest encryption techniques and is being actively adapted in response to network security measures against it.

What is it?

Conficker is technically a worm, not a virus. Just like its biological counterpart, a computer worm is a self-sufficient organism that can survive and propagate on its own without relying on components installed on the infected computer. This worm uses a known, and patched, issue with Microsoft Windows to install and spread itself. This worm has multiple attack vectors (ways to spread), and a vulnerable computer (one that is not patched/updated and not behind a firewall) can have this worm installed without the user's knowledge.

Once installed, Conficker does the following:

  • Stops any Windows updates from working
  • Disables Windows Defender
  • Disables Windows error reporting
  • Disables some anti-malware program updates
  • Disables some troubleshooting programs
  • Prevents access to popular anti-virus websites
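The list above can be turned into a quick triage check. The script below is an added example written for this post, not code from the original article or from any vendor tool: it runs `sc query` for the Windows services behind those symptoms and reports any that are not running. The service names are an assumption (the Windows XP/Vista names; Windows Error Reporting is ERSvc on XP and WerSvc on Vista), and a stopped service is a lead to follow up, not proof of infection.

```python
import re
import subprocess

# Services behind the symptoms listed above. Assumption: Windows XP/Vista
# service names (ERSvc is Windows Error Reporting on XP, WerSvc on Vista).
# WinDefend only exists where Windows Defender is installed.
WATCHED_SERVICES = {
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service (used by Windows Update)",
    "WinDefend": "Windows Defender",
    "ERSvc": "Windows Error Reporting",
    "wscsvc": "Security Center",
}

# `sc query` prints a line such as "        STATE              : 4  RUNNING".
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)

# Constructed samples of `sc query` output so the parser can be exercised offline.
SAMPLE_RUNNING = (
    "SERVICE_NAME: wuauserv\n"
    "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
    "        STATE              : 4  RUNNING\n"
    "                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)\n"
    "        WIN32_EXIT_CODE    : 0  (0x0)\n"
)
SAMPLE_STOPPED = (
    "SERVICE_NAME: wscsvc\n"
    "        TYPE               : 20  WIN32_SHARE_PROCESS\n"
    "        STATE              : 1  STOPPED\n"
    "        WIN32_EXIT_CODE    : 1077  (0x435)\n"
)
SAMPLE_MISSING = (
    "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
    "The specified service does not exist as an installed service.\n"
)


def parse_sc_state(output):
    """Return the state word (RUNNING, STOPPED, ...) from `sc query` output,
    "MISSING" when sc could not open the service, and "UNKNOWN" otherwise."""
    if "FAILED" in output:
        return "MISSING"
    m = STATE_RE.search(output)
    return m.group(1) if m else "UNKNOWN"


def query_service(name):
    """Run `sc query <name>` on this machine (Windows only) and parse its state."""
    proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return parse_sc_state(proc.stdout + proc.stderr)


def not_running(states):
    """Given {service: state}, return the watched services that are not RUNNING.
    Treat the result as a list of things to look at, not as a verdict: a missing
    WinDefend just means Defender is not installed on that machine."""
    return sorted(name for name, state in states.items() if state != "RUNNING")


if __name__ == "__main__":
    states = {name: query_service(name) for name in WATCHED_SERVICES}
    for name, state in states.items():
        print(f"{name:10} {state:8} {WATCHED_SERVICES[name]}")
    flagged = not_running(states)
    print("check:", ", ".join(flagged) if flagged else "all watched services running")
```

Run it on the machine in question; if Automatic Updates, Security Center or Windows Defender are stopped and you did not stop them, that matches the behaviour described above and the machine deserves a full scan.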

How does it spread?

Conficker spreads to other computers on the network through a number of mechanisms. First and foremost, it attempts to directly install onto any vulnerable computers that are not patched/updated and are not behind a firewall. 

The worm also reprograms any removable media it can find, such as USB thumb drives or memory cards, to automatically run and install itself if the media is plugged into another computer. This is done by creating an "auto-run" file on the media, making the install run when the computer detects the media.

Finally, the worm tries to break the administrative passwords on network servers to infect file shares, also through the "auto-run" feature. 
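Because both the removable-media and the file-share routes rely on an "auto-run" file, inspecting autorun.inf files is a cheap check. The script below is an added example written for this post, not code from the original article or from any vendor: it parses an autorun.inf, lists the entries that would launch a program, and flags the pattern where an executable is dressed up with an "Open folder" label. The sample file is constructed for illustration, with invented path and file names, and is not Conficker's actual file.

```python
import re

# Constructed sample of an autorun.inf of the kind a worm plants on removable
# media. The folder and file names are invented; this is not Conficker's real file.
SAMPLE_AUTORUN = """[autorun]
;lines starting with a semicolon are comments
open=RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=USB DISK
"""

# Keys whose value is a program that runs when the media is inserted or opened.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\.*\\command$", re.IGNORECASE)
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|dll)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section.
    Lines that are not key=value, including comments and the junk bytes some
    worms pad the file with, are skipped rather than treated as errors."""
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip().lower(), value.strip()))
    return entries


def find_exec_entries(text):
    """Return the entries that would launch a program, as (key, target) pairs."""
    return [(k, v) for k, v in parse_autorun(text)
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def assess(text):
    """Return human-readable findings for one autorun.inf (empty list = nothing to report)."""
    findings = []
    entries = dict(parse_autorun(text))
    exec_entries = find_exec_entries(text)
    for key, target in exec_entries:
        kind = "an executable" if EXEC_EXT_RE.search(target) else "a target"
        findings.append(f"{key} launches {kind}: {target}")
    # An executable behind a label that reads like the normal "open folder"
    # choice is a social-engineering tell in the AutoPlay dialog.
    if exec_entries and "open folder" in entries.get("action", "").lower():
        findings.append("action label imitates the folder-open choice")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_AUTORUN) or ["nothing suspicious"]:
        print(finding)
```

The same parser can be pointed at the root of a mounted thumb drive or a file share; an autorun.inf whose only keys are `icon` and `label` is normal for branded media, while any `open`, `shellexecute` or `shell\...\command` entry deserves a look before the device is plugged into anything else. Disabling AutoRun for removable media removes the mechanism entirely.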

What is being done?

The vulnerability that allows Conficker to spread has been patched by Microsoft. On October 23, 2008, Microsoft released Security Bulletin MS08-067 - Critical, "Vulnerability in Server Service Could Allow Remote Code Execution (958644)". Microsoft also includes a removal tool in its "Malicious Software Removal Tool" update.

Also, most anti-malware software vendors (Trend Micro, Symantec, McAfee, etc.) have included detection and removal mechanisms in their software.

Finally, network security organizations are still trying to find a way to block the scheduled April 1st download. Unfortunately, the most recent updates to Conficker have defeated their efforts by including such a large number of potential download sites that it would be impractical to block them all.

What to do...

  1. Patch Windows. Make sure your computers are automatically receiving and installing Windows updates. To manually update your computer, visit https://windowsupdate.microsoft.com to download and install critical security updates, including the Malicious Software Removal tool.
  2. Update your Anti-Malware software. Once the latest definitions are installed, run a full scan of your computers, including any servers.
  3. Make sure your administrative passwords/passphrases are strong. A strong password should be long (at least 14 characters to make sure it's stored securely) and should contain mixed case, numbers, letters and special characters such as _*^ and spaces. Using song lyrics or quotes is a good way to make the password cryptographically complex and yet still remember it.
  4. If you have any questions, concerns or think you are infected, contact your IT admin immediately!
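Step 3 can be checked mechanically before an administrative password is set. The script below is an added example written for this post, not code from the original article: it applies the requirements as stated in step 3 (the 14-character floor, mixed case, digits, and special characters including spaces) and reports which ones a candidate fails. The sample passwords are constructed for illustration.

```python
import string

# The requirements from step 3. MIN_LEN is the 14-character floor the post gives.
MIN_LEN = 14
SPECIALS = set(string.punctuation) | {" "}   # "_*^ and spaces" all count


def check_password(pw, min_len=MIN_LEN):
    """Return {requirement: passed} for each requirement in step 3."""
    return {
        "length": len(pw) >= min_len,
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }


def failed_checks(pw, min_len=MIN_LEN):
    """Names of the requirements pw does not meet; an empty list means it passes."""
    return [name for name, ok in check_password(pw, min_len).items() if not ok]


def is_strong(pw, min_len=MIN_LEN):
    """True when every requirement in step 3 is met."""
    return not failed_checks(pw, min_len)


# Constructed examples: a short "classic" password, an all-caps one, and a
# quote-style passphrase with a digit and punctuation worked in.
EXAMPLES = [
    "Password1",
    "ALLUPPERCASE12345678",
    "To be, or not 2 be: that is the Question!",
]

if __name__ == "__main__":
    for pw in EXAMPLES:
        failed = failed_checks(pw)
        verdict = "ok" if not failed else "fails: " + ", ".join(failed)
        print(f"{pw!r:45} {verdict}")
```

A checker like this enforces a floor, not a ceiling: the reason the lyric or quote approach works is that the extra length does far more for guess-resistance than swapping a few letters for symbols, so a passphrase that clears the 14-character mark comfortably is preferable to a short password that only just satisfies every character class.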

Technical information:

https://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
https://blog.trendmicro.com/the-mess-that-is-worm_downad/
https://vil.nai.com/vil/content/v_153464.htm
https://en.wikipedia.org/wiki/Conficker
