Should I Be Concerned About the Conficker Worm?
I’ve been getting this question from family and friends as the buzz is around the Internet that this is going to be a big thing on April 1st.
The truth of the matter is that, at last check, researchers had no idea what this thing was going to do. So I’m wondering why it’s suddenly a big thing. I did some more research on my own: some people are saying it’s set to go off on April 1st, but others have not mentioned it at all. So it makes one wonder if there’s too much hype.
According to Microsoft’s information posted:
What Happens on April 1, 2009?
Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.
(Source: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx)
That’s all it’s set to do, update. And I believe what people are panicking about is just what is the update going to tell it to do?
You know, it’s April Fool’s Day. Maybe it’s going to shoot out a message that says “Psych! Had you going!” Or maybe, “Ballmer Sucks!” I’d pay to see that one!
I know I’m making light of the subject, but the truth is that we don’t know what it’s going to do! It’s that simple! The fervor with which the rumors are spreading is ridiculous! It sounds like we’re on the eve of 2000 again.
If you’re paranoid and this new worm has you frightened, then educate yourself. Yes, a shameless advertisement for our courses. Take one! Learn! Otherwise you’re a victim to every pundit who writes for the news.
First of all, let’s get the concept of a worm straight. As my students know, a worm is not like an ordinary virus that requires a user to do something to activate it, such as opening an e-mail attachment. A worm does not require human intervention; it moves perfectly well on its own.
Secondly, if you are running a reputable antivirus program, the worm is being detected in the scans, so you should be fine.
When I say reputable, I’m not discounting the free antivirus programs. Avast and AVG have confirmed they are protecting you.
http://forum.avast.com/index.php?topic=41900.0
http://viruslab.blog.avg.com/2009/01/downadupconficker-worm.html
The other major manufacturers are reporting the same.
What bothers me the most in the reporting of this worm, is that thousands if not a million computers are infected with this worm. If that’s true, then are you telling me that hundreds of thousands of users are not using virus protection??? That scares me more than this worm does!
Okay, so if you’re running AV protection, you’re somewhat safe. But the real fact of the matter is, you need to protect yourself by getting Microsoft’s MS08-067 security update, and disabling Windows’ Autoplay and Autorun features. (Although I refuse to disable my autorun, autoplay features personally. And, I would like to think I’m relatively certain that I don’t have the worm. But I’ll do a double check to make sure.)
The patch is available here: http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
The reason they recommend disabling the AutoPlay and AutoRun features is that the worm can spread through file sharing and through removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog will show one additional option.
For example, here is my normal auto-play screen:
This is the one with the extra worm file on top of the normal windows explorer option:
If you select the first option, the worm executes and can begin to spread itself to other computers.
Currently, this worm has infected thousands of computers – not the millions as previously thought.
Now, for my techie friends and advanced students: the worm signature has been found. Yes! That’s right! The signature has been found and reported on yesterday. And guess what tool you can use to find it? One from our advanced class! NMAP!
Because the signature is exposed anonymously on the surface, you should be able to pick it up with NMAP. However, there is a proof of concept scanner available here if you’d like to test it out: http://iv.cs.uni-bonn.de/uploads/media/scs.zip
This PoC has been developed with help from Dan Kaminsky, our love/hate security guru! I say that tongue-in-cheek, Dan! (SMILE)
Now, for the average person again: What are the signs that my PC has been hit? Microsoft’s advisory about Downadup (Conficker) lists several symptoms of infection, including these:
Account lockout policies are being tripped (because your password’s been hijacked, and changed, by the attacker).
“Account lockout policies being tripped” is the technical security explanation for the fact that you get locked out of your own resources, whether they are your own computer, your router, or your programs. For the average user, it’s when you enter the password that you know is right and an error message pops up claiming that you entered the wrong username and password, and you’re sitting there saying, “WTF?”
Automatic Updates are disabled (because Conficker tries to keep the PC unpatched by turning off Windows Update’s automatic update, as well as Background Intelligent Transfer Service (BITS), the Windows component used by Windows Update to actually deliver the updates).
You can actually check to make sure that these are running by:
- Right click over your My Computer icon and choose: Manage.
- Navigate to: Services and Applications.
- Click the plus sign to get to: Services.
- Once you click on Services in the list, you should see the list of services in the right side of the screen. They are in alphabetical order.
- Automatic Updates and Background Intelligent Transfer Service (BITS) should be set to automatic and started. BITS may be manual and not running but that’s okay as long as the Automatic Updates are running.
- If you have your auto updates turned off, please use the link above to get your patch!
Various security-related Web sites cannot be accessed (because Conficker blocks access to a whole host of security companies’ sites in an effort to prevent antivirus software from being updated, which could result in the worm’s detection and eradication).
More technical information from Microsoft:
The following system changes may indicate the presence of this malware:
- The lack of response from, or the termination of, the following services:
  - Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows Update, Firewall and Antivirus)
  - Windows Update Auto Update Service (wuauserv)
  - Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  - Windows Defender (WinDefend)
  - Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  - Windows Error Reporting Service (wersvc)
- Users may not be able to run applications containing the following strings:
  autoruns, avenger, confick, downad, filemon, gmer, hotfix, kb890, kb958, kido, klwk, mbsa., mrt., mrtstub, ms08-06, procexp, procmon, regmon, scct_, sysclean, tcpview, unlocker, wireshark
- Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
  agnitum, ahnlab, anti-, antivir, arcabit, avast, avgate, avira, bothunter, castlecops, ccollomb, centralcommand, clamav, comodo, computerassociates, conficker, cpsecure, cyber-ta, defender, downad, drweb, dslreports, emsisoft, esafe, eset, etrust, ewido, f-prot, f-secure, fortinet, free-av, freeav, gdata, grisoft, hackerwatch, hacksoft, hauri, ikarus, jotti, k7computing, kaspersky, kido, malware, mcafee, microsoft, mirage, msftncsi, msmvps, mtc.sri, networkassociates, nod32, norman, norton, onecare, panda, pctools, prevx, ptsecurity, quickheal, removal, rising, rootkit, safety.live, securecomputing, secureworks, sophos, spamhaus, spyware, sunbelt, symantec, technet, threat, threatexpert, trendmicro, trojan, virscan, virus, wilderssecurity, windowsupdate
- Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:
  avg., avp., bit9., ca., cert., gmer., kav., llnw., llnwd., msdn., msft., nai., sans., vet.
(Source: http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D)
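For readers who want to check the service symptoms from the steps above and the blocked security-site symptom in one go, here is an added, read-only PowerShell self-check (it is not code from the original post or from Microsoft). It assumes Windows PowerShell 2.0 or later, that the service names are as listed in the advisory, and that the site blocking shows up as a failed name lookup; the hostnames used are constructed samples chosen to contain strings from the blocked list.

```powershell
# Added example, not from the original post or from Microsoft. Read-only
# self-check for the symptoms listed above; it changes nothing on the PC.
# Assumes Windows PowerShell 2.0 or later (Get-WmiObject, New-Object PSObject).

# Services the advisory says Conficker stops or breaks. ersvc exists on XP,
# wersvc on Vista and later, so one of that pair is always absent.
$watchedServices = @('wscsvc', 'wuauserv', 'BITS', 'WinDefend', 'ersvc', 'wersvc')

# Constructed sample hostnames whose names contain strings from the blocked
# list (kaspersky, symantec, microsoft, avast) plus a control name that does not.
$blockedSites = @('www.kaspersky.com', 'www.symantec.com', 'update.microsoft.com', 'www.avast.com')
$controlSite  = 'www.example.com'

function Test-ConfickerServices {
    # One record per watched service. Suspicious = disabled, or set to
    # Automatic but not running (BITS on Manual and stopped is normal).
    foreach ($name in $watchedServices) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            # Not installed on this Windows version; report it, do not flag it.
            New-Object PSObject -Property @{ Service = $name; State = 'not installed'; StartMode = 'n/a'; Suspicious = $false }
            continue
        }
        $suspicious = ($svc.StartMode -eq 'Disabled') -or
                      ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running')
        New-Object PSObject -Property @{ Service = $name; State = $svc.State; StartMode = $svc.StartMode; Suspicious = $suspicious }
    }
}

function Test-SecuritySiteLookup {
    # Assumption: the site blocking shows up as a failed name lookup. If the
    # control name resolves but the security sites do not, flag it.
    $resolves = {
        param($hostName)
        try { [System.Net.Dns]::GetHostAddresses($hostName) | Out-Null; $true } catch { $false }
    }
    $controlOk = & $resolves $controlSite
    foreach ($site in $blockedSites) {
        $ok = & $resolves $site
        New-Object PSObject -Property @{ Host = $site; Resolves = $ok; Suspicious = ($controlOk -and -not $ok) }
    }
}

Test-ConfickerServices  | Format-Table Service, State, StartMode, Suspicious -AutoSize
Test-SecuritySiteLookup | Format-Table Host, Resolves, Suspicious -AutoSize
```

A row marked Suspicious is a reason to run the steps above and the MS08-067 patch link, not proof of infection on its own; a PC with no network at all will simply show every lookup failing, including the control.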
For more about technical signs of the worm see:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T
All of your current AV programs should detect it! But definitely patch your system!
Debbie
Related Resources:
http://www.infoworld.com/article/09/03/09/Hackers_update_Conficker_worm_evade_countermeasures_1.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://technet.microsoft.com/en-us/security/dd452420.aspx
http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
I wouldn’t be totally surprised if the Conficker worm turned out to be an “April Fool’s Joke,” but of course doing nothing still isn’t worth the risk.
This might be a stupid question, but can anyone advise how to fix error code 39 on Windows XP?
Facebook User reply on May 13th, 2009 12:53 pm:
Error Code 39 is a missing CD ROM drive. Reinstall the drivers.
Actually NMAP has a feature to detect Conficker-infected PCs.