Conficker Worm's Infected Over 9 Million PCs - Is Your Work or Home PC One of Them?
Posted 01/21/09 at 05:22:17 PM by Mark Edward Soper

Remember Microsoft's rare out-of-band security update from last October, MS08-067? Microsoft warned us then that Windows XP, Windows Server 2003, and Windows 2000 SP4 were especially vulnerable to being attacked. Windows Update probably took care of patching your home computer. However, companies and individuals that were slow to patch their fleets of PCs with KB958644 could find their computers now infected by a nasty worm called Conficker, Downadup or Kido.
How big a deal is Conficker/Downadup? According to F-Secure, the number of infected machines went from 2.4 million to 8.9 million in just four days as of last Friday. Panda Security now estimates that as many as one in every 16 PCs may be infected. F-Secure wraps up its analysis by saying "The situation with Downadup is not getting better. It's getting worse." Panda compares the outbreak with the legendary Kournikova (2001) and Blaster (2003) outbreaks.
The Conficker/Downadup family of worms is a nasty bunch for several reasons:
- According to F-Secure, recent variants of Conficker attach themselves to several processes, disable Windows security services such as Windows Defender, Windows Error Reporting Services, and others, and create a registry entry that speeds up propagation across a network.
- As Symantec points out, the W32.Downadup.B variant not only exploits the original Windows Server Service RPC handling remote code execution vulnerability (MS08-067), but can also spread through infected USB flash memory drives and by trying weak passwords against network shares. These latter two methods are the ones Conficker/Downadup relies on most to work its way through corporate networks.
- Conficker/Downadup.B also drops an autorun.inf file, along with a copy of itself, onto removable and mapped drives so that the worm runs when the drive is opened, and it blocks DNS lookups of security vendors' sites so that updated antivirus and antimalware programs cannot be downloaded.
Perhaps the scariest facts about Conficker, though, are these:
- Conficker generates hundreds of candidate domain names every day and tries them for downloads; its operators need to register only one of them to push files to every infected machine, which makes the actual update sites very difficult to trace or block in advance.
- Conficker's payload - what it was designed to do - has not been triggered and is not yet known. What the developers of Conficker could do with millions of compromised PCs, the majority of which are on corporate networks, is frightening.
Stopping Conficker
If you depend upon USB flash memory drives (and who doesn't?), get the low-down from the US-CERT website on how to effectively disable AutoRun: look for Technical Alert TA09-020A. Unfortunately, Microsoft's own advice (cited in that alert) doesn't do the job by itself.
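As an added example (not code from the article, from US-CERT or from Microsoft), here is a PowerShell script that applies the registry change TA09-020A recommends, plus Microsoft's own policy value, and reads both back so you can confirm they took. It assumes PowerShell is installed (it was an optional download on XP and Server 2003) and that the prompt is elevated; the key paths are the standard ones, and the function names are my own.

```powershell
# Added example, not from the article, US-CERT or Microsoft: apply the TA09-020A
# registry mitigation and the Microsoft policy value, then read both back.
# Assumes PowerShell is installed and the prompt is elevated (Run as administrator).
# Explorer picks the change up at logon, so log off or reboot afterwards.

$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\IniFileMapping\Autorun.inf'
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutorunMitigation {
    # 1. The TA09-020A fix. Windows treats autorun.inf as a legacy INI file, and
    #    IniFileMapping can redirect reads of such a file to a registry key.
    #    Pointing it at a key that does not exist makes every autorun.inf read as empty,
    #    so Explorer never sees an open=, shell= or action= line at all.
    if (-not (Test-Path $mapKey)) { New-Item -Path $mapKey -Force | Out-Null }
    Set-ItemProperty -Path $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'

    # 2. Microsoft's advice: NoDriveTypeAutoRun = 0xFF disables AutoRun for every
    #    drive type. Kept as defence in depth; the article notes it is not enough alone.
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Get-AutorunMitigation {
    # Read both settings back; missing keys come back as $null instead of an error.
    $map = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
    $pol = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $polText = '(not set)'
    if ($null -ne $pol) { $polText = '0x{0:X2}' -f [int]$pol }
    [pscustomobject]@{
        IniFileMappingBlocksAutorun = ($map -eq '@SYS:DoesNotExist')
        NoDriveTypeAutoRun          = $polText
    }
}

Set-AutorunMitigation
Get-AutorunMitigation | Format-List
```

Run it once from an elevated prompt and then log off; `IniFileMappingBlocksAutorun` should read `True` and `NoDriveTypeAutoRun` should read `0xFF`. The first setting is the one that actually stops an autorun.inf on a flash drive from being parsed; the second only tells Explorer not to act on it, which is why the article says Microsoft's advice alone is not enough.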
Already infected? To get rid of Conficker/Downadup/Kido, see Microsoft Knowledge Base article KB962007, check with your favorite antimalware vendor for updated virus/malware signatures, or download these free removal tools:
- F-Secure's Downadup removal page
- Symantec's Conficker removal page
- Microsoft's Malicious Software Removal Tool page
USB flash drives illustration courtesy of BBC.
For me I never use the auto
Submitted by Lord Omega on Thu, 01/22/2009 - 12:23pm
For me, I never use the AutoRun feature. Instead I just go and browse the file/drive myself. But since this is the case where it can be executed, I will not. Is there any way to disable AutoRun in Vista?
Disabling AutoRun in Windows Vista
Submitted by Marcus_Soperus on Thu, 01/22/2009 - 1:53pm
Make sure you have installed the patch available from http://support.microsoft.com/kb/953252 (KB953252), and then follow the instructions in that document to disable Vista's AutoRun.
--------------------------------------------------------------------------------------------------------------------------
It's amazing how illogical a business built on binary logic can be.
Great tip on handling Autorun!
Submitted by Marcus_Soperus on Thu, 01/22/2009 - 11:04am
It's amazing how illogical a business built on binary logic can be.
wow
Submitted by Block_Dude on Thu, 01/22/2009 - 10:29am
Wow, that US-CERT article tells you literally how to DESTROY the autorun.inf file...never knew you could tell Windows to literally ignore it. That's a very unique way to mitigate attacks.
Some people know that simply double-clicking the drive's icon in My Computer will execute the autorun.inf program associated with it, so they right-click and select "Explore" instead, thinking that will only EXPLORE the drive. However, I did some testing, and you can modify the shell context menu items and set an "Explore" value to do whatever you want LOL...see the autorun.inf code here:
[autorun]
; run when AutoRun fires or the drive is double-clicked
open="hidden\trojan.exe"
; text shown for that entry in the AutoPlay dialog
action=Open folder to view files
icon=hidden\folder.ico
label=Removable Disk
; make "View" the default (bold) context-menu verb
shell=View
; every familiar right-click verb is redirected to the same executable
shell\View\command=hidden\trojan.exe
shell\Explore\command=hidden\trojan.exe
shell\Open\command=hidden\trojan.exe
shell\Search...\command=hidden\trojan.exe
In this situation, if you right-click the drive's icon, the first option will be "View" (it will be bold) and that executes code in "trojan.exe." The options "Explore," "Open," and "Search..." will also do the same thing. You can't change "Autoplay," and if you change "Search...", there will be another "Search..." near the bottom of the list that will in fact open the Search menu in Windows. So the only way you could legitimately explore the drive is by selecting "Open folder to view files, using Windows Explorer" in the AutoPlay menu (it WON'T be the first option.)
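As an added example, not code from the article or from the commenter above: a PowerShell script that parses an autorun.inf the way Windows reads it (the [autorun] section only) and lists every entry that can run a program, including right-click verbs that have been redirected as in the sample above. The sample autorun.inf is embedded from the comment so the script runs with no drive attached; pass a path as the first argument to inspect a real file. The function names are my own.

```powershell
# Added example, not code from the article or the commenter: parse an autorun.inf
# and report every entry that can launch a program, flagging the default verb.
# Usage:  .\Find-AutorunHijack.ps1 E:\autorun.inf   (the path is an assumption)
# With no argument it inspects the sample from the comment, embedded below.

function Read-AutorunSection {
    param([string[]]$Lines)
    # Minimal INI reader: returns Key/Value pairs from the [autorun] section only,
    # skipping blank lines and ';' comments, the way the INI rules treat them.
    $inAutorun = $false
    $entries = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inAutorun) { continue }
        $eq = $line.IndexOf('=')
        if ($eq -lt 1) { continue }
        $entries += [pscustomobject]@{
            Key   = $line.Substring(0, $eq).Trim()
            Value = $line.Substring($eq + 1).Trim().Trim('"')
        }
    }
    return $entries
}

function Get-AutorunFindings {
    param([string[]]$Lines)
    $entries = Read-AutorunSection -Lines $Lines
    # shell= names the verb Explorer shows in bold and runs on double-click.
    $defaultVerb = ($entries | Where-Object { $_.Key -ieq 'shell' } | Select-Object -Last 1).Value
    $findings = @()
    foreach ($e in $entries) {
        switch -Regex ($e.Key) {
            '^(open|shellexecute)$' {
                $findings += "$($e.Key)= runs '$($e.Value)' when AutoRun fires"
            }
            '^shell\\(.+)\\command$' {
                # shell\<verb>\command= replaces what a context-menu verb does.
                $verb = $Matches[1]
                $tag = ''
                if ($defaultVerb -and ($verb -ieq $defaultVerb)) { $tag = ' [default verb, shown in bold]' }
                $findings += "right-click '$verb'$tag runs '$($e.Value)'"
            }
            '^action$' {
                $findings += "AutoPlay entry is relabelled '$($e.Value)'"
            }
        }
    }
    return $findings
}

# Sample from the comment above, embedded so the script runs without a drive.
$sample = @'
[autorun]
open="hidden\trojan.exe"
action=Open folder to view files
icon=hidden\folder.ico
label=Removable Disk
shell=View
shell\View\command=hidden\trojan.exe
shell\Explore\command=hidden\trojan.exe
shell\Open\command=hidden\trojan.exe
shell\Search...\command=hidden\trojan.exe
'@

$lines = if ($args.Count -gt 0) { Get-Content -LiteralPath $args[0] } else { $sample -split "`r?`n" }
$findings = Get-AutorunFindings -Lines $lines
if ($findings.Count -eq 0) {
    Write-Output 'No launch entries found (icon/label only).'
} else {
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Against the sample it reports the open= line, the relabelled AutoPlay entry, and four redirected verbs, with View marked as the default. Any output beyond icon= and label= means the drive's double-click and right-click verbs cannot be trusted; the only safe path is the "Open folder to view files, using Windows Explorer" AutoPlay entry the commenter mentions, or better, disabling AutoRun as TA09-020A describes so the file is never read.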
THIS is why I like max PC.....
Submitted by ghot on Thu, 01/22/2009 - 7:12am
good look, Max PC :)
How to tell if you're infected with Conficker
Submitted by Marcus_Soperus on Wed, 01/21/2009 - 9:54pm
The easiest way to tell if you're infected is to look at the writeups on the various antivirus vendors' information pages and see if the signs of infection are occurring on your system: for example, if you are unable to bring up antivirus websites in your browser, or if your system registry has the registry key used by some variants to speed up network propagation of the worm. Follow the links to the removal tools to get to pages with this information.
-------------------------------------------------------------------------------------------------------------------------------------------------
It's amazing how illogical a business built on binary logic can be.
dumb question but....
Submitted by hammerfell on Wed, 01/21/2009 - 8:35pm
How would I know if I'm infected? Does the virus show up in antivirus scans?