Published on Maximum PC (http://www.maximumpc.com)


Conficker Worm's Infected Over 9 Million PCs - Is Your Work or Home PC One of Them?
Created 01/21/2009 - 3:22pm


Posted 01/21/09 at 05:22:17 PM  by Mark Edward Soper


Conficker spreads via networks, infected USB drives, and more

Remember Microsoft's rare out-of-band security update from last October, MS08-067? Microsoft warned us then that Windows XP, Windows Server 2003, and Windows 2000 SP4 were especially vulnerable to being attacked. Windows Update probably took care of patching your home computer. However, companies and individuals that were slow to patch their fleets of PCs with KB958644 could find their computers now infected by a nasty worm called Conficker, Downadup or Kido.

How big a deal is Conficker/Downadup? According to F-Secure, the number of infected machines went from 2.4 million to 8.9 million in just four days as of last Friday. Panda Security now estimates that as many as one in every 16 PCs may be infected. F-Secure wraps up its analysis by saying "The situation with Downadup is not getting better. It's getting worse." Panda compares the outbreak with the legendary Kournikova (2001) and Blaster (2003) outbreaks.

The Conficker/Downadup family of worms is a nasty bunch for several reasons:

According to F-Secure, recent variants of Conficker attach themselves to several processes, disable Windows security services such as Windows Defender, Windows Error Reporting Services, and others, and create a registry entry for faster propagation across a network.

As Symantec points out, the W32.Downadup.B variant not only exploits the original Windows Server Service RPC Handling Remote Code Execution vulnerability, but can also spread through infected USB flash memory drives and by cracking weak network passwords. These latter methods are widely used by Conficker/Downadup to attack corporate networks.

Conficker/Downadup.B also infects mapped drives with autorun.inf files that spread the worm and blocks DNS requests to security sites to prevent downloading of updated antivirus and antimalware programs.

Perhaps the scariest facts about Conficker, though, are these:

  • Conficker generates hundreds of domain names daily, but will only use a single one of the domains listed for downloading malicious files, making it very difficult to trace the actual infection sites.
  • Conficker's payload - what it was designed to do - has not been triggered and is not yet known. What the developers of Conficker could do with millions of compromised PCs, the majority of which are on corporate networks, is frightening.

Stopping Conficker

If you depend upon USB flash memory drives (and who doesn't?), get the low-down from the US-CERT website on how to effectively disable Autorun. Look for TA09-020A; unfortunately, Microsoft's advice (cited in the article) doesn't do the job.
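Because the worm travels on removable and mapped drives through autorun.inf, a quick audit of drive roots shows which volumes carry a file that would launch a program. The script below is an added example, not code from the article or any vendor; the function names and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that make Windows launch a program.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample for the demo; file names are placeholders.
SAMPLE = (b"\x8f\x02 junk before the section\r\n"
          b"[AutoRun]\r\n"
          b"; comment line\r\n"
          b"Open = setup_example.exe /s\r\n"
          b"shell\\open\\Command=setup_example.exe\r\n"
          b"icon=shell32.dll,4\r\n")

def parse_autorun(raw):
    """Return (key, command) pairs in [autorun] that would start a program."""
    # latin-1 never fails to decode, so binary junk cannot abort the scan.
    text = raw.decode("utf-16", "replace") if raw[:2] == b"\xff\xfe" else raw.decode("latin-1")
    findings, in_section = [], False
    for line in text.splitlines():
        line = line.strip("\x00 \t\ufeff")
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                findings.append((key, value.strip()))
    return findings

def scan_roots(roots):
    """Map each autorun.inf found in a drive root to its launch entries."""
    report = {}
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue  # drive missing or not ready
        for name in names:
            path = os.path.join(root, name)
            if name.lower() == "autorun.inf" and os.path.isfile(path):
                with open(path, "rb") as fh:
                    report[path] = parse_autorun(fh.read(1 << 20))
    return report

def demo():
    """Write SAMPLE into a temporary 'drive root' and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "wb") as fh:
            fh.write(SAMPLE)
        return list(scan_roots([root]).values())[0]

if __name__ == "__main__":
    print(demo())
```

On a Windows machine, pass the drive roots to check (for example `scan_roots(["E:\\", "Z:\\"])`); any non-empty result names a program that Autorun would start from that drive.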

Already infected? To get rid of Conficker/Downadup/Kido, see Microsoft Knowledge Base article KB962007, check with your favorite antimalware vendor for updated virus/malware signatures, or download these free removal tools:

  • F-Secure's Downadup removal page
  • Symantec's Conficker removal page
  • Microsoft's Malicious Software Removal Tool page
USB flash drives illustration courtesy of BBC.
TAGS: Security, patch, exploit, worm, Microsoft KB, Conficker, Downadup, Kido, infection, payload
Future © 2009 Future US, Inc. All Rights Reserved.

Source URL: http://www.maximumpc.com/article/news/conficker_worms_infected_over_9_million_pcs_is_your_work_or_home_pc_one_them

Links:
[1] http://www.maximumpc.com/user/marcus_soperus
[2] http://www.maximumpc.com/article/news/microsoft_patches_critical_vulnerability_xp_vista_windows_7_and_others
[3] http://support.microsoft.com/kb/958644
[4] http://www.f-secure.com/weblog/archives/00001584.html
[5] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126482&intsrc=hm_list
[6] http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
[7] https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225
[8] http://news.bbc.co.uk/2/hi/technology/7832652.stm
[9] http://www.us-cert.gov/cas/techalerts/TA09-020A.html
[10] http://support.microsoft.com/kb/962007
[11] http://www.f-secure.com/v-descs/worm_w32_downadup_gen.shtml
[12] http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
[13] http://support.microsoft.com/?kbid=890830
[14] http://news.bbc.co.uk
[15] http://www.maximumpc.com/article/storm_worm_strikes_again_and_blasts_from_the_past_part_1
[16] http://www.maximumpc.com/article/news/worm_targeted_online_gamers_infects_laptop_space