What You Need to Know About Conficker and How to Avoid Being a Victim (Updated for April 1st)

Paul Lilly — Wed, 01 Apr 2009 13:00:00 -0500

April Fools' Day might be all fun and games for some, but if you manage to fall prey to the Conficker worm, it's no laughing matter. As reported earlier this month by our very own Mark Soper, the third version of Conficker (Conficker.c) is set to wreak havoc tomorrow, April 1st. Here's what you need to know.

What is Conficker?

Conficker is one of the nastiest computer worms in recent history to go on the warpath against Windows-based PCs. First surfacing in October, 2008, Conficker targets Windows 2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2 Beta, and even Windows 7. To date, Conficker has infected over 9 million PCs, shut down French and British military assests, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.

What Does it Do?

The first two versions of Conficker -- variants A and B -- exploit a vulnerability in the Server Service on Windows-based PCs to take advantage of an already-infected source computer. Once infected, the worm goes to work exploiting the network hole, cracking administrator passwords, prevents access to security websites and services for automatic updates, disables backup services, erases recently saved documents, and among other things, also leaves you vulnerable to other infected machines.

What Happens Tomorrow?

One of the scariest things about Conficker, including Conficker.c, is that its full potential isn't known. Come tomorrow, those infected might be prompted to buy fake sofware products, or it could start monitoring your keystrokes to lift sensitive information like banking passwords. Files could end up deleted, or it might transform your computer into a zombie PC while staying under the radar. Whatever it ends up doing, it won't be good, and you need to take proper precautions right now.

How to Tell if You're Already Infected

Once infected, Conficker seals up the hole it used to infiltrate your system preventing other malware from getting in. Because of this, it can be difficult for IT pros to tell which computers have been patched and which might have a fake Conficker patch. But according to the nonprofit Honeynet Project, Conficker.c's buggy code has made it somewhat easy to detect using a newly released proof-of-concept scanner.

"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

Other telltale signs that you might be infected with Conficker is if you haven't received any automatic updates from Windows in March, if you're unable to update your antivirus program, or if your security software is running abnormally slow as of late. You can also try accessing major AV sites, as Conficker will attempt to block these.

The Department of Homeland Security (DHS) has released a computer worm detection tool, along with a bevy of other information, which can be found here.

How Can I Avoid Infection?

Drain your savings account, buy a Mac, and hang out at Starbucks all day long. Or to appease the Linux crowd, ditch Windows and dive into Ubuntu. But you don't need to learn a brand new OS or invest in an overpriced computer to avoid Conficker.

One way to avoid Conficker is to disable AutoRun. Details on how to properly do so can be found here. And as with all security-related threats, safe computing habits apply. Avoid websites you're not familiar with, ensure that Windows is fully patched, invest in a security program and download the latest updates, and never download from an unknown or shady source.

**Holy S#*t, I'm Infected!**

We'll assume here you're talking about your PC (if not, stop scratching it and consult a doctor). There are a number of Conficker removal tools available, such as those found here, here, and here. If going this route, it's a good idea to download the tool(s) from a clean PC rather than your infected one. Note that Conficker also blocks tools with 'Conficker' in the name, so be prepared to rename the file(s) if necessary.

Another option is to create a bootable CD/DVD or USB thumb drive and outfit it with security programs. By doing so, you'll bypass Windows entirely and have a clean slate from which to work from. Just be sure to create bootable media from a clean PC. Also check your security vendor's website for information on creating a bootable rescue disk.

Finally, to err on the extreme side of caution, you can start fresh with a reinstallation of Windows. Whether or not you resort to this, it's a good idea to backup any important data -- work documents, family photos, groovy music -- right away.

Next page: April 1st update

April 1, 2009 Update

We won't fault anyone who, after reading our Conficker coverage, when and constructed an aluminum foil deflector beanie (see here for a great how-to), and you might even choose to still wear it. But we do encourage taking a collective sigh of relief with us. It's now April 1st, and Conficker.c doesn't look like its going to cause the kind of mass damage that made the worm famous. Or at least it hasn't happened yet.

According to early reports, Conficker.c has caused only a smatttering of security breaches across the globe, most of which have occured in Asia. It's believed that somewhere between 1 million and 2 million computers are actively infected with the worm, significantly less than the 9 million it claimed in January. And while Asia has been bearing the brunt of infections, the infection rate in North America sits at only 5.8 percent, according to IBM ISS Managed Security Services.

I Knew Nothing Much Would Happen!

We envy your 8-ball, and while it's entirely possible that nothing much more will happen, there's still a chance that Conficker.c could wreak more havoc before all is said and done. Some security experts believe it will take days before we truly know what Conficker.c is up to, noting that the worm has increased the number of DNS resolutions, expanding its list of domains and perhaps waiting for further instructions. And yet others are decidely less worried.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaing tools for Conficker-infected computers."

Sum it Up for Me

Put simply, Conficker.c has yet to do any widespread damage, and it might never cause any real harm. But it's also shown some activity, which could indicate more to come. Continue practicing safe computing, perhaps erring on the side of caution for the next few days, and it really shouldn't matter one way or the other.

The Best Prank Ever: Make All the Phones in Your Office Ring Simultaneously

Will Smith — Mon, 17 Mar 2008 12:49:52 -0500

Ladies and gentlemen! Boys and girls! Children of all ages! Have we got a killer prank for you, perfect to pull on your co-workers. And, with April 1 just around the corner, you need to have a fresh stock of tricks in your bag.

It’s going to cost you ten bucks, but the outcome and hilarity are worth every penny. The first thing you need to do is install Skype and create an account, if you don’t already have one. Then, you’ll need to load up the account with cash--$10 is the minimum you can buy, but the actual prank won’t cost you a cent, and you’ll have ten bucks worth of Skype credit to make cheap long distance calls with when you’re done. You need to buy the Skype credit well in advance of the designated pranking hour, sometimes Skype takes a few hours to credit your account.

The hard part is collecting the numbers and typing them in to Skype. After that, it's nothing but laughs!

Skype lets you run a conference call with up to 24 people simultaneously, but the trick is that they can be a mixture of Skype accounts and phone numbers. To setup your call, you need to do is start a conference by clicking on the conference button on the main Contacts tab, then type in the numbers of the people you want to call. For maximum LOLs, I recommend making every phone in your work area ring—desk, fax, and personal cell numbers, if you have everyone’s numbers. When you press the Start Call button at the bottom of the window, all the phones in your office will ring at once. Caller ID will show Unknown Caller or 000-000-0000, and when people pick up, they’ll hear each other talking, but no other callers. The effect in and of itself is quite eerie and hilarious, but we've got three variants on the next page if you want to take this one step further over the line.

The Rick Roll

Grab some popular sound clips from the web, and make a quickie sound board using the Emotion Sounds feature of the Pamela (www.pamela-systems.com) plugin for Skype. You’ll need to chop your sound bites into small WAV or MP3 files, then open Pamela and configure the Mega Emotion Sounds Player. You can open it up by starting Pamela, right-clicking on the Pamela icon in the system tray, and selecting Show emotion sounds player. Add your sound files by clicking on the plus sign in the top right of the window. With a little Googling, you should be able to track down soundboards that include the relevant clips from pretty much any popular movie. Hell, you could even simultaneously Rick Roll two dozen people by phone. Now that's ground breaking!

The "Phone Glitch"

Setup two conference calls on two different machines. With one, call everyone’s desk phones. Act surprised, but suggest that it may just be a glitch in the building's phone system. After the hubbub has started to die down, but before everyone else is back to work, hit the button to ring everyone’s cell phones. With a little acting on your part, you can have your co-workers calling for Mulder and Scully in a matter of minutes, but be sure to let them off the hook fairly quickly. This variant isn’t as much funny as it is terrifying. I’d only do this if I didn’t like my coworkers.

The Patsy

Our third variant requires a little more setup, but the potential for hilarity is high. You’ll need either an innocent patsy, or an accomplice who can keep his act together for the length of the call. What you need to do is call everyone in your office, plus the accomplice/pawn at the same time. If you use the pawn, we recommend against bothering actual real people or businesses, but instead calling some sort of funny automated hotline, or even just the central switchboard for your office. If you choose to go the accomplice route, have him ham it up with some personalized info, such as, “Hello, I’m calling from the public health department for Bob Jones. It’s regarding his rash. Please call us back at your earliest convenience at 415-555-1284.” Or something similar.

That’s it for this installment of The Best Prank Ever. We’ll be back later this week with more new and glorious pranks, perfect for your April Fools Day shenanigans. If you liked our Skype prank, let us know how it went by posting a comment below! And, if you really liked the story, we'd love it if you'd give us a Digg!

Maximum PC april fools RSS Feed