April 1st Virus Attack
I wrote a short piece for my company's newsletter about the Conficker virus, which is scheduled to go active 4/1/09:
Security researchers don't know the exact purpose of the Conficker worm. So far the worm has built an infrastructure that its operators can use to push additional software to infected machines on demand. Most likely it will be used to assemble a botnet that is rented out to criminals who want to send spam, steal identities, and redirect users to online scams and phishing sites.
Conficker spreads mostly across networks, exploiting the Windows Server service vulnerability that Microsoft patched in bulletin MS08-067 (linked below). Once it lands on a vulnerable computer it disables Windows Automatic Updates and related services; deletes existing System Restore points; shuts down a number of security services; blocks access to many security vendors' web sites; and opens the machine to receive further programs from the worm's operators. It then attempts to spread to other computers on the same network.
Several variants have spread widely around the globe since late 2008, reportedly concentrated outside the United States, where a larger share of machines run unpatched or pirated copies of Windows. (The worm does not infect Macintosh or Linux computers.)
Conficker can be detected and removed with commercial antivirus tools from many vendors. However, the most recent variant is significantly better at disabling antivirus software and at turning off Microsoft's security update service. It also blocks the connections security products use to fetch signature updates, and it opens listening ports through home routers and firewalls (via UPnP) to improve communication with other infected machines. In practice this means an already-infected host may be unable to update or clean itself, and must be patched and scanned from known-good media or from a clean management host.
Be sure that all systems (workstations, laptops, servers, perimeter devices) have the MS08-067 patch installed and are scanned with the latest signatures. Patching closes the door the worm uses to get in; it does not remove an infection that is already present.
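One quick, low-tech indicator follows from the blocking behaviour described above: on an infected host the worm's resolver hook makes lookups for security-vendor names fail while other names resolve normally. The script below is an added example for this post, not something from the newsletter, Symantec, McAfee or Microsoft. It probes a handful of vendor hostnames against a couple of control hostnames and flags the "controls resolve, vendors don't" pattern. The vendor list and the blocked substrings are assumptions (the real blocklist differs between variants), and the simulated resolvers at the bottom are constructed so the logic can be exercised without network access.

```python
"""Check for Conficker-style DNS blocking of security-vendor hostnames.

Added example for this post, not code from the original article or from any
vendor named in it.  The worm hooks the Windows DNS resolver so that names
containing certain vendor substrings fail to resolve while everything else
works.  We resolve a set of vendor names and a set of control names and
classify the host from the pattern of successes and failures.
"""
import socket
from typing import Callable, Dict, Iterable

# Assumption: representative hostnames the worm is known to block by substring
# match.  The exact blocklist varies by variant; this list is not exhaustive.
VENDOR_HOSTS = [
    "www.symantec.com",
    "www.mcafee.com",
    "www.sophos.com",
    "www.kaspersky.com",
    "update.microsoft.com",
]

# Control hostnames containing none of the blocked substrings.  If these fail
# too, the problem is the network, not the worm.
CONTROL_HOSTS = [
    "www.google.com",
    "www.wikipedia.org",
]

Resolver = Callable[[str], bool]


def system_resolve(host: str) -> bool:
    """Return True if the operating system's resolver returns an address."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def probe(hosts: Iterable[str], resolve: Resolver) -> Dict[str, bool]:
    """Resolve each host and record whether the lookup succeeded."""
    return {host: resolve(host) for host in hosts}


def assess(vendor: Dict[str, bool], control: Dict[str, bool]) -> str:
    """Classify the host from the two probe results.

    'no-network'  nothing resolves; says nothing about the worm
    'suspicious'  controls resolve but every vendor name fails, which is
                  the pattern the worm's resolver hook produces
    'partial'     some vendor names fail; investigate (web filtering, or a
                  variant with a different blocklist)
    'clean'       everything resolves
    """
    if not any(control.values()):
        return "no-network"
    failures = [h for h, ok in vendor.items() if not ok]
    if len(failures) == len(vendor):
        return "suspicious"
    if failures:
        return "partial"
    return "clean"


def run_check(resolve: Resolver = system_resolve) -> str:
    """Probe vendor and control names with `resolve` and return the verdict."""
    return assess(probe(VENDOR_HOSTS, resolve), probe(CONTROL_HOSTS, resolve))


# Constructed resolvers that imitate an infected, a healthy and an offline
# host, so the classification can be exercised without touching the network.
BLOCKED_SUBSTRINGS = ("symantec", "mcafee", "sophos", "kaspersky", "microsoft")


def infected_resolve(host: str) -> bool:
    """Mimic the worm's hook: fail any name containing a blocked substring."""
    return not any(s in host for s in BLOCKED_SUBSTRINGS)


def healthy_resolve(host: str) -> bool:
    return True


def offline_resolve(host: str) -> bool:
    return False


if __name__ == "__main__":
    print("this host:", run_check())
    print("simulated infected host:", run_check(infected_resolve))
```

Treat a "suspicious" result as a reason to pull the machine off the network and scan it from clean media, not as proof of infection: a corporate web filter or a broken internal DNS forwarder can produce the same pattern. A "clean" result does not rule the worm out either, since a variant with a different blocklist would pass this check.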
Links:
A good backgrounder on Conficker (aka Downadup) from Symantec: http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm
Continuing updates on Conficker from the SANS Internet Storm Center: http://isc.sans.org/diary.html?storyid=6043&rss
Check Point SmartDefense Services offers a mitigating protection (a network-level signature for the MS08-067 exploit traffic) for the interval before you can patch: http://www.checkpoint.com/defense/advisories/public/announcement/012209-downadup-confiker-worm.html
More technical information from McAfee: http://vil.nai.com/vil/content/v_153464.htm. McAfee's AVERT Stinger tool runs a quick stand-alone scan for Conficker: http://vil.nai.com/vil/conficker_stinger/Stinger_Coficker.exe
MS Security bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Also, Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of the worm's authors: http://blogs.msdn.com/wael/archive/2009/02/14/conficker.aspx