The RDV Group InfoSec Blog

Tuesday, March 31, 2009

April 1st Virus Attack

I wrote a short piece for my company's newsletter about the Conficker virus, which is scheduled to go active 4/1/09:

Conficker

On April 1, the Conficker worm (aka Downadup) will expand its infection of Windows systems. Although exactly what payload this worm will execute is not known, it’s expected that, at the least, it will start taking more steps to protect itself. After 4/1, machines infected with the “C” variant of the worm may not be able to get security updates or patches from Microsoft and from many other vendors. The creators of the worm will also start using a communications system that is more difficult for security researchers to interrupt.

Security researchers don’t know the exact purpose of the Conficker worm. Today the worm has created an infrastructure that the creators of the worm can use to remotely install software on infected machines. Most likely, the worm will be used to create a botnet that will be rented out to criminals who want to send spam, steal identities, and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service; deletes previous restore points; disables many security services; blocks access to a number of security web sites; and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.

Be sure that all systems (workstations, laptops, servers, perimeter devices) are patched and scanned with the latest signatures.
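As an added host-triage example (my own script, not from any vendor or from the original newsletter piece), the PowerShell below checks a Windows machine for the symptoms described above: the missing MS08-067 patch, the services the worm disables, and blocked name resolution for security-vendor sites. It assumes MS08-067 is installed as hotfix KB958644, uses the service names Microsoft documented Conficker disabling, and uses three illustrative vendor hostnames plus www.example.com as an assumed-unblocked control name; adjust the lists for your environment.

```powershell
# Added triage example: report Conficker symptoms on the local host.
# Assumptions: MS08-067 ships as KB958644; the service list follows Microsoft's
# Conficker description; the hostnames are illustrative. Run from an elevated prompt.
$findings = @()

# 1. Is the MS08-067 patch present? Without it the worm can spread to this host over the network.
if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
    $findings += 'MS08-067 (KB958644) is not installed.'
}

# 2. Services the worm disables: Automatic Updates, BITS, Defender, Security Center, Error Reporting.
#    Not every name exists on every Windows version, so missing services are skipped.
$watched = 'wuauserv', 'BITS', 'WinDefend', 'wscsvc', 'ERSvc', 'WerSvc'
foreach ($name in $watched) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $findings += "Service $name is set to Disabled."
    }
}

# 3. Can the host still resolve security-vendor names? The worm blocks lookups for names
#    containing vendor strings, so vendors failing while a control name resolves is telling.
function Test-NameResolves([string]$HostName) {
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); $true } catch { $false }
}
$control = 'www.example.com'   # assumed unblocked control name
$vendors = 'www.symantec.com', 'www.mcafee.com', 'update.microsoft.com'
if (Test-NameResolves $control) {
    foreach ($v in $vendors) {
        if (-not (Test-NameResolves $v)) {
            $findings += "DNS lookup of $v fails while $control resolves."
        }
    }
} else {
    $findings += "Control name $control does not resolve; DNS check is inconclusive (no network?)."
}

if ($findings.Count -eq 0) {
    'No Conficker symptoms found; still run a full scan with current signatures.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A clean result here is not proof of a clean machine; it only rules out the specific symptoms the piece describes, so the antivirus scan is still required.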

Links:

A good backgrounder on Conficker (aka Downadup) from Symantec: http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm

Continual updates on Conficker via SANS: http://isc.sans.org/diary.html?storyid=6043&rss

Check Point SmartDefense Services offers a mitigating protection against this for when you don’t have time to patch: http://www.checkpoint.com/defense/advisories/public/announcement/012209-downadup-confiker-worm.html

More technical info from McAfee, http://vil.nai.com/vil/content/v_153464.htm, and McAfee’s latest AVERT Stinger app runs a quick scan: http://vil.nai.com/vil/conficker_stinger/Stinger_Coficker.exe

MS Security bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Also, a $250K reward offered by MS for arrest and conviction of the virus authors: http://blogs.msdn.com/wael/archive/2009/02/14/conficker.aspx