Monday, March 30, 2009

The Eight Things You Need to Know about 'Conficker'

03.30.09

From pcmag.com

by Larry Seltzer

On Wednesday, April 1, the latest variant of the Conficker worm (also known as Downadup and Kido) will download new instructions. The sophistication of this worm and its botnet have many concerned, although how much of that concern is justified is a matter of debate.

If you're concerned, then here are the eight most important things to know about Conficker, updated on Monday morning:

1. Researchers have discovered what they're calling a signature for Conficker, and developed a scanner based upon the technology.

2. The overwhelming majority of systems infected with Conficker were infected through a vulnerability in the Windows RPC facilities. This vulnerability was patched in October. If you installed that patch before Conficker came out (late December '08) then you were protected and still are. If you haven't installed the update then it's essential that you do so. Windows Vista is technically vulnerable in this way, but the exploit is almost impossible to execute on it. Conficker is basically an XP problem.

3. Conficker can also spread through network shares, including those that have weak passwords; the worm executes a "dictionary attack" in which a list of common passwords (think "password", "asdf", etc.) is tried in turn to gain access to the share. So if you find new executables on such drives they may be infected. Treat them as you would a program that arrived in an unsolicited e-mail, and we hope that means you'll avoid it and report it to a network admin if you have one. A good anti-malware program will detect it at this stage.

4. It follows from this advice that you are also better off using complex, non-obvious passwords, especially ones that mix numerals and letters, and better still if they include punctuation.

5. Conficker can also spread by putting itself on removable drives like USB drives. When it does so it sets the Autorun on those drives to run itself. So if you insert such a drive you could, at the least, get a standard Windows Autoplay menu offering Conficker among its options. Sometimes it will disguise itself as the Windows option for opening Windows Explorer for the inserted drive. Once again, a good anti-malware program will detect it at this stage.

6. Anti-malware software isn't perfect but it has a very high rate of success. Conficker is about as high-profile as malware gets; all the anti-malware companies have samples of it and understand it well, so if you have anti-virus software and keep it up to date it's hard for you to get attacked.

7. Conficker can interfere with the ability of Windows and anti-malware programs to update themselves. Ensure that they are doing so by checking the last update date/time of your anti-malware software and by checking Windows Update manually. Leave no critical updates uninstalled.

8. Free Conficker/Downadup Cleaning Tools:
McAfee Stinger
ESet EConfickerRemover
Symantec W32.Downadup Removal Tool
F-Secure F-Downadup, FSMRT, more tools
BitDefender single PC and network removal tools
Kaspersky KKiller
Trend Micro

If you use one of these tools to remove Conficker, immediately install the MS08-067 patch afterwards.
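As an added illustration of point 5 above (this is not code from the original article or from any of the vendors listed), here is a small Python checker that parses an autorun.inf from a removable drive and flags the tell-tale disguise: an open/shellexecute command that runs native code while the menu label and icon imitate the genuine Explorer "open folder" choice. The sample file is constructed and the payload path is a placeholder.

```python
import re

# Keys whose value Windows executes when AutoPlay honours the drive's autorun.inf
EXEC_KEYS = ("open", "shellexecute")
# Wording of the genuine Explorer choice in the AutoPlay menu; a payload reusing
# it is trying to pass as that option (point 5 of the article)
EXPLORER_LABEL = re.compile(r"open\s+folder", re.IGNORECASE)
# shell32.dll icon index 4 is Windows' standard folder icon
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.IGNORECASE)
# Hints that the command launches native code rather than opening a document
CODE_HINT = re.compile(r"rundll32|\.exe\b|\.dll\b|\.cmd\b|\.bat\b", re.IGNORECASE)

def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}; lines without
    '=' (e.g. junk padding meant to trip naive parsers) are skipped, not fatal."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Return a list of findings; an empty list means nothing looked off."""
    e = parse_autorun(text)
    findings = []
    for key in EXEC_KEYS:
        if key in e:
            findings.append(f"{key}= executes on insertion: {e[key]}")
            if CODE_HINT.search(e[key]):
                findings.append(f"{key}= launches native code, not a document")
    runs_code = any(k in e for k in EXEC_KEYS)
    if runs_code and EXPLORER_LABEL.search(e.get("action", "")):
        findings.append("action= mimics the Explorer 'open folder' label while running code")
    if runs_code and FOLDER_ICON.search(e.get("icon", "")):
        findings.append("icon= borrows the standard folder icon to look like a folder")
    return findings
# Constructed sample showing the disguise pattern; the payload path is a placeholder
SAMPLE = """[autorun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RUNDLL32.EXE .\\RECYCLER\\placeholder_payload.dll,Install
padding line with no separator that a tolerant parser must simply skip
"""
```

Running `assess_autorun(SAMPLE)` yields four findings; a plain autorun.inf that only sets an icon and label yields none.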