Much has been written about the Conficker worm, also called "Downadup," in recent days. eWEEK has pulled together some general advice for protecting your systems from infection and remediating them should the worm slither by your defenses.
With infections from the Conficker worm still spreading, the good
news is that there are ways to guard against it and clean your machine
if you are infected.
The saga that is the Conficker worm began in earnest in November,
when Microsoft reported a variant of the worm targeted a flaw in the
Windows Server service the company patched in October
. Since then, the worm has gone on to infect millions of machines.
The most prolific variant, identified by Microsoft as
Win32/Conficker.B, spreads not only through the Windows flaw but also
via network shares by logging into machines that use weak
passwords. It also spreads by copying itself to removable media, an attack vector
that has gained steam in the past year.
So what should users do to protect themselves? There are some answers. First is the obvious - apply the Microsoft patch
ensure your antivirus protection is up-to-date. There are also a number
of workarounds for those who for whatever reason are not able to deploy
the patch. For example, users can disable the Server and Computer
Browsing services and block TCP ports 139 and 445 at the firewall.
In addition, all the major security vendors are able to detect Conficker and remove it.
Beyond the obvious, however, there are several things users can do.
First is disabling Windows' AutoRun functionality. AutoRun is a feature
that allows code to run automatically when USB devices are connected to
a computer. It has also increasingly been abused by malware authors to
propagate their wares.
To disable the feature, users have to import the following registry value:
Detailed instructions on how to turn off the AutoRun feature can be found here
As indicated above, Conficker also spreads by copying itself to the
ADMIN$ share of the target machine. According to Microsoft, it firsts
tries to use the credentials of the user currently logged on, which
will work well in environments where the same user account is used for
different computers on the network with full administrative rights. If
that fails, the worm uses a list of user accounts on the target machine
and tries to connect using each user name and a list of weak passwords.
This can be solved by using strong passwords for any user account or file share on the network.
Still, all this leaves the question of what users should clean their
machines if they get infected. Conficker takes the additional step of
attempting to terminate any process with a name that indicates it is an
antivirus program and blocks access to many security vendors' Web sites
as well as Windows update. A list of names the worm recognizes is available here
There are still tools that can be downloaded to remove the malware, however, such as Panda Security's Active Scan site
, which the company says infected machines can still get to.
If you know you are infected and are comfortable doing this, you can
also manually remove the malware. Instructions on how to do that can be found here
Meanwhile, security experts are still speculating what the end-game
is for the hackers behind the worm. Some have speculated that they may
plan to build a massive botnet; others aren't so sure.
"We think this is a wide-scale distraction to hide data breaches,"
said Ryan Sherstobitoff, chief corporate evangelist for Panda Security.
"It does not appear in the variants of Conficker that they are building
a botnet, but that wouldn't surprise us, either. This is an attack we
have not seen in some time and is certainly a warning sign for
something more to come."