While much attention has been paid to April 1 by those interested in the Conficker worm, the fact is that taking some precautions can keep Conficker out of your enterprise altogether. Security researchers have made available a plethora of information about how to detect and remove the worm, as everyone waits to see what will happen next.
As the Conficker worm continues to dominate headlines, users should keep some
things in mind.
Despite the talk of a doomsday, there are a number of Conficker mitigations
and tools to help home users and enterprises fight Conficker. The major
security vendors have all made detection and removal tools available, and
recent research has improved detection even further. There is also no
shortage of advice
on how to mitigate and remove the worm should your
organization's PCs be infected. This paper from McAfee,
for example, discusses how to manually detect
(PDF) and fight the worm.
It should also be remembered that the Microsoft
vulnerability Conficker exploits has been legitimately patched,
the worm also spreads via network shares by logging on to machines with weak
passwords, following security best practices in regards to password strength
mitigates the threat. The worm also spreads through removable media, but again,
sound security policy such as disabling AutoRun
can address that as well.
With all this in mind, however, users should be wary of scammers abusing
search engine results to lure victims to sites with supposed Conficker removal
"If you need malware removal tools, type the URL of your vendor of
choice directly into the browser bar and use links on their Website,"
blogged Rik Ferguson, solutions architect for Trend Micro.
"Do not rely on
Google search results at this time, as they may have been 'optimized' [by
Despite all the measures taken against it, the worm has infected
millions of PCs, although those infections are not distributed
evenly around the globe. According to IBM
Internet Security Systems' X-Force team, the largest percentage of
Conficker-infected PCs-about 44.6 percent-is located in Asia.
The next highest is in Europe, which plays host to 31
percent of Conficker-infected PCs. Roughly 6 percent are located in North
"[Conficker] really challenges the comprehensive network management
practices of an organization," said Tom Cross, manager of X-Force
research. "Extremely well-managed networks have not been affected, but if
your IT security is deficient in any one of several different domains-inventory
management, windows update, intrusion prevention, anti-virus, managed file
sharing, strong password policies-you are likely to have problems with
Cross added, "We are seeing a large number of infections in regions
that have seen significant new infrastructure development in the past few years
but may not have IT management practices which are as mature, across the board,
as they are in the West."
For all the publicity, it remains unknown what will actually happen April 1
beyond the fact that the worm will be contacting some of the 50,000 domain
names it will generate. In fact, some security vendors don't expect any
dramatic explosion of Conficker when April 1 arrives. But that doesn't mean
enterprises should ignore the threat.
"It may update itself on this date or later but ... it will happen in the
near term because time is the author's enemy," said Alfred Huger, vice
president of development for Symantec
Security Response. "The longer the
threat is resident the more likely it will be removed. In this instance the
author is highly [motivated] to move quickly. The near term though could be any
time in the next month or two."