As the Conficker worm continues to dominate headlines, users should keep some things in mind.
Despite the talk of a doomsday, there are a number of Conficker mitigations and tools to help home users and enterprises fight Conficker. The major security vendors have all made detection and removal tools available, and recent research has improved detection even further. There is also no shortage of advice on how to mitigate and remove the worm should your organization’s PCs be infected. This paper from McAfee, for example, discusses how to manually detect (PDF) and fight the worm.
It should also be remembered that the Microsoft vulnerability Conficker exploits has been legitimately patched, and while the worm also spreads via network shares by logging on to machines with weak passwords, following security best practices in regards to password strength mitigates the threat. The worm also spreads through removable media, but again, sound security policy such as disabling AutoRun can address that as well.
With all this in mind, however, users should be wary of scammers abusing search engine results to lure victims to sites with supposed Conficker removal tools.
“If you need malware removal tools, type the URL of your vendor of choice directly into the browser bar and use links on their Website,” blogged Rik Ferguson, solutions architect for Trend Micro. “Do not rely on Google search results at this time, as they may have been ‘optimized’ [by attackers].”
Despite all the measures taken against it, the worm has infected millions of PCs, although those infections are not distributed evenly around the globe. According to IBM Internet Security Systems’ X-Force team, the largest percentage of Conficker-infected PCs-about 44.6 percent-is located in Asia. The next highest is in Europe, which plays host to 31 percent of Conficker-infected PCs. Roughly 6 percent are located in North America.
“[Conficker] really challenges the comprehensive network management practices of an organization,” said Tom Cross, manager of X-Force research. “Extremely well-managed networks have not been affected, but if your IT security is deficient in any one of several different domains-inventory management, windows update, intrusion prevention, anti-virus, managed file sharing, strong password policies-you are likely to have problems with Conficker. “
Cross added, “We are seeing a large number of infections in regions that have seen significant new infrastructure development in the past few years but may not have IT management practices which are as mature, across the board, as they are in the West.”
For all the publicity, it remains unknown what will actually happen April 1 beyond the fact that the worm will be contacting some of the 50,000 domain names it will generate. In fact, some security vendors don’t expect any dramatic explosion of Conficker when April 1 arrives. But that doesn’t mean enterprises should ignore the threat.
“It may update itself on this date or later but … it will happen in the near term because time is the author’s enemy,” said Alfred Huger, vice president of development for Symantec Security Response. “The longer the threat is resident the more likely it will be removed. In this instance the author is highly [motivated] to move quickly. The near term though could be any time in the next month or two.”