Archive for April, 2009

Computer911 4.4.09: "Conficker"

You've most likely heard it by now: there's a new worm infection preparing to destroy the world!


Well, if you listen to national media, you've undoubtedly heard of the Conficker worm. Thanks to over-hyped media coverage, Conficker has gained infamy in the press and within IT security circles. Unfortunately, all the hype has led to rumors, fear, and of course, misinformation. So before you start to panic, let's see if we can clear up the myths, half-truths, and outright lies surrounding the Conficker worm.


I'm going to attempt to explain it the best I can without speaking too much techno-babble.

The Conficker worm has been making headlines for several months, thanks in large part to the ingenuity that allows it to change both its attack method and how it operates once it has infiltrated a computer.

Conficker is a real worm. In fact, there are now three known variants of it.


Conficker.A's initial attack took advantage of a security flaw Microsoft had actually patched several months earlier; any system with the MS08-067 security update was immune to the initial round of infections. Believe it or not, it's been theorized that the worm initially latched on to a relatively small group of enterprise computers that hadn't been properly updated.


Conficker.B is a worm that propagates via removable drives, network shares, and by exploiting the same Windows Server service that the initial variant used (MS08-067). The worm disables security services, blocks access to security-related websites, and opens the affected system to outside attacks. It also attempts to prevent its removal by protecting itself from deletion or modification. Once it has gained access to a PC, Conficker.B copies itself to multiple directories on the host system. It also creates .tmp files in your system32 directory and deletes them as it finishes running its code. Jeff and I have seen it try to hide as a system driver, an installer, and even as a Windows Update service.


The B variant evolved into an infection that could be spread on thumb drives and other removable storage. It saves a hidden copy of itself on the thumb drive (or other media) along with an autorun file that is activated the moment the PC recognizes the device you plug in. Since most computers have the AutoRun option enabled (when you insert a CD/DVD and its program starts up by itself, AutoRun is the feature that allows it to do so), this was a phenomenally successful way to spread the infection. Also, most XP and Vista machines have default file shares turned on; Conficker.B uses this and spreads itself via Windows file sharing. If successful, the worm drops a copy of itself in the shared directory using a variable filename. It then tries to add a scheduled job to run this copy on the newly compromised system.


The worm attempts to block running applications from accessing websites related to computer security and stops your current antivirus from updating. It also deletes a registry entry, which deactivates your Windows Security Center notifications, so you won't have a clue that it has infected your system.


Conficker.B resets all system restore points and deletes all saved system restore points on the compromised system so that you cannot restore to a date preceding the infection.
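The paragraphs above list what the B variant does to a machine it lands on: disabled security services, a scheduled job that runs a dropped copy, a hidden autorun.inf on removable media, and blocked access to security websites. The following read-only triage script, an added example that is not part of the original post, checks a Windows PC for each of those symptoms from an elevated PowerShell 2.0 or later prompt and reports anything suspicious. The service names, the .dll/.tmp scheduled-task heuristic and the probe URL are my assumptions, not something the post specifies; replace the URL with your antivirus vendor's update site.

```powershell
# Added triage example, not code from the original post. It only reports; it changes nothing.
# Assumptions (mine): the service names below, the .dll/.tmp task heuristic, and the probe URL.

# Services the post says the worm disables. wscsvc = Security Center, wuauserv = Windows Update,
# BITS = the background download service that Windows Update and many antivirus updaters use.
$ServiceNames = @('wscsvc', 'wuauserv', 'BITS')

# A security-related site that should normally be reachable. Replace with your AV vendor's update site.
$ProbeUrl = 'http://update.microsoft.com/'

function Test-SecurityServices {
    foreach ($name in $ServiceNames) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            New-Object PSObject -Property @{ Check = "service $name"; Detail = 'not present'; Suspicious = $false }
            continue
        }
        # A security service that is stopped or set to Disabled matches what the post describes.
        $bad = ($svc.State -ne 'Running') -or ($svc.StartMode -eq 'Disabled')
        New-Object PSObject -Property @{ Check = "service $name"; Detail = "$($svc.State)/$($svc.StartMode)"; Suspicious = $bad }
    }
}

function Test-ScheduledTasks {
    # schtasks verbose CSV output has a 'TaskName' and a 'Task To Run' column; it repeats the
    # header row on some systems, so those rows are filtered out.
    $tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
    foreach ($t in $tasks) {
        $cmd = $t.'Task To Run'
        # Heuristic (mine): the post says the worm arrives as a DLL and leaves .tmp files behind,
        # so a scheduled task that runs a .dll or .tmp deserves a closer look.
        $bad = $cmd -match '\.(dll|tmp)\b'
        New-Object PSObject -Property @{ Check = "task $($t.TaskName)"; Detail = $cmd; Suspicious = $bad }
    }
}

function Test-RemovableMedia {
    # DriveType 2 = removable disk (thumb drives). The post says the worm drops a hidden copy
    # of itself plus an autorun.inf on such media; -Force makes Get-Item see hidden files.
    $drives = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'autorun.inf'
        $item = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        $found = ($null -ne $item)
        $detail = if ($found) { "autorun.inf present, attributes: $($item.Attributes)" } else { 'no autorun.inf' }
        New-Object PSObject -Property @{ Check = "removable $($d.DeviceID)"; Detail = $detail; Suspicious = $found }
    }
}

function Test-SecuritySiteAccess {
    # The post says the worm blocks access to security-related sites. A failure here is a flag,
    # but it can also be an ordinary network problem, so confirm against a second site.
    try {
        $null = (New-Object System.Net.WebClient).DownloadString($ProbeUrl)
        New-Object PSObject -Property @{ Check = "reach $ProbeUrl"; Detail = 'ok'; Suspicious = $false }
    } catch {
        New-Object PSObject -Property @{ Check = "reach $ProbeUrl"; Detail = $_.Exception.Message; Suspicious = $true }
    }
}

$results = @(Test-SecurityServices) + @(Test-ScheduledTasks) + @(Test-RemovableMedia) + @(Test-SecuritySiteAccess)
$results | Sort-Object Suspicious -Descending | Format-Table Suspicious, Check, Detail -AutoSize
```

A clean machine shows every row with Suspicious = False; a stopped Security Center, a task pointing at a .dll in an odd place, or an autorun.inf on a freshly inserted thumb drive floats to the top of the table. Since the script is read-only, it is safe to run on a machine you merely suspect.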


Both the "A" and "B" variants used a group of about 500 randomly named websites to update themselves. The worm periodically connects to these sites looking for updates or rewrites of its code, allowing it to adapt to new security measures meant to stop it.


About three weeks ago, a supergeek like myself was performing a system analysis and noticed that remnants of the B variant had added a new DLL file, presumably fetched from one of the previously mentioned websites. It's since been discovered that there is indeed a new variant, aptly named variant "C".


Variant C represents the third major revision of the Conficker malware family. Unlike versions "A" and "B", which were quite similar in structure, C distinguishes itself as a significant revision to the Conficker strain. On top of the layers of encryption that were used to protect A and B from reverse engineering, the latest version hides its newest code and instructions under a significantly upgraded layer of encryption in order to hinder the experts from analyzing it further.


Some industry experts estimate that as much as 85% of the source code was rewritten in the C variant. It's been further theorized that this was a response to the advances of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains and was making significant headway against the spread of the worm. C now selects its update sites from a pool of over 50,000 randomly generated domain name candidates each day. Remember that A and B only had 500 or so sites to update from.
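A machine that polls a daily pool of generated domain names, 500 for the A and B variants and 50,000 for C as described above, stands out in DNS logs: it asks for many distinct, random-looking names, most of which don't exist. The following script is an added example, not part of the original post or any vendor's tool. It parses a simple DNS query log, counts distinct failed (NXDOMAIN) lookups per client, scores how random the second-level labels look, and lists clients that exceed both thresholds. The log format, the sample lines, the thresholds and the scoring rule are all my assumptions; adapt the parser to whatever your DNS server actually writes.

```powershell
# Added DNS-log hunting example, not code from the original post.
# Assumptions (mine): a "time client query rcode" log format, the sample lines below,
# the thresholds, and Shannon entropy of the second-level label as the "randomness" score.

# Constructed sample log. 10.0.0.5 is a normal client with one typo; 10.0.0.7 has a couple of
# stale names; 10.0.0.9 behaves like a host cycling through generated update domains.
$SampleLog = @'
2009-04-01T10:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T10:00:03 10.0.0.5 www.exmaple.com NXDOMAIN
2009-04-01T10:00:04 10.0.0.7 old.example.org NXDOMAIN
2009-04-01T10:00:05 10.0.0.7 legacy.example.org NXDOMAIN
2009-04-01T10:00:06 10.0.0.9 hgqwlpzx.org NXDOMAIN
2009-04-01T10:00:07 10.0.0.9 vtrkqmbd.net NXDOMAIN
2009-04-01T10:00:08 10.0.0.9 zcfuwnrs.com NXDOMAIN
2009-04-01T10:00:09 10.0.0.9 pjxqtamg.info NXDOMAIN
2009-04-01T10:00:10 10.0.0.9 ykwbdhzn.biz NXDOMAIN
2009-04-01T10:00:11 10.0.0.9 lrmcqvxe.org NXDOMAIN
2009-04-01T10:00:12 10.0.0.9 www.example.com NOERROR
'@

function Get-LabelEntropy([string]$label) {
    # Shannon entropy in bits per character: a label built from distinct random letters scores
    # close to log2(length); dictionary words with repeated letters score lower.
    if ($label.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($ch in $label.ToCharArray()) { $counts[$ch] = 1 + $counts[$ch] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $label.Length
        $h -= $p * [Math]::Log($p, 2)
    }
    return $h
}

function Get-SuspiciousClients {
    param([string]$LogText, [int]$MinFailedLookups = 5, [double]$MinEntropy = 2.5)
    $perClient = @{}   # client -> hashtable of failed query name -> label entropy
    foreach ($line in ($LogText -split "`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 4) { continue }
        $time, $client, $query, $rcode = $f
        if ($rcode -ne 'NXDOMAIN') { continue }
        # Score the second-level label, e.g. "hgqwlpzx" from "hgqwlpzx.org".
        $parts = $query.TrimEnd('.') -split '\.'
        if ($parts.Count -lt 2) { continue }
        $label = $parts[$parts.Count - 2]
        if (-not $perClient.ContainsKey($client)) { $perClient[$client] = @{} }
        $perClient[$client][$query] = Get-LabelEntropy $label
    }
    foreach ($client in $perClient.Keys) {
        $names = $perClient[$client]
        $meanH = ($names.Values | Measure-Object -Average).Average
        # Both conditions must hold: many distinct failed lookups AND random-looking labels.
        if ($names.Count -ge $MinFailedLookups -and $meanH -ge $MinEntropy) {
            New-Object PSObject -Property @{
                Client        = $client
                FailedLookups = $names.Count
                MeanEntropy   = [Math]::Round($meanH, 2)
            }
        }
    }
}

# With the sample log only 10.0.0.9 is reported (6 failed lookups, mean entropy 3.0).
Get-SuspiciousClients -LogText $SampleLog | Format-Table Client, FailedLookups, MeanEntropy -AutoSize
```

To run it against a real log, pass the file's contents, for example `Get-SuspiciousClients -LogText (Get-Content .\dns.log | Out-String)`, after adjusting the field parsing to your server's format. Raise `MinFailedLookups` on busy networks; a client that trips this rule is a candidate for the host-level triage, not proof of infection, since misconfigured software can also generate failed lookups.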


Alright, by now, you’re probably wondering why someone would put all of this effort into writing a virus or worm. Of course I can’t speak for the authors, but I’d guess that these guys have some pretty big plans.


At its core, the main purpose of Conficker is to provide the authors with a secure and highly efficient way of taking instant control of the processing power and Internet connections of millions of PCs worldwide. Thankfully, that brings me to the point of this article. On April 1st 2009, it is rumored that the Conficker C variant will do something.


But what? Who knows. It most likely won’t harm your computer. But, it’s far from guaranteed.


Maybe this particular worm is getting so much press and hype because of its clear potential to do harm. Among the long history of malware infections, not many can claim that they sustained a worldwide infiltration that infected millions of computers. That's scary enough in its own right. Maybe the authors will run a highly profitable Internet fraud scheme on a worldwide scale, or maybe the creators will harness all that available computer power and utilize it as a very destructive weapon. Imagine what could happen if millions of computers were instructed to attack a server at a government installation. Why stop there? With that much power the authors could disrupt the fabric of the Internet itself.


So what can you do to protect your PC?


First things first: you need to make sure you have the MS08-067 patch from Microsoft. So click here to access the web page for downloading the patch.


It would be a good idea to then run Windows Update and install all critical and recommended updates. In the future, because this will surely not be the last time we'll see these types of worms, make sure that Windows Update is set to automatically download updates as they are issued (we'll cover that next week).


Next, you need to disable the AutoRun feature. There are two separate sets of steps to take depending on which operating system you are using.

Windows XP, 2000, 2003:

Click START then RUN

Type GPEDIT.MSC into the OPEN box and click OK

Under Computer Configuration, click Administrative Templates, and then System

Right click on Turn off Autoplay (Disable Autoplay on Win 2000) and select Properties

Click Enabled, and then in the drop down select All Drives. Click OK and close the GP Editor

Reboot

Windows Vista:

Click START, type GPEDIT.MSC in the search box and press Enter

Note: You might need to enter your administrator password at this point

Under Computer Configuration, expand both Administrative Templates and Windows Components, and then click Autoplay Policies

Double click Turn off Autoplay

Reboot

Finally, the single biggest protection against a Conficker infection is a solid, strong password. Using a password that's easy to guess, that appears in a dictionary of any language, or that is shorter than eight characters is not recommended.
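The checklist above (install MS08-067, turn off AutoRun for all drives, require a strong password) can also be applied and verified from an elevated PowerShell 2.0 or later prompt. The script below is an added example, not code from the original post or from Microsoft. It assumes two things the post does not state: that KB958644 is the hotfix ID the MS08-067 update installs, and that the "Turn off Autoplay, All drives" group-policy setting from the steps above writes the NoDriveTypeAutoRun value 0xFF under the Explorer policies key. The minimum password length is enforced with the stock net accounts command.

```powershell
# Added hardening example, not code from the original post or from Microsoft.
# Assumptions (mine): KB958644 is the MS08-067 hotfix ID; NoDriveTypeAutoRun = 0xFF is the
# registry equivalent of the "Turn off Autoplay / All drives" group-policy setting.

function Test-Ms08067Installed {
    # Get-HotFix lists installed updates by KB number. On Windows versions newer than the ones
    # this post covers the fix is built in and this check simply reports False.
    $hf = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

function Disable-AutoRunAllDrives {
    # 0xFF turns AutoRun off for every drive type (removable, fixed, network, CD/DVD, RAM disk).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # Read the value back so the report reflects what is actually in the registry.
    return ((Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun -eq 0xFF)
}

function Set-MinimumPasswordLength([int]$Length = 8) {
    # net accounts sets the local account policy; the post's advice is at least eight characters.
    net accounts "/minpwlen:$Length" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$report = @(
    New-Object PSObject -Property @{ Step = 'MS08-067 (KB958644) installed';     Ok = (Test-Ms08067Installed) }
    New-Object PSObject -Property @{ Step = 'AutoRun disabled for all drives';   Ok = (Disable-AutoRunAllDrives) }
    New-Object PSObject -Property @{ Step = 'Minimum password length set to 8';  Ok = (Set-MinimumPasswordLength 8) }
)
$report | Format-Table Step, Ok -AutoSize
Write-Host 'Reboot for the AutoRun change to take full effect.'
```

The first row only reports; if it shows False on an XP, 2000, 2003 or Vista machine, install the MS08-067 update from Microsoft before anything else, since the other two steps only close the thumb-drive and file-share routes the post describes. A reboot is still needed for the AutoRun change, exactly as in the manual steps.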

That’s about it. Thanks for visiting the site. Remember that you can hear us on WFXD 103.3 from almost all corners of the Upper Peninsula every Saturday at 11AM EST.
