
Friday, January 23, 2009

Keep the latest Conficker worm infestation off your PC

By mid-November 2008, the Microsoft Malware Protection Center (MMPC) said in a blog posting that it had collected "over 50 distinct exploits of this vulnerability." However, MMPC said the instances were very limited. Then Conficker.A hit the fan. (McAfee and Microsoft call the worm "Conficker," Sophos uses the name "Confick," and Symantec and F-Secure call it "Downadup"; but it's the same virus.) By Nov. 25, MMPC was raising the alarm on its blog in an attempt to get individuals and — especially — organizations to install the MS08-067 patch, which stops Conficker.A dead in its tracks.

At this point, the Conficker furor should've died down and the worm been relegated to the history books. Two inexorable forces, however, combined in early January 2009 to give the worm new life: system admins who weren't applying key patches and a ferociously fecund variant called Conficker.B.

Conficker.A arrived as a Trojan: in order to infect a PC, somebody had to run an infected program on the machine. It could also try to hit your machine directly, but any sort of firewall would thwart that attack. If the infected system was attached to a network, Conficker.A used the hole (that MS08-067 closes) to spread to other computers on the network. This modus operandi is kinda boring but moderately effective.

Conficker.B uses the Conficker.A approach, plus a whole lot more — as a "blended threat," it's an equal-opportunity infecter.

# Conficker.B uses the old Conficker.A approach: simple Trojans that arrive via e-mail or by downloading an infected program.

# Once a PC on a network is infected, Conficker.B reaches across the network to see whether any of its PCs have not yet patched the MS08-067 hole. After infecting these unprotected PCs, Conficker plugs the MS08-067 hole, presumably so other, similar worms can't get in.

# If Conficker.B finds that it can't get into a computer via the MS08-067 hole, it tries to break in by using the standard Windows admin account, entering each of 248 common passwords. This weak password list (which you'll find under the Analysis tab) includes such all-time favorites as admin, mypass, test, foo, 1111, and many others you may have seen before.

# Once Conficker.B gains entry to a networked machine, it drops a copy of itself onto the target's hard drive and creates a scheduled job that runs the infected file. Conficker.B also loads itself onto all accessible shared folders. Ho-hum.

# Finally, Conficker.B scans and infects all removable devices on the system, including USB drives and external hard drives.

Once a system is infected, Conficker takes a variety of actions, including exploiting several routes that have nothing to do with the Server service. It disables common anti-malware programs and uses DNS modifications to prevent local end-users from surfing to anti-malware-related Web sites (which might be one of the first clues that you're infected). It spreads to mapped file shares and any removable drives it finds. Once there, it creates a subdirectory folder called Recycler (emulating the Recycle Bin) and places an Autorun.inf file, which AutoPlay may launch as soon as the drive is opened.

It attempts to connect to remote admin drive mappings using hundreds of common, weak passwords, including multiple versions of numbers and letters. If you find an infection on your network, you probably want to check out the list and see if any of your passwords are located there. Using either exploit vector, Conficker is able to infect computers that are fully patched after first exploiting one unpatched network computer. Conficker isn't the first worm to do any of these things, but the most popular worms rarely do anything new.

Guide to cleaning and preventing Conficker
# Step 1: Check your passwords. If you have an administrator account with an easily guessed password, change it. Microsoft provides a guide to strong passwords that includes a link to the company's online password checker. If somebody other than you controls your computer's admin password, make sure that person understands the gravity of this situation.

# Step 2: Make sure you've installed the patch described in MS08-067. Open Control Panel's Add or Remove Programs list to ensure that KB 958644 has been installed. Click Start (plus Run in XP), type appwiz.cpl, and press Enter. In XP, make sure Show updates at the top of the window is checked. In Vista, click View installed updates on the left to see all of your PC's patches.

The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644) [Download Conficker Worm Patch WindowsXP-KB958644-x86-ENU]. If this patch isn't installed, browse to Microsoft's Download Center to retrieve and install it. If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

# Step 3: Run Microsoft's Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I've heard about. The easiest way to get MSRT is through Windows Update, but if you can't get through to that service on the infected PC, borrow a computer and download the tool from Microsoft's site.

# Step 4: Disable AutoPlay. If Figure 2 doesn't convince you of the risk of using Windows' AutoPlay feature, nothing will. Simply stated, you don't need AutoPlay that much. Follow the comprehensive instructions in the post Disabling Auto-Run in Windows to disable AutoPlay.
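The checks in Steps 2 and 4, plus the Recycler\Autorun.inf indicator described earlier, can be scripted so you don't have to click through Control Panel on every box. The script below is an added example, not part of the original post; it assumes PowerShell 2.0 or later running as an administrator, that KB958644 shows up in the installed-hotfix list (true for updates installed through Windows Update), and that the NoDriveTypeAutoRun policy value of 255 (0xFF) is what "AutoPlay disabled" means on your build.

```powershell
# Conficker exposure audit (added example, not from the original post).
# Assumes: PowerShell 2.0+, run as administrator on the Windows box being checked.
function Test-ConfickerExposure {
    $findings = @()

    # 1. MS08-067 patch: KB958644 is the update the post tells you to look for.
    #    Assumption: the update is visible to Get-HotFix (Win32_QuickFixEngineering).
    $patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    if (-not $patch) {
        $findings += 'KB958644 (MS08-067) not installed: the worm can reach this host over the network.'
    }

    # 2. AutoRun policy: NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -ne 255) {
        $findings += "AutoRun not fully disabled (NoDriveTypeAutoRun = '$val'): an autorun.inf on a USB stick can still launch."
    }

    # 3. Indicator from the post: an autorun.inf placed next to a fake "Recycler" folder on a
    #    removable drive. DriveType 2 = removable media in Win32_LogicalDisk.
    $removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($d in $removable) {
        $root = $d.DeviceID + '\'
        $infs = Get-ChildItem -Path $root -Filter 'autorun.inf' -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($inf in $infs) {
            $suspicious = ($inf.DirectoryName -eq $d.DeviceID) -or ($inf.DirectoryName -match 'Recycler')
            if ($suspicious) {
                $findings += "Review $($inf.FullName): autorun.inf at drive root or under a Recycler folder on removable media."
            }
        }
        if (Test-Path -Path (Join-Path $root 'Recycler')) {
            $findings += "Removable drive $($d.DeviceID) has a Recycler folder; check it before using AutoPlay anywhere."
        }
    }
    return $findings
}

$result = Test-ConfickerExposure
if ($result.Count -eq 0) { 'No Conficker exposure found by these checks.' }
else { $result | ForEach-Object { "WARNING: $_" } }
```

A clean result here does not replace Step 3: run MSRT regardless, since the script only checks exposure and the on-disk indicator, not whether the worm is already resident.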

Related Articles:
AutoPatcher Comeback
Disabling Auto-Run in Windows
Run a Conficker removal tool before April 1



Get USA Made said...

UGGHH ~ why do so many people take pleasure in creating grief for others? Did their mothers not hug them enough?
