The worms are coming. Are you Ready?


April 1.  The day of jokes, pranks, and playing around with your friends, family, and coworkers.  This April Fools' Day promises to take the idea to a new level, thanks to the Conficker (also known as Downup or Downadup) worm.  Worms and viruses in the past have also been set to unleash their payloads on specific dates.

Michelangelo was set to fire on March 6 (Michelangelo's birthday).  But it was an easy one to trick: simply change the date on your computer to March 7 and it didn't fire.  Of course, this was in the days of DOS and the early days of the Internet.

More recently, the MyDoom worm (and its variants) picked a specific date to launch DoS (Denial of Service) attacks at SCO, Microsoft, and other sites.  However, the creator made some slight mistakes.  The target URLs were hard-coded into the worm, which made them easy to find, and some of those URLs were incorrect.  So the sites simply had to make slight changes, and the attack was thwarted.

Whether Conficker will be a grand slam or a dud remains to be seen.  However, there may be between 9 and 15 million infected PCs, so a fair number of people are sitting on pins and needles.  And that's just the PCs that have been scanned for the worm.  Who knows how many haven't been scanned yet?

Some of the symptoms are not noticeable by the regular user.  These include account policies being changed; Task Manager and the Error Reporting service being disabled; and Automatic Updates being disabled.  However, the sluggishness in DNS responses and the congestion on the network will be noticed.  Of course, the average user won't understand that these are caused by the worm; they'll blame other outside factors.

The only way the average user will notice that they can't reach antivirus or security sites is if they're actively trying to get there.  So, in short, unless you've actively tried to look up a virus (or wanted more information on your antivirus), or you tried to run Windows Update manually, you probably don't even know whether you're infected.

This time around, you can't just set your date ahead.  Windows doesn't play nice if you do that, and the worm checks various web sites for the date and time rather than trusting the local clock.  You need to get a removal tool or do an online scan in order to take care of the problem.  Now, how do you do this when Conficker blocks those sites?  Any method is going to require a computer that is not infected.  You're going to have to download the removal tools from the antivirus sites on a clean machine, or download a "Live CD" of a Linux distro and use that to boot (and scan) the infected computer.

BE CAREFUL about plugging a USB thumb drive that has been in the infected computer into a non-infected computer.  Conficker can spread through USB drives.  It does this by creating an autorun.inf file on the drive that runs the worm when the drive is opened, instead of opening the folder for you to view.
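To see what that autorun.inf trick looks like from the defender's side, here is an added example (not code from the original post) that parses an autorun.inf the tolerant way Windows does, ignoring junk lines, and flags an entry that launches code while dressed up as the normal "Open folder to view files" option.  The sample file, its RECYCLER path and payload name are constructed for this example, not taken from a real Conficker drive.

```python
"""Inspect an autorun.inf for the "run code instead of opening the folder" trick.

Added example, not code from the original post. Windows reads autorun.inf as
an INI file and silently skips anything it cannot parse, so a worm can bury
the real directives inside junk bytes and decoy sections. This parser applies
the same tolerance, pulls out the [autorun] keys that matter, and flags the
dangerous combination: an open/shellexecute directive that launches code,
paired with an action/label that mimics the legitimate AutoPlay prompt.
"""
import re

# Directives that cause code execution when the drive is inserted or opened.
EXEC_KEYS = ("open", "shellexecute")
# Launchers and extensions that have no business in a data-only USB autorun.
SUSPICIOUS_TARGET = re.compile(r"(rundll32|cmd\.exe|\.exe|\.dll|\.scr|\.bat|\.vmx)", re.I)
# Text copied from the real AutoPlay prompt so the malicious entry looks benign.
FOLDER_DECOY = re.compile(r"open\s+folder\s+to\s+view\s+files", re.I)

KEY_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
SECTION_LINE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_autorun(data: bytes) -> dict:
    """Return the keys of the [autorun] section, skipping junk like Windows does.

    Lines that are not valid key=value or [section] text are ignored, so binary
    padding, comments and decoy sections do not hide the real directives.
    Keys are lower-cased; the last assignment wins, as in INI handling.
    """
    text = data.decode("latin-1")      # every byte decodes; junk stays junk
    keys = {}
    in_autorun = False
    for line in text.splitlines():
        sec = SECTION_LINE.match(line)
        if sec:
            in_autorun = sec.group(1).strip().lower() == "autorun"
            continue
        kv = KEY_LINE.match(line)
        if in_autorun and kv:
            keys[kv.group(1).lower()] = kv.group(2)
    return keys


def assess_autorun(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    keys = parse_autorun(data)
    findings = []
    for k in EXEC_KEYS:
        if k in keys and SUSPICIOUS_TARGET.search(keys[k]):
            findings.append(f"{k}= launches code: {keys[k]!r}")
    decoy = any(FOLDER_DECOY.search(keys.get(k, "")) for k in ("action", "label"))
    if decoy and any(k in keys for k in EXEC_KEYS):
        findings.append("action/label mimics the normal 'Open folder to view files' prompt")
    return findings


# Constructed sample in the style of a worm-planted autorun.inf: junk bytes,
# a decoy section, then the real [autorun] block. The RECYCLER path and the
# payload file name are made up for this example.
WORMY_AUTORUN = (
    b"\x00\x8f\xd3junk\x01\x02\r\n[noise]\r\nzzz=\xff\xfe\r\n"
    b"[autorun]\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0\\payload.vmx,entry\r\n"
    b"\x9a\xbc more junk\r\n"
)

# Constructed benign sample: cosmetic keys only, no launcher.
BENIGN_AUTORUN = b"[autorun]\r\nlabel=Holiday photos\r\nicon=photos.ico\r\n"

if __name__ == "__main__":
    for name, blob in (("worm-style", WORMY_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess_autorun(blob) or ["clean"])
```

Run it against the autorun.inf from a suspect drive (read the file in binary mode, since the junk is not valid text) on a clean machine with AutoPlay disabled; the point of reading only the [autorun] section is that a decoy section or garbage before it does not change what Windows will actually execute.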

From what I'm reading, it sounds like the known major event on April 1 is that the worm will try to get updates from 500 sites at a time, instead of the 250 it checks now.  As of now, there hasn't been an update on any site.  That doesn't mean there will or won't be one on April 1 (or even in 20 minutes, for that matter).
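As an added illustration of why a worm in this position fetches the date from web sites and computes a fresh list of update sites, here is a generic date-seeded domain list generator (example code, not the original post's and not Conficker's actual algorithm).  The hashing scheme, seed and TLD set are assumptions; only the 250 and 500 counts come from the post.  Every infected host that agrees on the date derives the same list, and so can a defender who has reverse-engineered the scheme, which is why raising the daily count raises the number of domains that have to be registered or sinkholed ahead of time.

```python
"""Illustrate a date-seeded rendezvous domain list (generic, not Conficker's).

Added example, not from the original post. A worm that contacts N freshly
computed domains per day needs only a trusted date (hence the checks against
public web sites) and a shared algorithm; every infected host derives the
same list, and so can defenders who have reverse-engineered it. The
SHA-256 scheme, seed and TLD set below are assumptions for illustration.
"""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")   # assumed set, for illustration only


def _as_date(day) -> datetime.date:
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def daily_domains(day, count: int, secret: bytes = b"example-seed") -> list:
    """Return `count` deterministic domains for `day`.

    Each domain is derived from SHA-256(secret || date || index); the secret
    stands in for whatever constants a real sample hard-codes. Because the
    index is part of the input, the first k domains of a longer list equal
    the k-domain list for the same day.
    """
    day = _as_date(day)
    out = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        # 8 lowercase letters from the first 8 bytes, TLD chosen by the last byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return out


def blocking_burden(day, count: int) -> int:
    """Distinct domains a defender must register or sinkhole to deny the worm
    every rendezvous point for that day."""
    return len(set(daily_domains(day, count)))


def precompute_window(start, days: int, count: int) -> dict:
    """Map each date in the window to its domain list, the way a sinkhole
    operator prepares registrations ahead of an activation date."""
    start = _as_date(start)
    window = {}
    for d in range(days):
        day = start + datetime.timedelta(days=d)
        window[day] = daily_domains(day, count)
    return window


if __name__ == "__main__":
    april_1 = datetime.date(2009, 4, 1)
    # The post says the per-day count rises from 250 to 500 on April 1.
    before = blocking_burden(april_1 - datetime.timedelta(days=1), 250)
    after = blocking_burden(april_1, 500)
    print(f"domains to deny on Mar 31: {before}, on Apr 1: {after}")
    print(daily_domains(april_1, 3))
```

The defender's advantage is the same determinism the worm relies on: with the algorithm in hand, `precompute_window` yields every domain for the days around the activation date, and `blocking_burden` is the size of the registration job.  The worm's counter-move, visible in the 250 to 500 jump, is simply to make that job bigger.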

Here are some links for you to check out.  If they don't work, let me know and I'll find you an updated one that will (some of them point at security and antivirus sites, which Conficker blocks on an infected machine).

Internet Storm Center Diary on Conficker.  This is a one-stop shop for a lot of information on Conficker.  At the time I'm posting this, the last update was on Saturday, so the information should be pretty accurate.

F-Secure information on Conficker (FAQ).  If this doesn't work, try http://www.fsecure.com instead (Conficker blocks sites by matching strings such as "f-secure" in the name, and the hyphen-less address slips past it).  Oops, I wasn't supposed to tell anyone (it's one of the answers in the FAQ).

InternetNews.com article on Conficker.  This one has one quote I don't agree with, from Ron Meyran at Radware.  He said that if you're running freeware antivirus programs, you'll probably be infected.  If it's a reputable freeware program like Avast, F-Secure, AVG, or a few others, you shouldn't have to worry.  If it's something like "Stop Sign" or the ones you see on late-night television, I would look into a different brand.

Ottawa Citizen — Computer Worm no cause for alarm.  This is a decent article that puts it into plain English.  They talk about how the media has hyped Conficker into something it may not be.  Although, what's to say they haven't given the creators a few ideas?

US-CERT: How to Disable AutoPlay.  While this isn't specifically about Conficker, it's important to know.  Conficker isn't the first (or only) worm to spread via AutoPlay.

Wikipedia article on Conficker.  This is where I began reading about Conficker.  I would put a little more faith in the security sites and take this with a grain of salt, but it still has some useful information.

My take on this: if you're running an older version of Windows (pre-XP SP2 or pre-2000 SP4), I would ask WHYYYYYYYYYYYY?????  Likewise, if you're running an illegal copy of Windows, haven't updated Windows in the past six months (the vulnerability Conficker uses, MS08-067, was patched in October), or don't have an antivirus program installed (or haven't updated it), you're in trouble.  If not from Conficker, then you'll get hit by something eventually.  It's like playing Russian roulette: you've spun the cylinder once and are just pulling the trigger.  Sooner or later, the gun will go off.

If you are running a fully patched, legal version of Windows (XP SP2 or later, or 2000 SP4) and have updated your antivirus program, you should be OK.  And if you're running Macintosh or Linux, you can sit back on April 1 and laugh...  For now, at least.

Have a great day:)

Patrick.
