Update on Conficker.C – Security Labs Alert



Websense has a fairly comprehensive blog post about Conficker up at the link above.  There are some technical details in it, so I’ll do my best to clear it up a little.  I strongly encourage you to read their article as well as this post, as the source is always more accurate than any translation.

If you’re a subscriber or customer of Websense, then you should be protected.  But diligence is still needed.  If you’re not a subscriber or customer, then you definitely need diligence.

I’ll break down their post.  Some of it will be redundant and some of it will be obvious.  At the end, I’ll link you to sites with information on how to do the things that you need, but aren’t sure about.

First Things First: Protect Yourself.

From their post, the Conficker worm spreads in three ways: through a security hole that Microsoft patched last October (MS08-067), through networks and network shares (NetBIOS), and through removable media (Autorun and Autoplay).

So there are three things you need to do.

1.  Update your computer with all of the security updates that are available.  Especially the one for MS08-067.

2.  Use strong passwords for all of your accounts (and disable your Administrator account).  This means the password should follow some simple rules: a) not use common words or things that are easily guessed, b) be at least 6 to 8 characters long, c) combine capital and lowercase letters and special characters (!@#$%^&*()), and d) be changed on a regular basis (most corporate environments make you change them every 90 days).

3.  Disable the AutoPlay and AutoRun features in your computer.  It will be a minor hassle in the end (as you will actually have to do something to make your favorite CD or DVD run), but given the choice of having to do something or having a virus do something on its own, I’d say it’s worth it.

Check to see if you’re already infected.

You can find out if you’re infected by trying to go to a number of security-related sites or even Microsoft’s website.  This link will take you to a knowledge-base article at Microsoft’s website that will give you more information.  If you can’t get to a security site, try a regular site like Google or Yahoo before you start to panic.  If you don’t have Internet access, you don’t necessarily have an infection.
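The check described above, written as a short script. This is an added example, not code from the Websense post or Microsoft's knowledge-base article; the hostnames and the verdict names are assumptions chosen for illustration.

```python
import socket

# Hostnames are assumptions for this example: one vendor site of the kind the
# post says may become unreachable, and two ordinary sites used as controls.
SECURITY_HOSTS = ["www.microsoft.com"]
CONTROL_HOSTS = ["www.google.com", "www.yahoo.com"]


def can_connect(host, port=80, timeout=5.0):
    """Return True if the name resolves and a TCP connection succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failures, refusals and timeouts
        return False


def probe(hosts, check=can_connect):
    """Map each hostname to whether it was reachable."""
    return {host: check(host) for host in hosts}


def assess(security, control):
    """Apply the post's reasoning to two reachability maps."""
    if not any(control.values()):
        # Ordinary sites fail too: a connectivity problem, which by
        # itself says nothing about infection.
        return "no-internet"
    blocked = sorted(h for h, ok in security.items() if not ok)
    if not blocked:
        return "no-blocking-seen"
    if len(blocked) == len(security):
        # Regular sites load but every security site fails.
        return "security-sites-blocked"
    return "partially-blocked"


if __name__ == "__main__":
    print(assess(probe(SECURITY_HOSTS), probe(CONTROL_HOSTS)))
```

A `security-sites-blocked` result is a reason to look closer, not proof of infection, since a proxy or content filter can produce the same pattern.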

Preserve the Investment.

Ironically, the variant of Conficker that we’re hearing the most about (.C) doesn’t propagate.  It’s just sitting there checking in every day like a good little soldier…  So far, it hasn’t received any commands or updates.  However, the other three versions of Conficker are still propagating (spreading).

The creators also worked on improving its protection mechanisms.  What this means is that while the first three variants were designed to spread as quickly as possible, this one is designed to sit and hide until it’s time…  For what, no one knows (except the people who are running the worm’s controls).

April 1……

April 1 is hard-coded into the worm.  This much, the security people have found.  They have ideas about what will happen, but they aren’t positive.  There may be more things, or just the things they’ve found.  And the creators may suddenly add more to it at any time.

The other variants of Conficker had 250 domains that they checked for updates.  The security researchers blocked those domains, so they’re effectively useless now.  On April 1, Conficker.C will suddenly generate a list of 50,000 domain names, and try to update from 500 of them.  The creators hope that the security researchers won’t be able to catch the ones that they are actually using.

The domain generation only affects computers that are already infected.  This doesn’t mean that it will infect new computers.  And April 1 doesn’t mean that the creators will start doing whatever they intend to do with Conficker.  They could start it today, or next year.  With the estimates of 10 million or more computers potentially infected, time is on their side right now.  But, as the article says, “Time is money.”  They’re waiting for a reason.  They probably won’t wait long.  And only they know what the reason is.


My prediction is this. April 1 will come and go.  News reporters will probably say that it was a dud.  Then at some point in the future, the creators will use the bot for whatever they intend it for.  Unless they put out an update with another hard-coded date, Conficker will fade into memory and strike silently.

The article’s Predictions:

The authors predict that the worm will propagate again.  Most likely it will use spam-based methods.  They predict that the creators will update it, since they have to get as many infected computers as possible.  And the authors predict that if the group is based out of China, they’ll try to get Western connections to help them with whatever they’ve got planned.

One potential harm that could come up on Wednesday is this.  When the worm generates its domains, it will try to get to 500 of them.  This is going to cause a lot of congestion on the Internet.  And if some of the randomly generated domains are legitimate sites, they could be knocked offline (Denial of Service).

As I find more information, I’ll pass it along to you.

Have a great day:)
