Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Sunday, March 29, 2009

Conficker Threat: Fact or Fiction

I’ve been writing about the Conficker worm all week and I’m pleased that nobody has accused me of overblowing the situation. My main goal has been to encourage folks to take the same steps to protect themselves that they should be taking every other day of the year.


Most of the Conficker stories late in the week have been discussions about whether the media has oversold the story and created an atmosphere of fear. According to The Last WatchDog on Internet Security:

“Many security experts are downplaying the significance of millions of Conficker-infected PCs initiating an elaborate calling home sequence on April 1.

Still, concerns are growing about the much firmer grip the bad guys are on the cusp of securing on the corrupted PCs, whether or not they choose to do anything with them on April Fools Day.”


Here are some facts I believe to be true.

USA TODAY: On that date (April 1st) all Conficker-infected PCs will begin trying to connect to 50,000 web domains to receive further instructions.

F-Secure: “The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.”


So, what’s it going to do?  Will the Internet be taken down?  Will a cyberterror attack be launched?  I doubt it.  What people will notice the most are news stories about Conficker. For most of the world, it will be March 31st when computers in China think it’s April 1st. So by Tuesday night malware researchers will be able to provide more information.

SRI International’s Phillip Porras has been quoted in many articles as saying...

“April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations…”


This evaluation makes the most sense and fits with the typical behavior of the sophisticated malware that I’ve been researching. The trend lately has been to create massive botnets or what F-Secure reports as GhostNets. The big news today is how “Canadian research uncovers cyber espionage network”. Go Canada!


Bottom line: your computer is a powerful device. Just like your automobile, you need to keep the doors locked, perform regular maintenance and avoid putting yourself into dangerous situations.

Security Garden: Conficker Information for the Home Computer User  March 27th, 2009

 



Wednesday, March 25, 2009

Real Conficker Danger is on March 31st

Yesterday, I wrote about the Conficker worm and how it was expected to launch a new attack on April 1st.  I showed you the reverse engineered code which included a specific date stamp of April 1st, 2009.


What I forgot, and what everyone else missed, is that the real danger begins on March 31st. I woke up this morning remembering that somewhere in the world, it’s already tomorrow.


Many years ago I distributed my free WinPatrol program as something called Birthdayware. On my birthday each year a message would pop up inviting folks to thank me by wishing me a happy birthday.


Old WinPatrol Birthdayware message
Birthdayware Easter Egg


To my surprise, the day before my birthday emails started to flood my inbox. At first I thought a lot of people had their PC clocks screwed up. Then I looked at the emails and saw they came from the Philippines, Australia, Japan and other countries across the international date line.


It will be March 31st in most parts of the world when it turns April 1st across the Pacific. Most reports have indicated a majority of machines currently infected with Conficker are in China. 


Forget April Fools Day and make sure you take steps to protect yourself before March 31st. Somewhere in the world it will be April 1st for nearly 48 hours.





Tuesday, March 24, 2009

Conficker Judgement Day on April 1st

I would never want to be labeled an “Alarmist” but I hope my post today will make some folks take some reasonable steps to protect themselves. After a lot of research and debate I have been convinced that April 1st is not going to be a good day for the Internet.


I’ve written about the Conficker worm (alias Downadup) a number of times and this may not be the last time I mention it. There are well over a million Windows PCs currently infected with Conficker. On April 1st the infected machines will reach out to a number of web domains to download an additional component containing new instructions. How Conficker will mutate is anyone’s guess. It could be anything from turning a machine into a spam-bot to launching a widespread cyberterror attack. My guess is that it will be something designed to make money.


Reverse engineering Conficker exposes April 1st
Reverse Engineering Conficker (image compliments of Zarestel Ferrer)


April 1st will be a day that shows us who's winning the battle against malware. If your machine doesn't already have all the Windows security patches installed, I'd unplug from the Internet on April Fools' Day. Getting a new computer? If a new, unpatched computer arrives that day, I'd wait until the 2nd before connecting it to the Internet.


So, if you’ve been planning on running the Windows Update service, this would be a good week to do it. If you don’t have a routine back-up plan you might want to back up your important data by the end of the month.


I’m really not trying to be Chicken Little and freak people out. I’m not predicting any kind of global outage. I’m just suggesting that a properly patched Windows system is a good idea. I’m also not trying to scare you into upgrading to my WinPatrol PLUS to protect yourself; the free version offers just as much protection against this threat. The key point here is to make sure you have all the security patches, available for free from Microsoft.

I’m actually flying to Washington Dulles Airport on April 1st so I really hope that United Airlines has all their systems protected. 

Update: Real Conficker Danger is on March 31st
It's important to point out that April 1st begins earlier in other parts of the world. We'll be watching for activity to begin on March 31st from Australia, China, Japan, etc...

Update 3/29: Conficker Fact or Fiction


References:


SRI International Conficker C Analysis March 19th, 2009

CA Security Research Blog

The Last Watch: Countdown to Conficker...

Internet Storm Center: Third party info on conficker

Microsoft: Virus alert about the Win32/Conficker.B worm

Microsoft’s Malicious Software Removal Tool

Microsoft Security Bulletin MS08-067  October 23rd, 2008

F-Secure WebLog Conficker Q&A  March 26th, 2009

Leaked Memo says Conficker Pwns Parliament

 



Monday, January 19, 2009

Remove "Downadup" aka Win32/Conficker Infection

Today, Microsoft notified a number of security experts about a known vulnerability in the Windows Server service (hosted inside SVCHOST.EXE) and its active exploitation. Even though Microsoft provided a fix for this vulnerability in October 2008, they say reports of the exploit are on the rise.

In October, Microsoft warned users with the critical Microsoft Security Bulletin MS08-067:

Executive Summary

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.

Unfortunately, there seem to be too many unprotected users out in the real world. Microsoft provides details on this infection at its Malware Protection Center.

The following system changes may indicate the presence of this malware:
  • The following services are disabled or fail to run:
    Windows Update Service
    Background Intelligent Transfer Service
    Windows Defender
    Windows Error Reporting Services

  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    "TcpNumConnections" = "0x00FFFFFE"

  • Users may not be able to connect to websites or online services that contain following strings:
    virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda, etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb, centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri, ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure, spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate

    Hmmm, should I feel bad that WinPatrol isn’t included in this list?

I recommend, as does Microsoft, keeping your system updated with the necessary security patches and updates. At the very least you should download the Microsoft Malicious Software Removal Tool.
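For readers who want to check a machine against the list above rather than eyeball it, here is a read-only PowerShell triage script. It is an added example for this page, not code from the original post or from Microsoft. It checks the MS08-067 update and then the three indicator groups Microsoft lists: disabled services, the TcpNumConnections registry change, and failed name resolution for hosts whose names contain blocked strings. Assumptions made for the example: MS08-067 is delivered as KB958644; the service short names below are my mapping of the display names in Microsoft's list; the probe hostnames are arbitrary names that happen to contain blocked strings.

```powershell
# Added example for this page (not code from the original post or from
# Microsoft): a read-only triage script that checks one Windows host for
# the MS08-067 update and for the indicator groups in Microsoft's list.
# Assumptions: MS08-067 ships as KB958644; the service short names below
# map to the display names Microsoft lists; the probe hostnames are
# arbitrary names containing blocked strings. Run from an elevated prompt.

$findings = @()

# 1. Patch state. Get-HotFix reads Win32_QuickFixEngineering, the same data
#    Add/Remove Programs shows under "Show updates".
if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
    $findings += 'KB958644 (MS08-067) not installed: Server service RPC flaw is unpatched'
}

# 2. Services Conficker disables. WMI is used rather than Get-Service so the
#    start mode is available on PowerShell 2.0-era systems.
$services = @{
    'wuauserv'  = 'Windows Update Service'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'WerSvc'    = 'Windows Error Reporting Service'
}
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) { continue }   # not present on this Windows edition
    if ($svc.StartMode -eq 'Disabled') {
        $findings += ('{0} ({1}) has been set to Disabled' -f $services[$name], $name)
    } elseif ($svc.State -ne 'Running') {
        # Weaker signal: BITS and Defender are legitimately idle at times.
        $findings += ('{0} ({1}) is {2}' -f $services[$name], $name, $svc.State)
    }
}

# 3. The registry change Microsoft associates with the account-lockout floods.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp = Get-ItemProperty -Path $tcpip -Name 'TcpNumConnections' -ErrorAction SilentlyContinue
if ($tcp -ne $null) {
    $value = [int64]$tcp.TcpNumConnections
    $note = if ($value -eq 0x00FFFFFE) { 'matches the value in Microsoft''s list' } else { 'value is normally absent' }
    $findings += ('TcpNumConnections = 0x{0:X8} ({1})' -f $value, $note)
}

# 4. Name resolution. Microsoft reports that hosts whose names contain the
#    blocked strings become unreachable; a failed lookup of such a name while
#    a neutral control name resolves is consistent with that behaviour.
function Test-Resolves([string]$hostname) {
    try { [void][System.Net.Dns]::GetHostAddresses($hostname); return $true }
    catch { return $false }
}
$control = 'www.example.com'   # contains none of the blocked strings
$probes  = @('www.microsoft.com', 'update.microsoft.com', 'www.f-secure.com', 'www.symantec.com')
if (Test-Resolves $control) {
    foreach ($h in $probes) {
        if (-not (Test-Resolves $h)) { $findings += "DNS lookup of $h failed while $control resolved" }
    }
} else {
    $findings += "Control lookup of $control failed; host may be offline, DNS check skipped"
}

# 5. Report.
if ($findings.Count -eq 0) {
    'No MS08-067 or Conficker indicators from the list above were observed.'
} else {
    'Indicators observed:'
    $findings | ForEach-Object { ' - ' + $_ }
}
```

Save it as, say, Check-Conficker.ps1 (an assumed name) and run it with `powershell -ExecutionPolicy Bypass -File Check-Conficker.ps1` from an Administrator prompt. None of the findings is proof of infection on its own; a stopped BITS service is normal, while a Disabled Windows Update service plus failed lookups of the probe names while www.example.com resolves is the pattern Microsoft describes. The script changes nothing; if it reports indicators, the remediation is the one the post recommends, the Malicious Software Removal Tool followed by the MS08-067 update.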


 
