PC Pro - Computing in the Real World (printed from www.pcpro.co.uk)

Real World Computing

You've been Conficked...

Posted on 30 Mar 2009 at 15:52

Davey Winder gets to grips with the Conficker worm and discovers that prevention is better than cure.

Its third option, and the one that many of my friends in security research labs around the world reckon could be the real secret of this worm's success, is to copy itself to removable media, including the now ubiquitous USB memory stick. This is where it gets clever. By simply adding an .inf file, it makes the most of the fact that plenty of users don't switch off Windows' default AutoPlay behaviour: insert an infected memory stick and the AutoPlay options dialog pops up, to which Conficker will have added an extra option. While the genuine "Open folder to view files using Windows Explorer" remains, there's another that offers to "Open folder to view files - publisher not specified". This plays on a social-engineering concept: that most people are nosey. If you find a USB stick that offers you the opportunity to take a peek at its contents, human nature dictates that most of you will do just that. By making it look like there's a folder with something to view, Conficker ensures that people will click it, and by doing so execute the worm itself.
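To show what that .inf file looks like from the defender's side, here is an added example (not code from the article, and not the worm's own file): a small Python inspector for an autorun.inf found on a removable drive. The sample file, its paths and the findings wording are constructed for illustration; the keys it uses (action, icon, open, shellexecute, UseAutoPlay) are documented autorun.inf keys.

```python
"""Inspect an autorun.inf for the AutoPlay trick the article describes.

Added example, not from the article or from Conficker itself. The sample
below is constructed to be readable; real autorun.inf files in the wild are
often padded with junk, which is why this parser ignores unknown sections.
"""
import re

# Constructed sample: launches a program while labelling the AutoPlay entry
# like Explorer's own "Open folder to view files" and borrowing a folder icon.
SAMPLE_AUTORUN_INF = """\
[autorun]
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\setup.exe
UseAutoPlay=1
"""

# Keys that make AutoPlay/AutoRun start a program rather than open a folder.
LAUNCH_KEYS = {"open", "shellexecute"}

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank lines and comments
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_findings(entries):
    """Reasons to distrust this file before clicking its AutoPlay entry."""
    findings = []
    launch = {k: v for k, v in entries.items() if k in LAUNCH_KEYS}
    if launch:
        findings.append("launches a program: " + ", ".join(f"{k}={v}" for k, v in sorted(launch.items())))
    action = entries.get("action", "").lower()
    if launch and "open folder" in action:
        findings.append("AutoPlay label imitates Explorer's folder view: " + entries["action"])
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("borrows a Windows system icon to look like a folder")
    return findings
```

A drive whose autorun.inf only sets label and icon produces no findings; the combination of a launch key with a folder-style label is the pattern worth blocking or alerting on.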

Although pretty much any unpatched Windows system is at risk, the most vulnerable appear to be Windows 2000, XP and Server 2003 according to Microsoft. Given that XP SP2 and XP SP3 still account for the lion's share of installed Windows systems worldwide, it should come as no surprise that these are being targeted. Vista and Server 2008 users shouldn't feel complacent, though, since there's still a risk of infection, albeit a reduced one. Conficker is able to use password cracking to get around the authenticated access barrier that these systems erect, and there's always the USB key route, to which they're just as vulnerable. Even Windows 7 users should take care, as Microsoft admits that, while those who have downloaded the Windows 7 beta are safe, those running Windows 7 pre-beta aren't safe if the system remains unpatched.

How do I know if I'm infected?

Now you know what it is and how it spreads, how do you know if your computer is actually infected by the Conficker worm? Strangely enough, you're more likely to be infected if you're a business user - anywhere from the SME arena right up to the large enterprise. Indeed, the Ministry of Defence is believed to have been caught out by Conficker, which got into the desktop communication systems used aboard Royal Navy warships and submarines. There are also reports of some 800 computers at a large NHS hospital trust being hit. The reason is straightforward, namely that home users are more likely to let their systems automatically download and apply Windows updates, whereas businesses are less likely to do so, or, for that matter, to update their desktops and servers manually on a regular basis. While it would be nice to think that everyone is at least protected by some up-to-date antivirus software or security system, even that assumption seems a little naive in the real world. The best way to know if you're infected is to let a good antivirus suite tell you, but there are some clues that can help, such as corporate account-lockout policies getting tripped due to passwords being changed, or Error Reporting Services being disabled. Microsoft points out that the Background Intelligent Transfer Service (BITS) and Windows Defender will be disabled, and that domain controllers will respond more slowly to client requests.

The easiest way to tell is to try visiting a security-related website or two, and if you get a bunch of 404 "not found" errors - certainly, if you get more than one - the chances are you could be infected, as Conficker blocks a list of security-related domain names to prevent you downloading the tools to eradicate it. As well as blocking access to just about every security vendor's site, this list includes keywords such as malware, rootkit, spyware and virus (although, oddly enough, not "worm" itself) to prevent access to any URL that contains any of them. Security vendors have been quick to respond to this challenge: F-Secure, for example, has a Conficker removal tool that it makes available via FTP using a numerical IP address to bypass Conficker's hostname filters (ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip).
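The "try visiting a security site" test above can be automated, and made more reliable by also resolving a couple of non-security names so that a plain network outage is not mistaken for selective blocking. The following is an added example, not the article's or any vendor's tool; the host lists are illustrative (only F-Secure is named in the article) and the resolver is injectable so the check can be exercised without network access.

```python
"""Automate the article's 'try visiting a security site' test.

Added example, not from the article or any vendor tool. Assumptions: the
host lists are illustrative, and the resolver is injectable so the check
can run without network access.
"""
import socket

# Security-related names a machine behind Conficker's filter would fail to
# resolve (illustrative; the article names F-Secure, the rest are other vendors).
SECURITY_HOSTS = ["www.f-secure.com", "www.symantec.com", "www.kaspersky.com",
                  "www.sophos.com", "www.virustotal.com"]
# Non-security names used as a control: if these fail too, the network is down.
CONTROL_HOSTS = ["www.bbc.co.uk", "www.wikipedia.org"]
# Keywords the article says the worm matches anywhere in a URL ("worm" is not one).
BLOCKED_KEYWORDS = ("malware", "rootkit", "spyware", "virus")

def keyword_hit(hostname):
    """Which of the filtered keywords appear in this hostname, if any."""
    return [k for k in BLOCKED_KEYWORDS if k in hostname.lower()]

def resolve_ok(hostname, resolver=socket.gethostbyname):
    """True if the name resolves; gethostbyname raises socket.gaierror (an OSError) if not."""
    try:
        resolver(hostname)
        return True
    except OSError:
        return False

def conficker_dns_check(security_hosts=SECURITY_HOSTS, control_hosts=CONTROL_HOSTS,
                        resolver=socket.gethostbyname):
    """Return (verdict, failed_security_hosts).

    'offline'    - a control host failed too, so nothing can be concluded
    'suspicious' - more than one security host failed while the controls resolved
                   (the article's rule of thumb)
    'clean'      - at most one security host failed
    """
    if not all(resolve_ok(h, resolver) for h in control_hosts):
        return "offline", []
    failed = [h for h in security_hosts if not resolve_ok(h, resolver)]
    return ("suspicious" if len(failed) > 1 else "clean"), failed

def blocking_resolver(blocked):
    """Constructed stand-in resolver that fails for the given names (for offline testing)."""
    def resolver(hostname):
        if hostname in blocked:
            raise OSError("simulated lookup failure for " + hostname)
        return "192.0.2.1"  # documentation address, never routed
    return resolver

if __name__ == "__main__":
    verdict, failed = conficker_dns_check()
    print(verdict, failed, [(h, keyword_hit(h)) for h in failed])
```

Run on a live machine it uses the system resolver; a "suspicious" verdict is a cue to fetch a removal tool by numeric IP, as F-Secure's FTP link above does, rather than by hostname.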

Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.