The Final Countdown

Panda Security: Warning: Conficker worm infections gaining traction

30 Mar

We're seeing quite a large number of Conficker worm infections since the start of the New Year and especially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, already noticed an increase in infections a few days ago.

As you may recall, Conficker is a worm that spreads via networks and USB drives. It attempts to brute-force usernames and passwords and takes advantage of the Server Service vulnerability in Windows, which allows remote code execution. The worm also auto-updates itself every day from a long list of URLs, so it looks like it's preparing for a larger attack.

Checking the SANS activity by port again, it's obvious this is something you need to worry about:



As posted about a month and a half ago, TruPrevent prevents Conficker worm network infections proactively thanks to a new Policy Rule we pushed out to all our retail products. In addition we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.

As a curiosity I was travelling the other day and while connected to the WiFi network of a German airport I noticed the following Conficker worm variant trying to brute force its way into my machine:





The Conficker worm means business, so be careful out there. Some preventive steps you should be following if you haven't done so already:
If you're responsible for a network, scan for vulnerable machines (using Baseline Analyzer, Nessus, etc.).
Patch your servers and workstations by visiting Microsoft Security Bulletin MS08-067.
Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
Turn off the AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
Make sure your antivirus and security solution is up-to-date on the latest version and signature database.
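The patch and AutoRun steps above can be checked (and AutoRun fixed) from a script. The following Windows PowerShell snippet is an added example, not code from Panda Security; it assumes the MS08-067 fix shows up in the installed-hotfix list as KB958644 (the knowledge base number of that bulletin) and that AutoRun is controlled by the NoDriveTypeAutoRun policy value, where 0xFF disables AutoRun on all drive types.

```powershell
# Added example: checks a Windows host against the preventive steps above.
# Assumption: MS08-067 is installed as hotfix KB958644 (the bulletin's KB number).

function Test-MS08067Installed {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $kb = 'KB958644'   # KB article number for the MS08-067 Server Service fix
    # Get-HotFix reads Win32_QuickFixEngineering; -ComputerName lets you sweep a network.
    $hit = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $kb }
    return [bool]$hit
}

function Get-AutoRunPolicy {
    # Reports the NoDriveTypeAutoRun policy for the machine and the current user.
    # 0xFF (255) means AutoRun is disabled on every drive type.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Hive = $p; NoDriveTypeAutoRun = $v; Disabled = ($v -eq 0xFF) }
    }
}

function Disable-AutoRun {
    # Sets the machine-wide policy; needs an elevated (administrator) prompt.
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
}

function Get-ConfickerPreventionReport {
    param([string]$ComputerName = $env:COMPUTERNAME)
    [pscustomobject]@{
        ComputerName     = $ComputerName
        MS08067Installed = Test-MS08067Installed -ComputerName $ComputerName
        # The registry check below is local only; run it on each host.
        AutoRunDisabled  = [bool](Get-AutoRunPolicy | Where-Object { $_.Disabled })
    }
}

Get-ConfickerPreventionReport | Format-List
```

Treat a missing KB958644 as "verify", not "vulnerable": a later service pack that supersedes the fix does not appear under that KB number, so confirm with a vulnerability scanner (step 1 above) before declaring a host unpatched.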

Conficker Worm Attack Getting Worse: Here's How to Protect Yourself

Millions of Windows computers have been infected by a new computer worm dubbed "Conficker." The situation is "not getting better," but rather is "getting worse," according to security software vendor F-Secure.

In a blog post, F-Secure security researchers report that the number of machines infected by the Downadup worm has skyrocketed from roughly 2.4 million to over 8.9 million in the last four days alone.

Downadup is a malicious worm that "uses computer or network resources to make complete copies of itself," according to F-Secure. And it may also include code or other malware that damages both a computer and network. The worm also goes by the names "Kido" and "Conflicker." Details on how it operates and how to remove it are here.

Once executed, Downadup disables a number of system services, including Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. The worm then connects to a malicious server, where it downloads additional malware to install on the infected computer. Computerworld provides a more detailed report on Downadup's potential dangers.
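A quick triage check for the behaviour just described is to see whether those services are stopped or disabled. The snippet below is an added example, not F-Secure's or Computerworld's code; it assumes the standard service names wuauserv (Automatic Updates), wscsvc (Security Center), WinDefend (Windows Defender) and ERSvc / WerSvc (Error Reporting on XP/2003 and on Vista and later respectively), and it needs Windows PowerShell (the -ComputerName parameter of Get-Service is not available in PowerShell 7).

```powershell
# Added example: flags the services Downadup is reported to disable.
# Assumes the standard Windows service names listed in $watched.
function Get-DownadupServiceStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $watched = 'wuauserv', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc'
    foreach ($name in $watched) {
        $svc = Get-Service -ComputerName $ComputerName -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service does not exist on this OS version
        # Win32_Service carries the start type (Auto / Manual / Disabled).
        $startMode = (Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "Name='$name'").StartMode
        [pscustomobject]@{
            Computer   = $ComputerName
            Service    = $name
            Status     = $svc.Status
            StartMode  = $startMode
            Suspicious = ($svc.Status -ne 'Running' -or $startMode -eq 'Disabled')
        }
    }
}

Get-DownadupServiceStatus | Format-Table -AutoSize
```

A Suspicious flag is a triage prompt, not proof of infection: a third-party security product may legitimately stop Windows Defender, and some organisations disable Error Reporting by policy. Several of these services turned off together, on a machine nobody has touched, is the pattern worth following up with a full scan.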

Since Downadup uses random extension names to avoid detection, Windows users should make sure their security software is set to scan all files, rather than checking on specific extensions, F-Secure recommends.

The alarmingly high number of Downadup infections led Microsoft last Tuesday to enable its anti-malware utility, Microsoft Software Removal Tool (MSRT), to detect the worm. So it's important that Windows users, if they haven't already, download the latest Microsoft security patch that went out earlier this week.

MS08-067 Conficker worm - F-Secure offers free removal tools

These tools may be useful for infected systems that need to be cleaned prior to putting the MS08-067 security patch in place.

MS08-067 Conficker worm - Description
http://www.f-secure.com/weblog/archives/00001574.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

MS08-067 Conficker worm - F-Secure offers free removal tools

ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip


Remember:
please read the text file included in the ZIP for additional details

ESET Removal tools

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batch files thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it's already on their system. So here's a quick summary: some of it was actually posted by our labs back in January, but it still applies.

1. Disconnect the infected computer from the network and the Internet.
2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001.
3. Reset the passwords on your admin accounts to more sophisticated ones. [Note that it can spread through shared folders.]
4. Download a one-off ESET application (again, using a non-infected PC) which will remove the worm.
5. Install the updated anti-virus program.
6. Re-connect the PC to the network and the Internet.


You might also want to disable Autorun.

Here’s a bit more information about using the standalone utility mentioned in step 4.

If you access that link and run it rather than save it, you might be confused by the fact that it’s a text mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal with a C:\ or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a multi-menu graphical interface (GUI).
If you have more than one PC to check/look after, or a slow connection, or for any other reason, you might want to save it to the desktop rather than run it from the web site.
When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It's unlikely to do any harm if you do run it, but if Conficker is not in memory, it probably isn't on your system anyway and certainly poses no immediate threat. It's more important at this point to check that your AV is installed and updating properly.
It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command-line, and if you saved it as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
I've also had someone mention that the DOS screen comes and goes too quickly to read if there's no infection. I haven't been able to replicate that, so have asked for more information.
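For the administrators and power users the post mentions, the utility can be driven from a script so that its console output is kept in a log file instead of disappearing with the window. The following is an added example, not ESET's code; it assumes the tool was saved as EConfickerRemover.exe (the name used above), that it accepts the -autoclean and -reboot switches the post describes, and that it must run elevated to clean. The meaning of the tool's exit codes is not documented on this page, so the script only records them.

```powershell
# Added example: run the saved remover elevated, with a log of its output.
# Assumptions: tool saved as EConfickerRemover.exe; -autoclean / -reboot are
# the switches described in the post; exit code meaning unknown, so just logged.
param(
    [string]$Tool   = '.\EConfickerRemover.exe',
    [string]$LogDir = '.',
    [switch]$AutoClean,
    [switch]$Reboot
)

function Test-IsAdministrator {
    # The post notes the tool detects but cannot clean without admin rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-ConfickerRemover {
    param([string]$Tool, [string]$LogDir, [switch]$AutoClean, [switch]$Reboot)
    if (-not (Test-Path $Tool)) { throw "Remover not found at $Tool" }
    if (-not (Test-IsAdministrator)) {
        throw 'Run from an elevated prompt (log in as administrator or "run as" administrator).'
    }
    $switches = @()
    if ($AutoClean) { $switches += '-autoclean' }
    if ($Reboot)    { $switches += '-reboot' }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log   = Join-Path $LogDir ("conficker-$($env:COMPUTERNAME)-$stamp.log")
    # Call operator runs the console tool in this window; Tee-Object shows the
    # output and writes it to the log so it survives the window closing.
    & $Tool @switches 2>&1 | Tee-Object -FilePath $log
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; ExitCode = $LASTEXITCODE; Log = $log }
}

Invoke-ConfickerRemover -Tool $Tool -LogDir $LogDir -AutoClean:$AutoClean -Reboot:$Reboot
```

Without -AutoClean the tool still prompts interactively, so the script is best run without switches when checking a single machine and with -AutoClean (and, if wanted, -Reboot) when pushing it to several PCs, reviewing the per-machine log files afterwards.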

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.


SEE THE HISTORY [MAIN PAGE FOR MORE TUTORIALS AND TOOLS FOR CONFICKER C REMOVAL]
THE ABOVE METHOD IS JUST 1 METHOD OUT OF THE MASSES.
FOR MORE SECURITY ALWAYS USE ALL THE METHODS AVAILABLE.

McAfee Stinger!

Now, Techie Buzz has brought to light another Conficker removal tool released by renowned anti-virus and security company McAfee. They've released a Conficker removal tool by the name Stinger, which scans and removes 11 trojans and their variants, including Conficker.
