Conficker Worm Continues to Spread
Although the worm is spread primarily through business networks, originating with infection of a Windows server, it is possible to get an infection on a home network, or individual PC.
First, it attacks a vulnerability in the Microsoft Server service. Computers without the October patch can be remotely attacked and taken over.
Second, Conficker can attempt to guess or ‘brute force’ Administrator passwords used by local networks and spread through network shares.
And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.
Conficker and other worms are typically of most concern to businesses that don’t regularly update the desktops and servers in their networks. Once one computer in a network is infected, it often has ready access to other vulnerable computers in that network and can spread rapidly.
Home computers, on the other hand, are usually protected by a firewall and are less at risk. However, a home network can suffer as well. For example, a laptop might pick up the worm from a company network and launch attacks at home.
The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try to stop the worm’s attempts to connect to Web sites.
And finally, you can disable Autorun so that a PC won’t suffer automatic attack from an infected USB drive or other removable media when it’s connected. The Internet Storm Center links to one method for doing so at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html, but the instructions involve changing the Windows registry and should only be attempted by administrators or tech experts. Comments under those instructions also list other potential methods for disabling autorun.
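As an added example (not part of the original post or of the linked instructions), the Python sketch below shows how an administrator could check removable media for the kind of autorun file described above before a drive is plugged into a Windows PC. It reads autorun.inf from a drive root and lists only the entries that launch a program. The function names and the sample file are constructed for illustration.

```python
import os
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
SECTION = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample: junk padding, a harmless icon entry, two launch entries,
# and an open= line in a different section that must be ignored.
SAMPLE = (
    b"\x8f\x02junk\xff\x00padding\r\n"
    b"[AutoRun]\r\n"
    b"; comment line\r\n"
    b"icon=drive.ico\r\n"
    b"\xfe\xfdmore junk\r\n"
    b"Open = setup.exe /quiet\r\n"
    b"shell\\open\\command=tools\\viewer.tmp\r\n"
    b"[Content]\r\n"
    b"open=ignored.exe\r\n"
)

def launch_entries(raw):
    """Return (key, command) pairs from the [autorun] section of raw bytes."""
    text = raw.decode("latin-1")  # never raises; junk bytes stay as junk chars
    entries, in_autorun = [], False
    for line in re.split(r"[\r\n]+", text):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries

def scan_drive(root):
    """Return launch entries from autorun.inf in a drive root, [] if absent."""
    for name in os.listdir(root):  # match the name case-insensitively
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "rb") as fh:
                return launch_entries(fh.read())
    return []

if __name__ == "__main__":
    for key, command in launch_entries(SAMPLE):
        print(f"{key} -> {command}")
```

Any entry it reports on a drive that is not supposed to carry an installer is worth inspecting on an isolated machine with Autorun disabled.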
The patch (see hyperlink above) is already on your Windows machine if you have kept the system updated. If you have not, head over to Microsoft and patch your system. (If by some chance you are running a Windows operating system prior to Windows 2000, simply not being mentioned in the Microsoft bulletin does not mean that your system is immune. Err on the side of caution, and update your antivirus and antimalware software ASAP. Also, extra caution when using removable media is recommended.)
Remember that this worm can spread in at least 3 ways, and that once your system is compromised, it continues the attack on your machine and any other it can infect.
UPDATE
The worm is, it seems, known by more than 1 name (just in case your software doesn’t know both names!):
In a blog post, F-Secure security researchers report that the number of machines infected by the Downadup worm has skyrocketed from roughly 2.4 million to over 8.9 million in the last four days alone.
Downadup is a malicious worm that “uses computer or network resources to make complete copies of itself,” according to F-Secure. And it may also include code or other malware that damages both a computer and network. The worm also goes by the names “Kido” and “Conficker.” Details on how it operates and how to remove it are here.
Once executed, Downadup disables a number of system services, including Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. The worm then connects to a malicious server, where it downloads additional malware to install on the infected computer. Computerworld provides a more detailed report on Downadup’s potential dangers.
Since Downadup uses random extension names to avoid detection, Windows users should make sure their security software is set to scan all files, rather than checking on specific extensions, F-Secure recommends.
The alarmingly high number of Downadup infections led Microsoft last Tuesday to enable its anti-malware utility, Microsoft Software Removal Tool (MSRT), to detect the worm. So it’s important that Windows users, if they haven’t already, download the latest Microsoft security patch that went out earlier this week.
Don’t get caught unaware.
3 Comments
Eddie Philips
January 26th, 2009
at 2:38pm
After downadup infects your computer, you can no longer download updates from Microsoft and most antivirus software vendors. One thing the virus does is block requests from your computer to these web sites. Alternative downloads can be found at http://www.downadup.com, along with tools for disabling AutoPlay, and repairing the registry.