Virus Invasion :: Technology Blog of a Geek

Welcome to my technology blog. I hope you enjoy it!

Tuesday, April 14, 2009

Conficker: The threat that IS.

On April 1st, plenty of IT pundits, news analysts, and random commenters declared that "Conficker was a joke".

Honestly, it wasn't. Conficker is a cleverly designed worm that can update and redistribute itself whenever its authors need it to. The Microsoft patch (MS08-067, the Server service hole the worm uses to get in) closes the door it came in through, but it does nothing for a computer that is already infected.

Conficker.D appeared shortly before the April 1st date and basically set the tone for Conficker.E. This iteration focused on breaking DNS lookups of security-related sites (by patching dnsapi.dll in memory), deleting the Safe Mode boot keys, and disabling Automatic Updates.

Conficker.E has several qualities. It still retains the ability to update itself, but it now also produces "fake alerts" that pressure the user into buying software to remove the very alerts it created. That is common practice in the malware world; what Conficker adds is the Waledac spambot. The authors are renting the infected computers to spammers globally, and those computers are used to send spam out. That spam will spread the worm further and will likely cause more trouble in the near future.

This worm is smart, and IT staff MUST stay on their toes to protect their users. Mail scanners are being updated, and Yahoo and Google have reportedly already updated their filters to catch Conficker emails. But the fun doesn't stop there. Conficker keeps updating itself, and it spreads inside the network too: through the MS08-067 Server service hole, through administrative shares (it guesses weak passwords from a built-in dictionary), and through removable media. So just how would a worm like this get into a secure network?

The average end user doesn't usually think about computer security. For an IT person, that means trouble. End users have access to all sorts of portable media now: flash drives, CD-RWs, you name it. So what happens when Mr. End User brings pictures of his kids into work on a flash drive or a camera SD card to show off at the office? If Autorun is on, the worm's autorun.inf on that drive runs the moment it is plugged in.

We must be persistent in training our end users not to do this! Honestly, I've seen IT shops disable the front USB ports on computers to discourage it before. (As simple as unplugging the header cable from the motherboard inside the computer.)

According to one site, the worm is capable of spreading to any flash media. It does this with an autorun.inf file and a copy of itself hidden in a RECYCLER folder on the drive, so anything that mounts as a removable drive counts, including iPods, Zunes, and many other commonly connected devices. So don't go plugging your iPod into your friend's computer! Turning Autorun off is the more reliable fix: set the NoDriveTypeAutoRun value to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, and note that Windows only honours that value properly after the fix in Microsoft KB967715.
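Here is what an autorun.inf check for removable media looks like in practice. This is an added example written for this post, not code from the original page or from any vendor or from the worm itself. It flags the technique Conficker used on flash drives: a junk-padded autorun.inf whose "Action" text and icon mimic Windows' own "Open folder to view files" entry while the real command uses rundll32 to run a DLL hidden in the drive's RECYCLER folder. The sample file below is constructed, and the path and DLL name in it are hypothetical.

```python
"""Audit an autorun.inf for the Conficker-style 'open folder' impersonation.
Example code written for this blog post; the sample autorun.inf below is
constructed and the RECYCLER path and DLL name in it are hypothetical."""
import os
import re
import string

# The label Windows itself shows for the default AutoPlay action on a drive.
STOCK_FOLDER_ACTION = "open folder to view files"
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
_KV = re.compile(r"^\s*([a-z]+)\s*=(.*)$", re.IGNORECASE)


def parse_autorun(raw):
    """Return (key -> value dict, junk_ratio).

    Windows' autorun parser silently skips lines it cannot read, so a worm
    can bury the real keys between blobs of binary garbage to defeat naive
    signature scanners. We skip unreadable lines the same way, but also
    measure how much of the file is unprintable.
    """
    text = raw.decode("latin-1")
    printable = sum(ch in string.printable for ch in text)
    junk_ratio = 1.0 - printable / max(len(text), 1)
    keys = {}
    for line in text.split("\n"):
        m = _KV.match(line)
        if m:
            keys[m.group(1).lower()] = m.group(2).strip()
    return keys, junk_ratio


def audit_autorun(raw):
    """Return human-readable findings; an empty list means nothing suspicious."""
    keys, junk_ratio = parse_autorun(raw)
    findings = []
    # shellexecute takes precedence over open, as it does in Windows.
    command = (keys.get("shellexecute") or keys.get("open") or "").lower()
    if command:
        if "rundll32" in command:
            findings.append("command launches a DLL via rundll32: " + command)
        if any(d in command for d in SUSPICIOUS_DIRS):
            findings.append("command points into a recycle-bin/system folder: " + command)
    action = keys.get("action", "").lower()
    if command and STOCK_FOLDER_ACTION in action:
        findings.append("Action text impersonates Windows' own 'Open folder to view files' entry")
    icon = keys.get("icon", "").lower()
    if command and "shell32.dll" in icon:
        findings.append("icon borrowed from shell32.dll to look like a stock folder")
    if junk_ratio > 0.25:
        findings.append("%.0f%% of the file is unprintable padding" % (junk_ratio * 100))
    return findings


def audit_drive(root):
    """Audit the autorun.inf at the root of a mounted drive, e.g. 'E:\\'."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return []
    with open(path, "rb") as f:
        return audit_autorun(f.read())


# Constructed samples. JUNK stands in for the binary padding the worm used.
JUNK = bytes(range(0x80, 0xFF)) * 4
SAMPLE_WORM_STYLE = (
    b"[autorun]\r\n" + JUNK + b"\r\n"
    + b"Action=Open folder to view files\r\n" + JUNK + b"\r\n"
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n" + JUNK + b"\r\n"
    + b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-0000\\payload.dll,export\r\n"
    + b"UseAutoPlay=1\r\n"
)
SAMPLE_BENIGN = b"[autorun]\r\nicon=setup.exe\r\nlabel=Vacation Photos\r\nopen=setup.exe\r\n"

if __name__ == "__main__":
    for name, sample in (("worm-style", SAMPLE_WORM_STYLE), ("benign", SAMPLE_BENIGN)):
        print(name, "->", audit_autorun(sample) or ["clean"])
```

A plain `open=setup.exe` on a vendor CD is legitimate and produces no findings; the check only fires when the command hides in a system folder, goes through rundll32, or is dressed up to look like the folder action Windows would show anyway.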

So in conclusion:

  • Conficker A/B/C were mainly about distribution. Even so, B already disabled Automatic Updates and the security services, blocked lookups of security-vendor sites, and added spreading via removable drives and admin shares; nothing visible to the user on the front end.
  • Conficker D : Disables security software, patches dnsapi.dll in memory so that lookups of security-vendor (and Windows Update) domains fail, deletes the Safe Mode boot keys, disables Automatic Updates.
  • Conficker E : Exploits the MS08-067 Server service flaw over SMB/NetBIOS to push itself to other computers, disables Automatic Updates, blocks DNS lookups of security sites, kills security software, downloads and installs the Waledac spambot (the bots are then rented to spammers), downloads and installs the SpyProtect 2009 scareware (the fake alerts), and removes itself on May 3rd, 2009, which does not clean up the underlying infection.

So how do we protect ourselves? Conficker is still just a program; as security software and researchers work out its tricks, it will be circumvented. The safest way around it today is a preboot environment: boot from clean media, repair the damage, then undo the changes made to Safe Mode and the other software. The downside? Most preboot environments aren't stable enough yet.

The short answer: Conficker will likely require you to reinstall Windows fresh.
The long answer: it can be removed, but the methods aren't completely sound yet. Whichever route you take, apply MS08-067 and change weak administrator passwords before the machine goes back on the network, or it will simply be reinfected.

We'll talk next time about how worms spread and what makes a worm a worm.

Are you infected? Find out here: Conficker Eye Chart (it loads images from several security-vendor sites; if those fail to appear while the control images do, something on your machine is blocking lookups of security sites, which is exactly what Conficker does).
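The DNS filtering listed for the D and E variants above, and the Eye Chart test, can be checked at the protocol level rather than by eye. The following is an added example written for this post, not code from the original page or from any vendor: it asks the system resolver (which on Windows goes through dnsapi.dll, the library Conficker patches) and, separately, sends a raw UDP query straight to a DNS server, bypassing dnsapi.dll. A name the raw query resolves but the system resolver refuses is being filtered locally. It assumes UDP/53 is reachable, uses 8.8.8.8 as a placeholder resolver address, and uses www.example.com as a control name the worm does not filter.

```python
"""Detect a locally hooked resolver by comparing the OS resolver API with a
raw DNS query to the same server. Example code written for this blog post;
the domain lists, the 8.8.8.8 default and www.example.com are assumptions."""
import random
import socket
import struct

# Constructed list: Conficker fails lookups whose name contains strings for
# security vendors and Windows Update. A generic domain serves as the control.
SECURITY_DOMAINS = ["www.symantec.com", "www.mcafee.com", "www.f-secure.com",
                    "www.sophos.com", "windowsupdate.microsoft.com"]
CONTROL_DOMAIN = "www.example.com"   # assumption: not on the worm's filter list


def build_query(name, txid):
    """Build a minimal DNS A query: standard query, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Step over a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data, txid):
    """Return the IPv4 addresses in a DNS response; [] for NXDOMAIN/SERVFAIL."""
    rtxid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                 # RCODE != 0: no usable answer
        return []
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def direct_resolve(name, server="8.8.8.8", timeout=3.0):
    """Resolve over raw UDP to the DNS server, never touching dnsapi.dll."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return []
    return parse_a_records(data, txid)


def api_resolve(name):
    """Resolve through the OS resolver API, the path Conficker hooks on Windows."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def find_tampered(names, control, api=api_resolve, direct=direct_resolve):
    """Names that the raw query answers but the system resolver does not."""
    if not api(control) or not direct(control):
        raise RuntimeError("control lookup failed: network problem, not a hook")
    return [n for n in names if direct(n) and not api(n)]


if __name__ == "__main__":
    hits = find_tampered(SECURITY_DOMAINS, CONTROL_DOMAIN)
    print("filtered locally:", hits or "none (resolver looks clean)")
```

Run it on the suspect Windows machine itself; on a clean box both paths agree. A control failure on both paths means the network is down, not that the resolver is hooked, which is why the function refuses to guess in that case.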
