Protect yourself from Conficker



On April 1, a variant of the Conficker worm was programmed to change its behaviour; the date was hard-coded into that variant. Despite the fears, no damage was reported on the day.

Conficker is still a potential threat to everyone, however, and with reports of yet another variant emerging this week you need to know how to protect yourself from the worm.

What is Conficker?

So what has the entire tech community worried? Conficker, also known as Downup, Downadup and Kido, is a computer worm: it infects a computer and then spreads itself across the network without any human interaction.

The worm exploits a security hole in the Windows Server service (MS08-067), a remote code execution flaw in the RPC code that handles network paths, reachable over SMB (TCP port 445). The flaw affects Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and the beta of Windows 7. Because that list covers almost every Windows machine in use, security researchers fear the worst.

Estimates of the number of infected computers range from 9 million to 15 million, with a conservative lower estimate of around 3 million. Experts widely describe it as the worst infection since SQL Slammer, which on January 25, 2003, from about 5:30 AM London time, slowed internet traffic worldwide by exploiting a buffer overflow in Microsoft SQL Server 2000's resolution service.

What do we know about it?

[Diagram]

Four variants have been reported to Microsoft so far, with a fifth suspected to be in the wild. The second, Win32/Conficker.B, also spreads via network file shares and removable drives. Conficker also stops several Windows services, including Automatic Updates, Windows Security Center, Windows Defender and Windows Error Reporting, which is why an infected machine quietly stops getting patches and definitions.

We also know that the worm spreads not only via USB drives but across networks, at home or at work. Based on the information available, Conficker targets computers that have not installed the latest Microsoft patches. Admit it: we all think we are safe because we run an anti-virus, but both the operating system and the anti-virus need to be up to date to get maximum protection.

Over a peer-to-peer connection or HTTP (it generates a fresh list of domain names to try every day, which is why the April 1 date mattered), it downloads updates that instruct it to propagate, gather personal information such as bank details, and/or download additional malware onto the victim's computer. It injects itself into processes such as svchost.exe, explorer.exe and services.exe. It also deletes System Restore points, so restoring your computer to an earlier point will not remove the infection.

Image from: Microsoft

What is the IT industry’s response?

The industry's response has focused on finding ways to prevent infection and on finding those responsible. On 12 February 2009, Microsoft established a global coordinated effort against the worm (the Conficker Working Group), with members including Afilias, ICANN, Neustar, CNNIC, AOL, Symantec, F-Secure, Cisco and Facebook.

Microsoft also announced a US$250,000 reward for information leading to the arrest and conviction of those responsible for creating and/or distributing the worm.

How can I protect myself?

To protect yourself from Conficker, you must update your operating system and install the emergency patch that plugs the hole in the Windows Server service (MS08-067). If you recently updated your computer, check your update history (on Windows XP, Add or Remove Programs with "Show updates" ticked) to make sure the MS08-067 security update, KB958644, is listed.

If you haven't installed this patch, we recommend that you do so now, either through Windows Update or by downloading the patch for your Windows version directly from Microsoft's MS08-067 security bulletin. If you are using Windows XP Service Pack 1 or earlier, upgrade to Windows XP Service Pack 3 first (it includes Service Pack 2), because the patch is only provided for XP SP2 and SP3.

We also suggest that you update your anti-virus software regularly so that it receives new virus definitions. And don't pirate your anti-virus: if there is one thing worth paying for, it is this. There are also free anti-virus tools from trusted sources; you can find them at CNET Download.com, and here on TECHGEEK.com.au soon.

Because of the way Conficker.B spreads, we also suggest that you turn AutoRun off. The United States Computer Emergency Readiness Team (US-CERT) has published a guide on how to turn the AutoRun property off; it is a workaround, because on an unpatched system Windows did not fully honour its own AutoRun policy setting. The guide requires editing the registry, which carries some risk, so back up your registry and all your data and create a System Restore point first.

Microsoft has also published a guide on how to turn AutoRun off, but its method requires you to install a security update first (KB967715) so that Windows actually honours the setting.
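The following script is an added example, not part of the original article or of Microsoft's or US-CERT's own guidance. It reports on, and with -Fix applies, the protections described in this section: whether the MS08-067 update is installed, whether Microsoft's AutoRun policy is set, and whether US-CERT's registry workaround is in place. It assumes KB958644 is the hotfix ID of the MS08-067 update, that a NoDriveTypeAutoRun value of 0xFF is the Microsoft policy setting (honoured once KB967715 is installed), and that the Autorun.inf IniFileMapping entry is the US-CERT workaround. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Run as Administrator.
# Assumptions: KB958644 = MS08-067 update; NoDriveTypeAutoRun=0xFF = Microsoft
# AutoRun policy; the Autorun.inf IniFileMapping entry = US-CERT workaround.
param([switch]$Fix)   # without -Fix the script only reports

$report = @{}

# 1. Is the MS08-067 update installed? Get-HotFix reads the installed-updates list.
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
$report['MS08-067 update (KB958644) installed'] = [bool]$hotfix

# 2. Microsoft AutoRun policy: 0xFF disables AutoRun on every drive type.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value  = (Get-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$report['NoDriveTypeAutoRun = 0xFF'] = ($value -eq 0xFF)
if ($Fix -and $value -ne 0xFF) {
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# 3. US-CERT workaround: point Autorun.inf parsing at an INI section that does
#    not exist, so Windows ignores every autorun.inf regardless of the policy.
$mapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapped  = (Get-ItemProperty -Path $mapping -ErrorAction SilentlyContinue).'(default)'
$report['Autorun.inf IniFileMapping workaround'] = ($mapped -eq '@SYS:DoesNotExist')
if ($Fix -and $mapped -ne '@SYS:DoesNotExist') {
    if (-not (Test-Path $mapping)) { New-Item -Path $mapping -Force | Out-Null }
    Set-ItemProperty -Path $mapping -Name '(default)' -Value '@SYS:DoesNotExist'
}

# Print one line per check.
$report.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-42} {1}' -f $_.Name, $(if ($_.Value) { 'OK' } else { 'ACTION NEEDED' })
}
if (-not $Fix) {
    'Re-run with -Fix to apply the AutoRun settings; the patch itself comes from Windows Update.'
}
```

The script never tries to install the patch itself: that should come from Windows Update or the bulletin download, so the file's signature is checked. Keep the registry backup the section recommends before running with -Fix, and note that on a machine already infected the worm may have disabled Automatic Updates, so the KB958644 check failing is itself worth investigating.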

How can I tell if I am infected by the virus?

[Image: the Conficker Eye Chart]

Before you do anything else, make sure you are not already infected. To test this, go to the Conficker Eye Chart (hosted by the Conficker Working Group). If you are not infected, you should see all three logos on the top row, as in the image above. The test works because the worm blocks access to security vendors' websites: the three top images are served from security vendors' sites, so on a clean machine all three load.

If you can only see the one in the middle, you are possibly infected with Conficker.A or Conficker.B. If you cannot see any of the top row, you are likely infected with Conficker.C or a later variant.

If you cannot see any of the images, top or bottom, your browser is probably blocking images; turn that off before testing. Any other combination, such as two on the top row and one on the bottom, points to a problem with your internet connection or a filtering proxy rather than Conficker, and the test is inconclusive. Treat the chart as a hint, not proof: it only tells you something if the bottom row (non-security sites) loads, and a clean result does not rule out an infection that the removal tools below would find.
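The script below is an added example; it is not part of the original article or of the eye chart page. It reproduces the chart's logic from a script and adds one local check the chart cannot make. Conficker blocks name resolution for security-vendor domains and stops several Windows services, so the script (a) fetches a few vendor sites and a few unrelated control sites and classifies the pattern the way the chart does, and (b) lists the state of the services the worm disables. The URLs are illustrative stand-ins for the chart's image links, not the chart's own, and the service names are the Windows XP ones (Error Reporting is WerSvc on Vista and later).

```powershell
# Added example (not from the original article or the eye chart page).
# Assumptions: the URLs below are stand-ins for the chart's image links;
# service names are the Windows XP ones.

function Test-Reachable([string]$Url) {
    # Any bytes back means the name resolved and the site answered.
    try {
        $client = New-Object System.Net.WebClient
        [void]$client.DownloadData($Url)
        return $true
    } catch {
        return $false
    }
}

function Get-EyeChartVerdict([bool[]]$VendorOk, [bool[]]$ControlOk) {
    $vendorUp  = @($VendorOk  | Where-Object { $_ }).Count
    $controlUp = @($ControlOk | Where-Object { $_ }).Count
    # The test only means something if the non-security control sites load.
    if ($controlUp -lt $ControlOk.Count) { return 'inconclusive' }
    if ($vendorUp -eq $VendorOk.Count)   { return 'clean' }
    if ($vendorUp -eq 0)                 { return 'conficker-c-or-later' }
    return 'conficker-a-or-b'
}

# Security-vendor sites (what the top row of the chart loads) and
# unrelated control sites (the bottom row). Both lists are assumptions.
$vendorUrls  = 'http://www.symantec.com/', 'http://www.f-secure.com/', 'http://www.sophos.com/'
$controlUrls = 'http://www.wikipedia.org/', 'http://www.bbc.co.uk/'

$vendorOk  = [bool[]]($vendorUrls  | ForEach-Object { Test-Reachable $_ })
$controlOk = [bool[]]($controlUrls | ForEach-Object { Test-Reachable $_ })
$verdict   = Get-EyeChartVerdict $vendorOk $controlOk

$messages = @{
    'clean'                = 'All security sites reachable: no sign of Conficker from here.'
    'conficker-a-or-b'     = 'Some security sites blocked: possible Conficker.A or .B.'
    'conficker-c-or-later' = 'All security sites blocked: possible Conficker.C or later.'
    'inconclusive'         = 'Control sites did not load: fix the connection or proxy and retry.'
}
"Eye chart verdict: $($messages[$verdict])"

# Local indicator: the services the article says the worm stops. Not proof on
# its own (a user or another tool can stop them too), but a stopped Automatic
# Updates or Security Center next to a blocked-vendor verdict is a strong sign.
'Services Conficker is known to stop:'
foreach ($name in 'wuauserv', 'wscsvc', 'WinDefend', 'ERSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { '  {0,-10} {1}' -f $name, $svc.Status }
}
```

Both the chart and this script rely on the worm blocking lookups for the process that makes the request, so a "clean" verdict here is a hint rather than proof; the removal tools in the next section are the authority. Run it from a machine that has an unfiltered internet connection, or the control-site check will correctly report the result as inconclusive.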

OK, I’m infected. Now what do I do?

If you are infected, get off your computer right now. We are not saying you should abandon it, but you must use another computer that is not infected, and preferably one that is not on your network, since any other computers in your home, school or business may be infected too, depending on the variant. In other words, go to a computer that belongs to a friend.

The reason we ask you to use someone else's computer is that the worm blocks security websites, so from the infected machine you may be unable to download the patch or a removal tool at all. Bring a blank CD/DVD, SD card or USB stick to carry the tools, and make sure it has not itself been infected; a write-once CD/DVD is the safest choice, since the worm spreads via writable removable drives.

Now download one of several free removal tools that can scan for and remove the worm completely. DO NOT GOOGLE FOR THE SOFTWARE! The last thing we want is for you to download a fake copy that infects the computer with a different piece of malware or makes it unstable. TECHGEEK.com.au has compiled a list for you so you don't have to search.

Security vendors including Symantec, McAfee, ESET, Kaspersky Lab and Sophos have issued tools to clean up the infection. Microsoft has also issued an update to its Malicious Software Removal Tool, which can be downloaded from the Microsoft Download Center. A full list of tools can be found at DShield (the SANS Internet Storm Center), where removal instructions, remote anti-virus scanning and removal tools are available. Clean the machine first, then install the MS08-067 patch and turn AutoRun off before you put it back on the network; otherwise it will simply be reinfected by the next infected machine or USB stick it meets.

What happens now?

The short answer is that we don't know. There is no conclusive evidence on how it will affect us now or in the future. The expected download of new instructions on April 1 did not happen. Because of the mass speculation, the whole industry is saying the same thing: patch your computers to reduce the risk of it spreading to you.

No one, not even me, the security vendors or Microsoft, has a clue what kind of damage it will do. Stealing data, sending spam and distributed denial-of-service (DDoS) attacks are the most likely things the worm would do, but it is still unknown at this point.

Some of you are considering turning off your computers right now, aren't you? The sad truth is that the worm can stay active for months on end, because it keeps updating itself. And if it keeps updating, it may gain new holes to exploit, repeating the cycle: if you aren't patched, you are more likely to be infected because there is a security hole in the operating system.

Either way, Conficker may go down in history as the worm that managed to whip the public into such a frenzy.

TECHGEEK.com.au cannot be held responsible for any problems arising from clicking the links provided in this article. The links were chosen in good faith, using numerous resources. Click at your own risk.