ESET Threat Blog

Archive for the 'confiker' Category

September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections.  This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, this is not unexpected, and it is still below the 12.58% seen in July.  The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and via AutoRun on removable media such as USB flash drives.  ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
 
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading.  While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology.  For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%.  Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
 
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled.  This has been discussed earlier in ESET’s Threat blog here and here, and US-CERT, a federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this unneeded functionality from your PC instantly immunizes it against a technique used by nearly a fifth of malware out there.  The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable, so they can be employed in a managed computer environment with a minimum amount of effort.  We strongly recommend doing this.
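As an added example of the scriptable approach described above (this is not ESET’s or Microsoft’s code), the following PowerShell sets the documented NoDriveTypeAutoRun policy value to cover every drive type and reports whether the HonorAutorunSetting value that Microsoft’s AutoRun update is described as creating is present. It assumes an elevated session on one of the Windows versions named above, and that the value names and the expected value of 1 match Microsoft’s knowledgebase article.

```powershell
# Added example (not from the ESET post or Microsoft's KB article): disable AutoRun
# on all drive types and check whether the Microsoft AutoRun update appears installed.
# Assumption: run elevated; value names/meanings taken from Microsoft's KB on AutoRun.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # bit mask, one bit per drive type; 0xFF disables AutoRun on every type

function Get-AutoRunState {
    # Returns the two policy values, or $null for each one that is absent.
    $state = New-Object PSObject -Property @{ NoDriveTypeAutoRun = $null; HonorAutorunSetting = $null }
    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        if ($props.PSObject.Properties['NoDriveTypeAutoRun'])  { $state.NoDriveTypeAutoRun  = $props.NoDriveTypeAutoRun }
        if ($props.PSObject.Properties['HonorAutorunSetting']) { $state.HonorAutorunSetting = $props.HonorAutorunSetting }
    }
    return $state
}

function Disable-AutoRun {
    # Creates the policy key if needed, then writes the DWORD that Explorer reads.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
}

$before = Get-AutoRunState
Write-Host ("Before: NoDriveTypeAutoRun={0} HonorAutorunSetting={1}" -f $before.NoDriveTypeAutoRun, $before.HonorAutorunSetting)

Disable-AutoRun

$after = Get-AutoRunState
Write-Host ("After:  NoDriveTypeAutoRun={0} HonorAutorunSetting={1}" -f $after.NoDriveTypeAutoRun, $after.HonorAutorunSetting)

if ($after.NoDriveTypeAutoRun -ne $AllDrives) {
    Write-Warning "NoDriveTypeAutoRun was not written; run this from an elevated session."
}
# Assumption: per Microsoft's KB, HonorAutorunSetting=1 is created by the AutoRun update;
# without the update, the policy value above is not honoured consistently on older builds.
if ($after.HonorAutorunSetting -ne 1) {
    Write-Warning "HonorAutorunSetting not found: install Microsoft's AutoRun update so the policy value is honoured."
}
```

Run it once per PC, or push it through your management tooling; the two warnings are the checks worth keeping in a compliance script.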

Conclusion

As you can see, malware relies on a number of ways to spread, some of which are solved by updating the operating system and others by changing the less-secure behavior that was chosen in less secure times to more modern secure settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Septic Thumb Drive


Friday, September 4th, 2009

The Register has reported that it cost Ealing Council, in London (UK) some £500,000 in lost revenue and repairs after a "virus infection" in May. According to El Reg’s John Leyden, the virus in question was Conficker-D, though because of differences in Conficker variant naming, it’s difficult to say exactly which variant that would refer to. Not that it matters very much at this point, I suppose.

According to the Guardian further costs to the Council include:

  • 1,838 parking tickets cancelled (total cost of £90,000)
  • libraries lost £25,000 in fines and booking fees
  • an unspecified amount of council property rent went uncollected (presumably the council expects to catch up with this, but will obviously lose out on revenue in the short term)
  • £14,000 spent on clearing housing benefit claims.

The cause of the infection has been traced back to a council employee who plugged an infected USB memory stick of some kind into a PC at work.

Now do you believe us when we tell you that you need to install the Microsoft patches that will stop Autorun executing from most USB devices?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Potentially Abandoned Conficker Grows


Monday, August 3rd, 2009

According to an article at Internetnews.com http://www.internetnews.com/security/article.php/3832846 the authors of the Conficker botnet may have abandoned it, yet it continues to grow in numbers. The growth of the botnet is troubling because it is completely preventable and because it means the infected computers are vulnerable to other threats and that these users are not using security software that is current.

Conficker spreads through USB devices using autorun. Disabling autorun is a good security precaution. I’ve blogged on it a few times before.

Conficker spreads by exploiting a vulnerability in Windows, except if you patch like you should. Evidently many corporate IT people failed to learn the lessons of CodeRed, Nimda, Slammer, Sasser, BubbleBoy, and a host of other threats from days gone by that were preventable just by applying security patches.

Conficker also spreads through share folders on networks. People need to use strong passwords and protect network shares.

It isn’t really surprising that the authors may have abandoned the botnet as it is encountering significant scrutiny, but it is disappointing that the growth of the botnet is a barometer of the current state of security, and it leaves a lot to be desired.

Randy Abrams
Director of Technical Education

After the Hype is Gone


Friday, April 3rd, 2009

We all have recently endured a week or so of extensive media hype about a worm called “Conficker”. Phrases such as “One of the worst viruses ever” and other such nonsense were tossed around like promises at a political rally, with about the same level of honesty and accuracy, perhaps even less.

Conficker was already live before April 1st. Conficker remains exactly as threatening today as it was on April 1st and every day before then. Conficker remains a small percentage of the number of threats you need to be concerned about.

To date, despite being one of the more widespread threats, Conficker has been less harmful than many other threats. The most damaging thing Conficker does is to disable security software and block access to security sites. This is something that many other threats do as well.

If April 1 was a date to worry about, then the problem has only gotten worse since then and you should be more concerned now than you were then.

Each day since then several new threats have appeared; they just haven’t captured the imagination of gossip rags like the New York Times and 60 Minutes.

Problems such as phishing, identity theft, credit card fraud, spam, and extortion have not subsided. The Conficker worm has not gotten any less dangerous and still is not as dangerous as many other threats out there.

Don’t get complacent now that April 1 has come and gone. Conficker was the least of your legitimate worries. Antivirus is only a part of being secure. As much as you may hate to have to learn more about computer security, nothing but education is going to allow you to make the right decisions to be secure, so yeah, use security software, but become more savvy too.

As I have said before, http://staysafeonline.org is a great place to start. Next week you can check http://www.sdchamber-members.org/TechTip.htm for a tip on how to keep track of your passwords. The article may go up on Monday, but I am guessing Tuesday.

As always, feel free to email me at askeset@eset.com for general security questions. I do not handle tech support there, but I am delighted to help with your general questions.

Randy Abrams
Director of Technical Education

How Embarrassing


Thursday, April 2nd, 2009

I wondered why a newsletter from “Windows Secrets” got flagged as spam. It is because they have reduced themselves to as much.

Near the top of the newsletter it proclaimed:

Remove the Conficker worm: register now

Conficker is one of the worst viruses in history and has infected over 15 million PCs. We are offering a special 60% time-limited discount to Windows Secrets readers. The Conficker worm went live on April 1st. Protect yourself with ParetoLogic Anti-Virus PLUS!
ParetoLogic Anti-Virus PLUS

Now, this is actually a paid advertisement, but the information is blatantly misleading. The Conficker worm did not go active on April 1. The Conficker worm has been active for months. On April 1 the Conficker worm changed an algorithm, that’s all. The Conficker worm is not one of the worst viruses in history. The worm is one of the most widespread, but it is not known to have stolen data, as many threats have done. Conficker is not known to have sent spam. Conficker has not been confirmed as participating in DDoS for extortion attacks. Conficker has not been implicated in identity theft or credit card fraud.

When WindowsSecrets.com is willing to publish such sad hype and misleading information for a few bucks, you have to question the validity of any information they publish.

ParetoLogic is a Checkmark certified product, but their blatantly inaccurate and misleading hype is an embarrassment to the entire security industry.

Randy Abrams
Director of Technical Education

For the Hypochondriacs…


Wednesday, April 1st, 2009

I’ve tried to convince you all that you really need to watch out for all of the threats and that it really isn’t worth worrying about Conficker, but if you are still worried about Conficker we do have a knowledge base article you can peruse at http://kb.eset.com/esetkb/index?page=content&id=SOLN2209.

If you apply your security patches, disable autorun, and exercise a bit of caution about what programs you download and open you will avoid the much more harmful threats as well as Conficker.

The knowledge base http://kb.eset.com/esetkb/index?page=home has a lot of other useful information as well!

Randy Abrams
Director of Technical Education

Conficker Launches Cyber Attack Against Big Ben


Tuesday, March 31st, 2009

In an apparent effort to cause British commuters to miss their trains, Chinese hackers have ordered the Conficker.C botnet to randomly change the time on the venerable and vulnerable Big Ben. This has caused millions of Londoners to be late for work this morning.

Hey, this is no more ridiculous than trying to protect against Conficker. Why is it ridiculous? Because Conficker is only a symptom of poor security. If you disable autorun you protect against thousands of threats, including Conficker. Your aim should be to prevent the vulnerability, not the exploitation of the vulnerability. If you have strong passwords you protect against lots of attacks, including Conficker. Weak passwords leave you exposed to much more than Conficker. If you keep your operating system patched and your anti-virus up to date you protect against hundreds of thousands of threats, including Conficker.

So, you have an army about to attack you. Do you ask how to defend against a single soldier or do you defend against the army?

The interesting thing about Conficker.C is that by registering 50,000 domains each day it is making a lot of noise. An incredible amount of noise. It occurs to me that perhaps the purpose of this is to draw attention away from another attack. Perhaps Conficker.C is a decoy. Are you going to fall for the decoy or protect against the other 99.9% of the threats out there in addition to Conficker?

Education is essential to security. I recommend you go to http://www.staysafeonline.org and start reading and getting educated. You can also find tips for good passwords, disabling autorun, and other advice from me at http://www.sdchamber-members.org/TechTip.htm.

Randy Abrams
Director of Technical Education

Watch out for the Honda Accords


Monday, March 30th, 2009

Why watch out for the Honda Accords?  Well, automobile accidents are one of the leading causes of injury and death and Accords are very common cars. This sounds pretty silly, doesn’t it? I mean, wouldn’t it make sense to drive like any car is a potential threat and drive as best as you can to avoid accidents with all cars? Of course it makes sense. Do you eat or take vitamins only to avoid scurvy, or do you not worry about scurvy because you are taking the steps to prevent all kinds of diseases through proper nutrition?

There is a lot of talk about the Conficker worm. A worm that “triggers” on April 1st, except it doesn’t really do too much that is special or of importance to most users on April 1st.  Highly irrational thinking, concerning the Conficker worm is rampant. People see the hype and start to focus on “How do I know if I have Conficker and how do I prevent it?” when the rational approach is how do I make sure I am not infected with anything and how do I make sure I don’t get infected? There are far worse problems out there than Conficker and if you only focus on Conficker then you are diverting attention away from truly being secure. Do you cross the street despite the fact that 1,000 cars that are not Honda Accords are going through the intersection and each can kill or maim you, or do you wait until it is safe, regardless of the make and model of the cars?

OK, for those of you who are taking hype intravenously and no amount of rational thought will bring you comfort, go to control panel and open the Windows Security Center. If it is working you are not infected with Conficker.C. If the Security Center is not working then you may be infected with any of a number of different threats, many may be worse than Conficker. If you are an ESET customer, then call us for free tech support. If you are a customer of another vendor call them for tech support.

April 1st your computer is not going to melt down due to Conficker. The only thing that Conficker is going to do on April 1st is re-route communications links between Italy and France causing worldwide pizza orders to be delivered with snails instead of pepperoni. OK, if I said that on April 1st you would have known it is a joke :)

Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.

So, you still want to protect against Conficker? Here is what to do.  Make sure that the Windows Security Center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at askeset@eset.com if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment and that they also know what it is.  These instructions are not specifically for Conficker; this is simply part of how you protect against all of the threats out there.

It doesn’t much matter what I drive…if I don’t know how to drive safely, no car out there is as big a threat to me as I am to myself.

Get over the hype and practice security, not irrational fear.

Randy Abrams
Director of Technical Education

Conficker, Y2K, and Apocalypse Now


Sunday, March 29th, 2009

Around the end of the last decade, when I was working for a research organization in the UK, I used to write a monthly column on security for an in-house newspaper, and was rapped over the knuckles for telling this little story. I’ve probably changed the detail since then: I don’t keep everything I’ve written including shopping lists and notes to the milkman. (Unlike novelist Jack Trevor Story, or so he claimed in one of his more overtly autobiographical books.)

A man goes to collect his motor-car from a hypermarket parking lot in Helsinki. (Just trying for an international flavour here.) As he walks in, he notices one of the market’s employees scattering large clumps of catnip round the car-park perimeter.

"Why are you doing that?" he asks.

"To keep the lions away," the employee answers.

"But there aren’t any lions in Helsinki!*"

"See how effective it is?"

I was talking about Y2K, of course. Common sense suggested that most of the dire prognostications of hundreds of thousands of Y2K viruses and other malicious activity were either taken out of context, misguided or intentional fearmongering, and that as long as you took every possible countermeasure against problems you could predict and anything you could think of that would mitigate what you couldn’t predict, the chances were that it would be OK. As, indeed, it mostly was. And I guess we’ll never know whether all those updates and expensive consultancies were worth the money many of us paid out, because we can’t rewind and try it again without all the outlay.

So here we are again. Another year, another round of prophecies of disaster, a few from the fringes of the AV industry, but most from outside it. Expressions of sympathy here to Graham Cluley of Sophos and Mikko Hypponen of F-Secure, who were "quoted" in a Doom and Gloom story by an English tabloid claiming that "Millions of computers around the world could go into meltdown on April 1 because of a deadly virus." Apparently the journalist concerned didn’t actually bother to contact Graham or Mikko, presumably because he knew they’d be too busy getting ready to rescue all those melting PCs.

The sad thing is that "old guard" researchers like Graham and Mikko, mindful of the over-hyped "media viruses" of the past (Friday 13th, Columbus Day), have actually gone out of their way to present a balanced view of the issue, which I’d probably define as "Take all reasonable precautions, but don’t panic." Whatever happens, it’s unlikely to be as dramatic as expected, like the comparatively few systems affected by the triggering of Michelangelo or CIH/Chernobyl. (By comparatively few, I mean hundreds or thousands rather than millions.) In this case, there may be no immediately noticeable impact at all.

What’s the betting that if there’s no drama, it will be taken as another example of hype from the very industry whose public representatives have been trying to "un-hype" the issue?

By the way, here’s a nice bit of unhyping from Joe Stewart. And it’s nice to see the industry get some credit for "calm-mongering" from Thomas Claburn and George Hulme of Information Week. To pick up on something George referred to, the reason that we don’t know exactly what, if anything, will happen on April 1st, despite having the code to analyse, is that the code doesn’t tell us. I guess that’s exactly what is piquing our curiosity.

* I’ve never been to Helsinki, but yes, it does have a zoo. However, I don’t think it has any large African mammals, as they don’t do well in that climate.

** Why did I get my knuckles rapped? Because the chief librarian*** objected to any hint that her team might not be in absolute control of the situation. A friend of mine was actually fired for talking about how the issue was being addressed in the same organization on a public mailing list, so I guess what saved me was the fact that the article didn’t make it to print. 

*** No, I don’t know why the library were running the project rather than the IT team who looked after the computer systems, or the estates team who looked after the laboratory equipment. Feel free to make suggestions below, but there are no prizes on offer.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence.

Conficker Removal (Update)


Saturday, March 28th, 2009

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batchfiles thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it it was actually posted by our labs back in January, but it still applies.

  1. Disconnect the infected computer from the network and the Internet.
  2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001.
  3. Reset your system passwords to admin accounts using more sophisticated ones. [Note that it can spread through shared folders.]
  4. Download a one-off ESET application (again, using a non-infected PC) which will remove the worm.
  5. Install the updated anti-virus program.
  6. Re-connect the PC to the network and the Internet.

You might also want to disable Autorun.

Here’s a bit more information about using the standalone utility mentioned in step 4.  

If you access that link and run it rather than save it, you might be confused by the fact that it’s a text mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal with a C:\  or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a multi-menu graphical interface (GUI).

  • If you have more than one PC to check/look after, or a slow connection, you might want to save it to the desktop rather than run it from the web site.
  • When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It’s unlikely to do any harm if you do run it, but if Conficker is not in memory, it probably isn’t on your system anyway and certainly poses no immediate threat. It’s more important at this point to check that your AV is installed and updating properly.
  • It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command line, and if you saved it as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
  • It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
  • I’ve also had someone mention that the DOS screen comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so have asked for more information.

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence