ESET Threat Blog

Archive for January, 2009

Conficker Statistics


Friday, January 30th, 2009

I just did some work on a report that quotes some of the various statistics – or do I mean guesstimates? – regarding how many machines were likely to have been infected by Conficker. That report has already gone out, but it’s been pointed out to me that the wording makes it sound like we’re estimating somewhere between 10 and 50 million.

That wasn’t, in fact, my intention: I’m not in a position to hazard a meaningful guess on the real figure, though even the much-cited guess of 9-10 million at the low end seems high to me, and I’ve heard some estimates in the past few days at around 1 million-1.5 million which seem likelier. However, the nature of the Internet makes it difficult to generate any statistics in almost any context based on unique IP addresses. Due to factors such as fast flux, NAT, dynamic addressing and so on, a straightforward statistic can mask huge variations either up or down. All credit to F-Secure for trying to establish some kind of ballpark figure: they’re braver than I am.

What I can tell you, for what it’s worth, is that in the report I just mentioned Conficker comes out third highest in our "top ten" for January, behind INF/Autorun and Win32/PWSOnLineGames. Does this give us any sort of clue?

Not really. These figures are based on detections of these threats on machines owned by ESET customers: this suggests malware blocked at the point of entry, though a few of them might be machines that were infected before an ESET scanner was installed. It emphatically does not represent a sample of the total population of infected PCs in the world. It does tell us that there are a lot of instances of attempted infections taking place, but it doesn’t give us any meaningful way of quantifying the number of machines that are broadcasting them.

So, sorry. I really have very little idea of how many of the billion or so current users of the Internet are doing so from Conficker-infected PCs. Somewhere between 1 million and 50 million, I’d say. Or more. Or possibly less. Would you settle for "quite a lot"?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

This is a Lie


Friday, January 30th, 2009

Well, this actually isn’t a lie, but a lot of what you read on the web are lies designed to steal money or identities. If you go to a web page and it says you need a new codec or new software to view a video or picture, or pretty much anything, the odds are that it is a trick to get you to install malicious software (malware). Consider the following story: http://redtape.msnbc.com/2009/01/post-1.html#posts

You go to your friend’s Twitter, Facebook, Myspace, or whatever web site, and see an urgent plea for help. Your first thought should be that the friend’s account has been stolen. If you needed help immediately, would you really put it up on your Facebook page or would you be doing something else to obtain assistance? Yeah, I can see where someone might use Twitter, but it is a really bad idea to believe such a request is genuine. Remember, for a while all of the accounts on Twitter were accessible using an easily guessed name and password. If you haven’t changed the password on your social networking page in the past 3 months, I strongly encourage you to do so.

Attacks against social networking sites are common. There is also a commonality between these attacks and emails that claim to provide government grants, IRS refunds, and a host of other free or low cost things. In all cases it is essential that you verify the facts before you part with money or any personal information.

The easiest way to hijack social networking profiles is to guess the password. This is because most people use really, really bad passwords. Using poor passwords for your email or other web accounts can put your friends at risk. No matter how obscure you think a word is, it is still easy for a computer to guess the password. No single word in any language is a good password. Always use at least two words if you must use words. It is even better if you use a number as well as a word, and a large number, like 1010 is much better than a small number.

Numbers less than about 895,435,776,880,213,776,992,053 are bad passwords and numbers that large are hard to remember. 123 is one of the worst and most common passwords. 123elephantpig would be a fairly good password, relative to numbers or words alone. Elephant100pig is even better for a password. You can use words and you can use numbers, but use them both at the same time!
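To show why the advice above holds, here is an added example (written for this page, not code from the original post or from ESET) that models the guesses an attacker needs when they know a password's shape: a digit run is brute-forced at 10 per digit, a word costs one dictionary lookup no matter how obscure it is, and concatenated segments multiply. The wordlist size (200,000), the doubling for a capitalised word, the tiny constructed wordlist used for splitting, and the cracking speed are all assumptions of the model.

```python
import re
from functools import lru_cache

# Model parameters, all assumed for this example (not from the post):
# a cracking wordlist of 200,000 entries, a x2 penalty for a capitalised
# word, and an offline rig trying a billion candidates per second.
DICTIONARY_SIZE = 200_000
CAPITALISATION_FACTOR = 2
GUESSES_PER_SECOND = 1_000_000_000

# Constructed stand-in for the attacker's wordlist, used only to split letter
# runs into words; a real cracker ships a far larger list.
WORDS = {"elephant", "pig", "password", "letmein", "dragon", "monkey"}

_SEGMENT = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


@lru_cache(maxsize=None)
def _letters_cost(run: str) -> int:
    """Cheapest way for the attacker to produce a run of letters: spend a
    dictionary lookup on a word it recognises (obscure or not, one word is
    one lookup), or brute-force one letter at 26 candidates. Very short
    words end up brute-forced because that is cheaper than the lookup."""
    if not run:
        return 1
    best = 26 * _letters_cost(run[1:])
    for i in range(1, len(run) + 1):
        word = run[:i]
        if word.lower() in WORDS:
            factor = DICTIONARY_SIZE
            if word != word.lower():
                factor *= CAPITALISATION_FACTOR
            best = min(best, factor * _letters_cost(run[i:]))
    return best


def guess_space(password: str) -> int:
    """Guesses needed by an attacker who knows the password's shape: the
    cost of each segment (words, digit run, symbol run) multiplied together,
    which is why word+number+word beats any single word or number."""
    total = 1
    for seg in _SEGMENT.findall(password):
        if seg.isdigit():
            total *= 10 ** len(seg)        # brute-force the digit run
        elif seg.isalpha():
            total *= _letters_cost(seg)    # dictionary words or raw letters
        else:
            total *= 33 ** len(seg)        # printable ASCII punctuation
    return total


def crack_seconds(password: str) -> float:
    """Worst-case time to exhaust the guess space at the assumed speed."""
    return guess_space(password) / GUESSES_PER_SECOND


def rank(passwords):
    """Candidates ordered weakest to strongest under the model."""
    return sorted(passwords, key=guess_space)


if __name__ == "__main__":
    for pw in rank(["123", "1010", "elephant", "123elephantpig", "Elephant100pig"]):
        print(f"{pw:16} {guess_space(pw):>20,} guesses  ~{crack_seconds(pw):.3g} s")
```

The ordering the post gives (numbers alone, then a word, then word+number, then capitalised word+number+word) falls out of the multiplication; note that under this model a long obscure word is no better than a common one, because both are a single lookup.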

Requests for help, threats of legal action, or offers of free things should always be viewed with skepticism, and always investigate before acting upon them.

If you have any general security questions, feel free to email me at askeset@eset.com, but the address is not for product support or requests for business relationships!

Randy Abrams
Director of Technical Education

Conficker Clarified


Friday, January 30th, 2009

I just happened upon a blog that made an interesting point about the information that’s been made available about Conficker. Essentially, the writer was fulsome in her praise of an article by Gary Hinson here, which gave some simple advice on dealing with Conficker/Downadup. As it happens, I’m familiar with the name Gary Hinson: he also contributes to a blog here to which I also contribute occasionally, and has posted some excellent stuff there. In fact, Randy and I wrote a paper for AVAR last year that cites one of those posts (it should be available on our white papers page here soon).

I have to agree that the simpler the better in a case like this, and most people are probably more interested in how to avoid or remove the thing than they are in the complexities of estimating how many infected machines there really are.

(Not that I mean to criticize F-Secure in any way for making that information available: after all, I belong to a community that finds that stuff fascinating. And they’ve certainly provided plenty of information more immediately relevant to the man-in-the-street, or perhaps I should say the end-user-on-the-information-superhighway.)

I felt that in this case, Gary had missed one or two essential points and perhaps had slightly oversimplified the issues. So here’s an attempt to be a little less geeky than Pierre-Marc and I were in an earlier post on the topic and boil it down to a more accessible form.

As there’s a great deal of malware around that exploits the autorun facility (autoinfect, as we sometimes rather harshly refer to it round here), it’s an excellent idea to disable it, but to do so effectively is a lot less straightforward than the procedure in Gary’s blog (though even that will lower the risk). Microsoft have revised their procedure for doing so at http://support.microsoft.com/kb/953252, but US CERT’s note at http://www.us-cert.gov/cas/techalerts/TA09-020A.html addresses some weaknesses in the procedure. I agree, though, that if looking at these procedures makes you nervous, you probably need support from someone more confident with PC maintenance.

But there’s a lot more to Conficker than autorun. The main reason that so many corporate systems are infected is that they haven’t patched the vulnerability described here, www.microsoft.com/technet/security/Bulletin/MS08-067.mspx, and they ought to be patching MS08-068 and MS09-001 at the same time. (See the earlier blog for more details.)

There’s also an issue with weakly passworded network shares that will certainly affect many corporate networks, though few home users, I’d guess. Like so much modern malware, Conficker will slip onto your system by any route it can find.

And because many home users will be using free but unsupported AV software, and in any case Conficker tries to stop infected systems from accessing vendor web sites, contacting the vendor may not be so simple. For cleaning purposes, the best option for many will be to get one of the Conficker-specific tools some vendors have made available, which will probably require access to an uninfected machine. Ours is here, but other vendors have similar tools. 

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Trends in Security Software


Wednesday, January 28th, 2009

I got asked "what is the big trend in security software at the moment".

It seems to me there are several significant threads to the answer, in terms of anti-malware.

  • Dynamic and/or behaviour analysis. Dynamic analysis as implemented in mainstream antimalware is basically an automated version of the dynamic analysis used in computer forensics. In general, it’s implemented by running suspect code in a safe environment to see how it behaves, so it’s sometimes referred to as behaviour analysis. However, strictly speaking, you don’t have to execute code to predict its behaviour, so dynamic analysis and behaviour analysis aren’t quite synonymous. I’ve just drafted a couple of papers related to this topic, so it’s much on my mind: it’s central to a number of initiatives that are about to come out of the Anti-Malware Testing Standards Organization (AMTSO).

  • Whitelisting could be said to be a newish spin on an old idea – a sort of cross between reputation services and integrity checking. From time to time, the term Integrity Management has been used to describe something very similar. In very simple terms, it’s the idea that you focus on letting through the things you know you want, and block things that you can’t vouch for, whereas blacklisting means you block what you know is bad (or at least suspicious). In the wider security field, the two approaches are known as "deny all" – you start by blocking everything and then allow exceptions – and "allow all" – you allow everything initially and then build a list of exceptions that won’t be allowed. Whitelisting is good practice, but it’s not always convenient, as Randy Abrams has discussed here before.

  • "In-the-cloud" isn’t exactly a definable security trend, though people talk about it as if it is: I see it as the application of distributed processing to more specific technologies. We use a form of it for processing threat data. At least one company is using it primarily to speed up its signature processing, which is a reasonable strategy for a product still focused on that approach.
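The "deny all" versus "allow all" distinction in the whitelisting item above, as an added example (written for this page, not code from the original post or from any ESET product): the same hash-based decision is evaluated under both policies so that the difference, and the inconvenience, is visible. The executable images, allowlist and blocklist are constructed stand-ins, not real binaries or real threat data.

```python
import hashlib
from enum import Enum


class Policy(Enum):
    DENY_ALL = "deny-all"    # whitelisting: only code you can vouch for runs
    ALLOW_ALL = "allow-all"  # blacklisting: everything runs unless known bad


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable images (not real binaries).
GOOD_IMAGE = b"MZ...approved-line-of-business-app-v1"
UPDATED_GOOD_IMAGE = b"MZ...approved-line-of-business-app-v2"   # same app, new build
BAD_IMAGE = b"MZ...known-worm-dropper"
UNKNOWN_IMAGE = b"MZ...never-seen-packer-output"

ALLOWLIST = {sha256_hex(GOOD_IMAGE)}   # hashes you have vouched for
BLOCKLIST = {sha256_hex(BAD_IMAGE)}    # hashes known to be bad


def decide(policy: Policy, image: bytes,
           allowlist=ALLOWLIST, blocklist=BLOCKLIST) -> bool:
    """True if the image may execute under the policy.

    A blocklist hit refuses execution under either policy (an explicitly bad
    hash must not run even if it was mistakenly allowlisted). After that,
    DENY_ALL requires a positive allowlist match, so anything unknown is
    refused; ALLOW_ALL lets anything unknown through.
    """
    digest = sha256_hex(image)
    if digest in blocklist:
        return False
    if policy is Policy.DENY_ALL:
        return digest in allowlist
    return True


def compare_policies(images: dict) -> dict:
    """For each named image, the verdict under both policies."""
    return {name: {p.value: decide(p, img) for p in Policy}
            for name, img in images.items()}


if __name__ == "__main__":
    samples = {"good-v1": GOOD_IMAGE, "good-v2": UPDATED_GOOD_IMAGE,
               "bad": BAD_IMAGE, "unknown": UNKNOWN_IMAGE}
    for name, verdicts in compare_policies(samples).items():
        print(f"{name:8} {verdicts}")
```

The "good-v2" row is the inconvenience: a legitimate update has a new hash, so under deny-all it is refused until someone vouches for it, whereas the never-seen sample runs freely under allow-all until a signature catches up with it.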

Actually, the real story (if there is one) is that mainstream vendors are consolidating a diversity of approaches into single products, which is pretty much what they’ve been doing for decades.

What gives the story interest is that different permutations and implementations work (and may be hyped!) differently.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Grant Me Your Wallet


Tuesday, January 27th, 2009

The email scam du jour is an email scam promising government grants. One of the highly prevalent ones is from an alleged company called “Rapid Grants Solutions Kit”. I decided to search for them. This time I used Google, Yahoo, Live.com, and Ask.com. In all cases the results looked pretty shady.

The results with Google provided some sponsored links. The top paid link, “The Grants Review.Com” included the following text to entice clickers to go to their web site:

“Warning! Want To Get A Grant? Do Not . Read This Warning.”

The site claims “As seen on MSN, CNBC, CNN, CBS News, ABC, WSJ.COM”, but they do not link to any of these companies’ web sites to allow you to verify that anything was written about them at all, or that it was anything more than a paid advertisement. Anyone can place a logo on their web site. The presence of the logo is not proof of anything. The most highly recommended “grant site” by thegrantsreview.com is earncashfromgrants.com.

The top hit on Yahoo, Live.com, and Ask.com was earncashfromgrants.com. So, essentially the four search engines landed with the same top hit.

I decided to check on www.earncashfromgrants.com. They have a nifty little calculator to help determine if you might be eligible for a grant. Actually, the calculator is to determine how likely you are to fall for a scam, I think. So, I decided to try it out. For some reason they want your first name. I entered “Howard”. Next they want your current marital status. I told them that “Howard is living with a significant other”. Howard earns over $150,000 per year, has lived at his current residence for 10 to 20 years, is employed, and was born in 1948.

Congratulations HOWARD, You Could Be Well On Your Way To Becoming One Of The Countless People Who Have Already Claimed Their Government Grant Money.

Wow, I even got 3:15 minutes to claim my Rapid Grants Solutions Kit!!! Particularly funny was the testimonial with the disclaimer “*Results were not typical. Individuals has been remunerated.”  This is a fancy way of saying that getting a government grant is not typical and they paid someone to say they had received a grant.

Next I decided to see if Satan qualified for a grant. I decided that Satan was single, made $0 to $35,000 per year, lived at his current residence for more than 20 years, was self employed and born in 1990. They do check, you have to be 18 or older! The results?

“Congratulations SATAN, You Could Be Well On Your Way To Becoming One Of The Countless People Who Have Already Claimed Their Government Grant Money!”

OK, one last chance. I told them I was Lehman Brothers…

“Congratulations LEHMAN BROTHERS, You Could Be Well On Your Way To Becoming One Of The Countless People Who Have Already Claimed Their Government Grant Money!”

OK, there is some credibility there!

When you try to leave their site it pops up a message box saying “Hey Wait! A live agent has a special discount for you!” but it is a chatbot and not a live agent. http://www.earncashfromgrants.com obviously lies.

The Yahoo search yielded a warning that one of the sites in the results is a potentially harmful website. This site did not show up in the first page of any other search engine though.

The cash for grants emails are scams and adwords do not mean you are dealing with an honest or reputable company.

Randy Abrams
Director of Technical Education

Enough to Break your Heartland: Fraud and Malware


Monday, January 26th, 2009

MSNBC put up some interesting comment on the Heartland security breach. Since they’ve put some emphasis on the involvement of malware in the breach, it’s worth making a few points.

* Heartland was PCI compliant when the breach occurred. The PCI DSS v1.2 Requirement #5.1.1 states: “Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.” The crux of the problem is that this is *old* wording. “Known types of malicious software” is mostly yesterday’s malware. In this regard, the new PCI DSS spec was out of date before it was even published (Oct 2008).

* In the Dark Reading article regarding this breach, Tim Wilson provided a quote from Palo Alto Networks, "Most security technologies in use today are about looking for the explicitly — and in most cases already known to be — bad. And that leaves a lot of room for error."

* This breach is almost a carbon-copy of the Hannaford Brothers breach in March ’08 – malicious software installed on servers which sniffed/intercepted credit card information and forwarded the data to a remote location.

* Heartland directly claims to process 4 billion transactions a year, a significantly larger number than the 100 million transactions a month listed in the various news articles. Although Heartland does more than credit card processing (check management systems, payroll, micropayments, etc.) it was the credit card processing part of their business that suffered the breach. According to the MSNBC article, Heartland publicly stated that about half of its business comes from restaurants. If Heartland is actually doing 4 billion transactions a year, and let’s say half of those are restaurants, then there are 2 billion transactions/year tied, specifically, to restaurants. Just the restaurant business would generate 166 million transactions /month. The final numbers could be staggering since Heartland is the 5th largest card processor in the country. This has the potential to overshadow the TJX breach by a very, very large margin.

On 22nd January, their stock dropped 42% (symbol: HPY). Again, according to the Dark Reading article, if it costs the processor $30/card to replace 100 million cards – that’s $3B in just replacements. Then there are the notices that have to be sent out, investigation and litigation costs, the cost to provide credit monitoring service for those affected and fines/penalties. Needless to say the brand erosion will play a factor in their additional loss of revenue.

This isn’t a “hacker” problem – it’s organized crime combined with incredibly complex and advanced software engineering. The developers writing the highly-targeted malware aren’t hacks – that’s a “yesterday problem”. They’re part of an organized crime ring and as such are criminals, not (just) hackers. The term, hackers, has a watering-down effect on the public and as such should be phased out in the context of organized (cyber)crime.

Jeff Debrosse CSA CC
Research Director, North America

 

The “Hard” Facts


Monday, January 26th, 2009

I was recently quoted at http://www.internetnews.com/search/article.php/3798021 regarding Google ad words. Actually, ad words matter to advertisers and to some of the bad guys, but I don’t think the average user pays much attention to whether the result is an ad or what the industry calls an “organic” hit, which is anything but organic and is a highly manipulated result that gets top spots in searches.

I decided to do a little checking, specifically on ad words. Google is trying really hard to make the ad words very valuable for consumers and for advertisers. Google wants the ads you see to be highly relevant to you, and also have a high chance of netting sales for their advertisers.

Stephen Shankland, a reporter for CNET News, sent me this link http://adwords.blogspot.com/2008/08/quality-score-improvements.html that talks about how Google is trying to maximize the value of ad words. So, I decided to do a completely unscientific study of how effective the strategy is.

Perhaps the most prolific spam and scams today are for Viagra being sold by “Canadian Pharmacies”, so “viagra canada” seemed like a great starting point to search. Sure enough, the top hit is for the paid advertising spot for www.viagra.com, the official Pfizer Viagra web site. That is pretty easy, but what about the second hit? CanadaDrugPharmacy.com/Viagra. How do I know if this is a legitimate web site?

Well, I did a little research and found that legitimate Canadian pharmacies should belong to an organization called CipaRx (http://www.ciparx.ca/). Member pharmacies will display the logo of the organization, but anyone can copy a logo and put it on their website. So, I followed the link for CanadaDrugPharmacy.com/Viagra and checked to see if they are members of CipaRx. The website displays logos for CipaRx and for “The International Pharmacy Association of British Columbia” (IPABC), but the logos were not linked to the organizations. I do not have any information about the legitimacy of IPABC; they may be legitimate. There is a lot of information about CipaRx. You cannot trust a logo on the web site; you need to go to the actual organization to see if the company you are researching is a member.

Before I report my relevant findings, I have to tell you this was a most amusing research project. Did you know there is a “Viagra Professional”? Professional? Is this for porn stars? Seriously, if you are getting paid for something then you are a professional; otherwise it is a hobby or amateur, or something other than professional. Former US Senator Bob Dole did a TV commercial for Viagra. I’m not sure who Pfizer would get to be a spokesperson for Viagra Professional…

The next surprise was “Viagra soft”. What is that for? I remember a history teacher who had a can of dehydrated water. This seems like the same kind of joke…

Back to ad words… So, you check your resources. Actually on one of CanadaDrugPharmacy.com’s web pages they do have a linked logo, but never trust the link… type in the site by hand. At http://www.ciparx.ca/pages/verify_membership.html you can verify if a Canadian pharmacy is a member. CanadaDrugPharmacy.com is a member… Good Job Google. The next ad word hit, northwestpharmacy.com is also a member. On the side bar there were several other hits. The first one I tried failed the test… but not because they are not a member, but because the CipaRX site is really picky. CanadaDrugCenter.com passes, but CanadaDrugCenter.com/ fails because of the “/” at the end. If you leave the “www.” at the front you will also fail to get the right results.

Many of the side bar hits were not Canadian pharmacies, but the ones that did come up seemed legitimate. It appears that despite there being some problems with Google ad words, there is a fairly high degree of success in their program. What do you need to know about ad words? Do not ever trust the results. The idea is to help narrow your search, but you still need to investigate any vendor you consider doing business with. A logo on a web site is not proof of certification. You need to manually type in the URL (address) of the certifying body and make sure the site is a member and that the certification organization is legitimate. It is easy for me to set up a site that says I certify pharmacies. It doesn’t mean it is legitimate. In the case of CipaRx, there is a lot of information that would lend credibility to them… but you have to look for it before you trust them.
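The trailing-slash and "www." failures described above are a normalisation problem: a membership register is keyed on a bare host name, and whatever you paste has to be reduced to that before the lookup means anything. As an added example (written for this page, not code from the original post, from ESET or from CipaRx), the following reduces a pasted address to its host and, when the host is not a member, flags members within a couple of edits of it, since a deceptive registration relies on you not noticing the difference. The member set is constructed from the three domains the post reports as passing; the real register is the one at ciparx.ca.

```python
from urllib.parse import urlsplit

# Constructed member list for the example: the three domains the post reports
# as passing the CipaRx check. Not the live register.
MEMBERS = {"canadadrugpharmacy.com", "northwestpharmacy.com", "canadadrugcenter.com"}


def normalise_domain(entry: str) -> str:
    """Reduce whatever a user pastes (scheme, www., path, trailing slash,
    port, mixed case, stray whitespace, trailing dot) to the bare host name a
    register is keyed on, so 'CanadaDrugCenter.com/' and
    'www.canadadrugcenter.com' both look up as 'canadadrugcenter.com'."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry          # urlsplit needs a scheme to find the host
    host = (urlsplit(entry).hostname or "").rstrip(".")   # .hostname lower-cases
    if host.startswith("www."):
        host = host[4:]
    return host


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_membership(entry: str, members=MEMBERS, max_distance: int = 2):
    """Return (host, is_member, look_alikes). A non-member within a few
    edits of a real member is reported so the near-miss is visible."""
    host = normalise_domain(entry)
    if host in members:
        return host, True, []
    look_alikes = sorted(m for m in members if _edit_distance(host, m) <= max_distance)
    return host, False, look_alikes


if __name__ == "__main__":
    for e in ["CanadaDrugCenter.com/", "http://www.northwestpharmacy.com/Viagra",
              "canadadrugpharmacy.co", "vigrxplus.com"]:
        print(e, "->", check_membership(e))
```

Typing the certifying body's own address by hand, as the post recommends, still applies: this only makes the lookup tolerant of how the pharmacy's address was written, it does not vouch for the register you are querying.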

So, why are the Canadian pharmacies so attractive? Money, of course. It isn’t just Viagra. Lipitor, a cholesterol medication, is about $300 in the US for 90 doses, where it is about $150 for the same supply from Canada. Viagra is not sold as a generic in most of the world (until 2012) and is about $15 per tablet, but a generic in Canada is less than $3. Paxil, a very common drug used to treat depression, is about $2.75 per pill in the US and $.75 in Canada.

People who don’t do their research pay for useless or even dangerous substances when they order online. Many are quick to assume that it is only greed by the pharmaceutical companies that prompts them to issue warnings about buying online, but consider this article http://www.signonsandiego.com/uniontrib/20050121/news_1n21bluepill.html

I had the pleasure of speaking to a contact at Google about the problem. I did receive an official comment from Google which is as follows:

"We understand that the abuse taking place through online pharmacies is a serious issue. Google has been heavily engaged on this issue, working with government agencies through both education and our Google Grants program. We also work with a third-party verification system that certifies for us that any party bidding on pharmaceutical related keywords is a licensed pharmacy associated with a licensed pharmacist in that state. Google plans to continue working with industry experts in order to help eliminate this online abuse."

I used Google to search, but the problem is Internet-wide and certainly not a “Google Problem.” I suspect you may find worse results with other search services.

The lessons go far beyond Viagra, ad words, and Google. Always investigate the online retailer you consider doing business with.

Randy Abrams
Director of Technical Education

Postscript… One of the hits on Google was for http://www.vigrxplus.com. This is a deliberately deceptive site. It doesn’t say “Viagra plus”, it says “VigRX plus”. When you try to leave the site it asks you to chat with a “live agent”. In fact the agent is not live and is a chatbot. Conclusion… Vigrxplus.com lacks integrity. Their dishonesty is blatant. They are also a high-level hit on Ask.com as well as on Google.

Money for Nothing…


Saturday, January 24th, 2009

…no promise of chicks for free, but I did get spam this morning offering me a "Free-Trial kit" for some scheme for "making money through the Internet by doing almost nothing" (probably some sort of pyramid scheme, I guess, updated with a reference to using Google).

While I’m not about to take up the offer, I always appreciate a sharp piece of social engineering. On this occasion, the main hook was that the "sender" (who knows who really sent this thing out?) had tried out the kit "herself" when worrying about impending redundancies in her day job. As it happens, this ties in rather nicely with something someone asked me about earlier in the week, after Richard Adhikari published an article about a reported increase in financial scams where the current recession (well, where I am it’s now officially a recession…) is used as a hook to scare potential victims into falling for a scam.

Much of that article focused on 419 scams. Advance fee fraud (especially 419s, i.e. lottery scams, job scams, and please-let-me-give-you-some-of-Saddam-Hussein’s-fortune type scams) is certainly prevalent, and some of it does seem to be a little more professional than it was. In fact, some 419 gangs have always been quick to seize on topics of current interest and twist them into a scam, and while the language and presentation has tended to be stereotyped and instantly recognizable to the experienced eye, they’re clearly still enjoying a lot of success.

But my impression is that phishers, stock-fraud gangs and mule-recruiters have been at least as adept at exploiting the current economic uncertainty, and have also polished their presentation skills. They also make far more use of technology (drive-by exploits, malware…) where 419-ers are still largely reliant on social engineering (or old-fashioned conning…) rather than technology.

What is for sure, though, is that what is being reported (and I’m certainly seeing) is a logical development: a scammer with a brain and no heart is likely to seize upon an issue like global recession that affects (and frightens) everybody, and use it to bait his hook. What’s more, I think we can assume that this particular hook will remain in use as long as there’s a recession to exploit. However, scammers of all persuasions will climb just as readily onto any other high-profile bandwagon that comes along.

While I don’t know whether scammers in general target their intended victims very specifically at the moment (419-ers certainly don’t seem to, usually), my guess is that their best “markets” at the moment will be (1) people scared of future crashes, redundancies etc. trying to future-proof their finances by various forms of investment (2) people who’ve been badly burned but have enough capital left to try something new.

There has been very specific targeting of potential victims in terms of intelligence hacking for some years now, and it seems logical that as the general level of public awareness of phishing scams and the like slowly rises, scammers will consider ways of improving their targeting and ROI. This is in accordance with the general “professionalization” of cybercrime in recent years, which makes increasing use of the same business models that legitimate businesses do.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

What Hath God Wrought?


Friday, January 23rd, 2009

“What hath God wrought?” were the contents of the first ever telegraph message. http://memory.loc.gov/ammem/today/may24.html

An ominous message that would seem to reveal that Samuel Morse understood some security implications of technology, except that it was his friend’s young daughter who appears to have suggested the biblical verse. Perhaps “What hath God wrought?” would have been a better first ever computer message. Rather than “Operating system not found”, “What hath God wrought?” would have been a better message! Microsoft would have been well advised, back in 1997, to display a message “What hath God wrought?” rather than “This document contains macros. Enable or Disable”. We see the technology abused on a scale that would have been unimaginable to Morse. Still, there are incredible benefits.

In the doom and gloom that makes up the daily grind of security blogging and news reporting we usually overlook the great things that technology brings.

My wife’s grandmother has a Presto (http://www.presto.com/) email machine. She can’t send email from it, but an effective whitelisting technology blocks spam and viruses and allows us to send her emails and pictures from all over the world. She loves receiving news of what and how her friends and relatives are doing. All of this without the need for technical expertise or security education.

Social networking sites allow us to meet people from all over the world. When I was 18, the cost of communicating with a person half way around the world was prohibitive. The viable options I had were expensive phone calls; inconvenient and still costly visits to Western Union, where my remote friend might not have the money to return a message; and affordable but slow post. Today I can IM with people who have access to computers and email, even though they may live on a very small income. Just today I was chatting with a friend in Turkey on IM and got this wonderful offer:

“if you happen to visit my hometown or Istanbul, I’d try my best to offer accommodation and free tour :)”

What an amazing thing that the internet helps create cross cultural friendships and can help us to learn about different cultures.

Thanks to technology, my friends and I can record songs we have written and share them. We can take pictures of beautiful places and share them. There are tons of wonderful things that technology brings us, but we mostly hear about the problems.

It really isn’t the intent to focus on the negative, but by pointing out the problems we hope to help people to avoid trouble. Just the same, mental health experts teach that it is important to appreciate, to be grateful for the good things we have. So, as you read the blogs and news articles that spell doom and destruction, remember to also think of the wonderful benefits your computer brings you. You’ll be much happier if you can learn to avoid problems, but also take some time to appreciate blessings.

Randy Abrams
Director of Technical Education

Confounding Conficker


Friday, January 23rd, 2009

[Update: Spiegel Online reports (in German!) that the total may be as high as 50 million infected machines: however, this figure seems to be extrapolated from the number of infections picked up by Panda's online scanner. Statistically, I'm not sure it makes any sense at all to try to correlate this self-selecting sample to the total population of online machines, though. (Thanks, Andreas, for drawing my attention to this item!) By the way, our own online scanner is here.]

9.5 million and climbing. PCs infected by Conficker (Downadup), that is, at least according to some sources. Some doubts have been expressed about how accurate F-Secure’s calculation is or can be, but as the company have made quite clear, there are many factors that complicate the calculation. Nonetheless, it’s clear that there are very high volumes of infected machines out there (though there are signs that the number has started to level off), so it’s unsurprising that it’s attracted so much media attention.

Since its appearance last autumn, our research teams around the globe have been paying close attention to this threat. Before we share a little more information on some of the malware’s less widely publicized characteristics, though, let’s stop panicking about the sheer size of the numbers and get back to trying to reduce them. Conficker makes use of a wide range of attack vectors, so here are some approaches to closing some of the holes.

First of all, of course, use good antimalware programs (we can suggest a particularly good one!), but don’t expect them to give you absolute protection, no matter what you do.

Obviously, systems with up-to-date anti-malware are less likely to fall prey to a Conficker variant than systems that are inadequately protected. Like other companies, we’ve been detecting the many Conficker variants for some time, and have been updating our detections (signatures and heuristics) regularly as more information on new variants comes in. The real Conficker story was topical between its discovery in October and the beginning of this year, when we were working on more effective ways to detect this threat in memory and to clean it. This is a sophisticated, complex threat, and it was necessary to create specific algorithms to address it fully, but up to now, detection has been pretty effective.

However, Conficker variants have gone way out of their way to hide from antimalware: for instance, by blocking domain names incorporating strings that suggest antimalware resources or companies. So it may be necessary to access updates or a Conficker-specific cleaning tool from a known clean machine.

One of the approaches Conficker takes to infection is to exploit the vulnerability described by Microsoft in their bulletin MS08-067, so patch vulnerable machines. (If they’re already infected, they’ll need to be cleaned first.) Another interesting characteristic is that it may itself patch the MS08-067 vulnerability on the systems it infects. (Since it uses multiple infection vectors, not all infected systems are unpatched.)

The MS08-067 vulnerability is present in the netapi32.NetpwPathCanonicalize function from netapi32.dll. An out-of-band patch was released by Microsoft on October 23rd last year, intended to fix this problem, but a lot of organizations still haven’t applied the patch to their systems. This is either because system administrators did not apply the patch in good time, or because home users are afraid to update because they are using pirated versions of their operating system. However, Win32/Conficker patches vulnerable systems by modifying the function containing the vulnerability and adding a jump at its beginning to memory that has been allocated by the worm. (We assume that this is to “spoil” the chances of other malware using the same exploit, rather than a gesture of goodwill by Conficker’s author.) In this memory area, the worm has copied a patched version of the function. Since the vulnerable function is self-contained, meaning that it doesn’t need to access any data other than its parameters, this technique is both stable and easy to implement. We recommend that you re-patch once the system is clean, rather than rely on the efficacy and persistence of the worm’s patching routine.

Clearly, not enough people (especially corporate organizations, it appears) have been patching in a timely manner. Where a machine is already infected, automatic updating is likely to be disabled (whether by the system owner/administrator or by malware), so you need to (a) understand the problem and (b) take appropriate steps to remove the infection. You can’t fix/clean an infected machine simply by patching it: you need to disinfect it first. If you have machines that are uninfected but don’t have the patch, now would be the time to fix that. For some in-depth information on hot patching the MS08-067 vulnerability, please refer to the following web site: http://www.nynaeve.net/?p=226. You might want to apply MS08-068 and MS09-001 at the same time.
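As an added illustration (not ESET's code and not the worm's), here is the kind of check an incident responder can run over the bytes read at an exported function's entry point to spot the "jump into worm-allocated memory" patch described above; the module range, function address and byte sequences are constructed samples, not real netapi32.dll values.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of inspecting a function's first bytes as read from process memory. */
typedef enum { HOOK_NONE = 0, HOOK_JMP_IN_IMAGE = 1, HOOK_JMP_OUT_OF_IMAGE = 2 } hook_status;

/* x86 immediates are little-endian. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* code/len:           bytes at the function's entry point
 * func_va:            virtual address those bytes were read from (32-bit process)
 * image_lo/image_hi:  [lo, hi) address range of the module that exports the function
 * target:             receives the transfer destination when an inline jump is found
 * Recognises "jmp rel32" (E9) and "push imm32; ret" (68 .. C3) at the entry point.
 * A destination outside the owning module (heap or other allocated memory) is the
 * pattern the text describes; one inside it may be a legitimate vendor hot-patch. */
hook_status inspect_prologue(const uint8_t *code, size_t len, uint32_t func_va,
                             uint32_t image_lo, uint32_t image_hi, uint32_t *target)
{
    uint32_t dest;
    if (len >= 5 && code[0] == 0xE9) {
        dest = func_va + 5u + le32(code + 1);   /* next instruction + displacement, wraps mod 2^32 */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        dest = le32(code + 1);                  /* absolute address pushed, then "returned" to */
    } else {
        return HOOK_NONE;
    }
    if (target) *target = dest;
    return (dest >= image_lo && dest < image_hi) ? HOOK_JMP_IN_IMAGE : HOOK_JMP_OUT_OF_IMAGE;
}

/* Constructed sample (not real netapi32 addresses): module mapped at [0x5B860000, 0x5B8B5000),
 * function entry at 0x5B86A000, worm-allocated buffer at 0x00A30000. */
const uint32_t SAMPLE_IMAGE_LO = 0x5B860000u, SAMPLE_IMAGE_HI = 0x5B8B5000u;
const uint32_t SAMPLE_FUNC_VA  = 0x5B86A000u;
/* Microsoft's standard hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp */
const uint8_t CLEAN_PROLOGUE[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* Same entry after an inline patch: jmp rel32 whose displacement lands on 0x00A30000 */
const uint8_t HOOKED_PROLOGUE[5] = { 0xE9, 0xFB, 0x5F, 0x1C, 0xA5 };

int main(void) {
    uint32_t t = 0;
    hook_status s = inspect_prologue(HOOKED_PROLOGUE, sizeof HOOKED_PROLOGUE, SAMPLE_FUNC_VA,
                                     SAMPLE_IMAGE_LO, SAMPLE_IMAGE_HI, &t);
    printf("status=%d target=0x%08X\n", (int)s, t);   /* status=2 target=0x00A30000 */
    return 0;
}
```

Comparing the first bytes found in memory against the same bytes in the file on disk is the companion check; either way, the machine is disinfected and re-patched with the vendor update rather than left with the worm's version of the function.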

However, there are other factors such as weakly passworded admin shares (see, for instance, http://news.bbc.co.uk/1/hi/technology/7832652.stm). The worm attempts to access local network shares using a dictionary attack to try really basic login passwords/credentials. In a corporate environment, it makes sense to close admin shares and network-mounted drives while disinfecting, so that cleaned machines aren’t immediately reinfected, and ensure that strong passwords are in use before re-opening them.

Martin Overton made some useful suggestions on an AVIEN mailing list for restricting the spread of the infection over a network, including setting up SMBLure (see http://www.utdallas.edu/~pauls/smblure/ and http://momusings.com/papers/VB2003-Worm_Charming.pdf) to track machines broadcasting infected files to open shares, and using a Snort signature to block malcode with a known MD5 value. Martin is rather handy at using Snort signatures as an anti-malware tool, and has made available (along with other resources) one or two very nice papers on the topic at http://momusings.com.

Conficker also makes heavy use of the Autorun facility in Windows. We’ve been pointing out for years that this is a facility that should be disabled by default (malware that exploits it is one of the most consistent problems flagged by our ThreatSense.Net tracking system). It’s certainly a good idea to disable it at least temporarily while cleaning systems, to cut down on the risk of reinfection. We are pleased to note that Microsoft have now revisited the process for disabling it – see http://support.microsoft.com/kb/953252. However, US-CERT have an excellent technical note on the process at http://www.us-cert.gov/cas/techalerts/TA09-020A.html. While The Register is scornful of its high geek content, we recommend the SyS:DoesNotExist solution described in US-CERT’s bulletin rather than Microsoft’s. Martin also remarks that the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 key needs to be removed before rebooting the system: otherwise, USB devices used before will still autorun (this is also addressed in the US-CERT bulletin).


Pierre-Marc Bureau and David Harley
ESET Research Team
(Tip of the hat to Martin Overton for his input to this blog.)