Last-minute Conficker survival guide

[boomer]

http://tech.yahoo.com/blogs/null/132464


Tomorrow -- April 1 -- is D-Day for Conficker, as whatever nasty payload it's packing is currently set to activate. What happens come midnight is a mystery: Will it turn the millions of infected computers into spam-sending zombie robots? Or will it start capturing everything you type -- passwords, credit card numbers, etc. -- and send that information back to its masters?

No one knows, but we'll probably find out soon.

Or not. As Slate notes, Conficker is scheduled to go "live" on April 1, but whoever's controlling it could choose not to wreak havoc but instead do absolutely nothing, waiting for a time when there's less heat. They can do this because the way Conficker is designed is extremely clever: Rather than containing a list of specific, static instructions, Conficker reaches out to the web to receive updated marching orders via a huge list of websites it creates. Conficker.C -- the latest bad boy -- will start checking 50,000 different semi-randomly-generated sites a day looking for instructions, so there's no way to shut down all of them. If just one of those sites goes live with legitimate instructions, Conficker keeps on trucking.

Conficker's a nasty little worm that takes serious efforts to bypass your security defenses, but you aren't without some tools in your arsenal to protect yourself.

Your first step should be the tools you already have: Windows Update, to make sure your computer is fully patched, and your current antivirus software, to make sure anything that slips through the cracks is caught.

But if Conficker's already on your machine, it may bypass certain subsystems and updating Windows and your antivirus at this point may not work. If you are worried about anything being amiss -- try booting into Safe Mode, which Conficker prevents, to check -- you should run a specialized tool to get rid of Conficker.

Microsoft offers a web-based scanner (note that some users have reported it crashed their machines; I had no trouble with it), so you might try one of these downloadable options instead: Symantec's Conficker (aka Downadup) tool, Trend Micro's Cleanup Engine, or Malwarebytes. Conficker may prevent your machine from accessing any of these websites, so you may have to download these tools from a known non-infected computer if you need them. Follow the instructions given on each site to run them successfully. (Also note: None of these tools should harm your computer if you don't have Conficker.)

As a final safety note, all users -- whether they're worried about an infection or know for sure they're clean -- are also wise to make a full data backup today.

What won't work? Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm.

[Dzielak51]

How do you know this is just not a threat for an April fools joke?

[Stretcher75]

I think this was a hoax for today... I haven't heard anything on it today. Or it has not been activated as of now...

[boomer]

How do you know this is just not a threat for an April fools joke?

I am sure somebody thinks it is funny I am not one of them.

http://www.pcworld.com/article/157876/protecting_against_the_rampant_conficker_worm.html

Jan 16, 2009 2:31 pm
Businesses worldwide are under attack from a highly infectious computer worm that has infected almost 9 million PCs, according to antivirus company F-Secure.

That number has more than tripled over the last four days alone, says F-Secure, leaping from 2.4 million to 8.9 million infected PCs. Once a machine is infected, the worm can download and install additional malware from attacker-controlled Web sites, according to the company. Since that could mean anything from a password stealer to remote control software, a Conflicker-infected PC is essentially under the complete control of the attackers.

According to the Internet Storm Center, which tracks virus infections and Internet attacks, Conficker can spread in three ways.

First, it attacks a vulnerability in the Microsoft Server service. Computers without the October patch can be remotely attacked and taken over.

Second, Conficker can attempt to guess or 'brute force' Administrator passwords used by local networks and spread through network shares.

And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.

Conficker and other worms are typically of most concern to businesses that don't regularly update the desktops and servers in their networks. Once one computer in a network is infected, it often has ready access to other vulnerable computers in that network and can spread rapidly.

Home computers, on the other hand, are usually protected by a firewall and are less at risk. However, a home network can suffer as well. For example, a laptop might pick up the worm from a company network and launch attacks at home.

The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try and stop the worm's attempts to connect to Web sites.

And finally, you can disable Autorun so that a PC won't suffer automatic attack from an infected USB drive or other removable media when it's connected. The Internet Storm Center links to one method for doing so at http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html, but the instructions involve changing the Windows registry and should only be attempted by adminstrators or tech experts. Comments under those instructions also list other potential methods for disabling autorun.

    * See more like this:
    * security,
    * viruses,
    * worms,
    * patches & drivers

[boomer]

http://www.pcworld.com/article/162381/conficker_dday_arrives_worm_phones_home_quietly.html

The Conficker worm today has begun to phone home for instructions but has done little else. Conficker was programmed to today begin actively visiting 500 out of 50,000 randomly generated web addresses to receive new instructions on how to behave. Conficker has begun to do this, according to security company F-Secure, but so far no doomsday scenarios have emerged. Among security experts, the consensus seems to be that very little will happen today. This may be in part because of the high amount of publicity Conficker has received, but then again April 1 is not the first time Conficker has been programmed to change the way it operates. Similar trigger dates have already passed with little change, including January 1, according to according to Phil Porras, a program director with SRI International. Security experts at Symantec, the maker of Norton Antivirus, also believe the threat is overblown and says Conficker today will "start taking more steps to protect itself" and "use a communications system that is more difficult for security researchers to interrupt." Technology companies and experts across the globe have been working together to halt the spread of Conficker, disrupt its communications and uncover who created the worm. Microsoft has even issued a $250,000 bounty for information leading to the arrest and conviction of Conficker's authors. Despite the security sector's best efforts, very little is known about the origins of Conficker or its purpose. Nevertheless, some breakthroughs have been achieved. On March 30, Security experts with the Honeynet Project discovered a flaw in Conficker that makes it much easier to detect infection. IBM researcher Mark Yayson also believes he has discovered a way to "detect and interrupt the program's activities," according to The New York Times.

Since the Conficker worm was discovered in October 2008, the malware has only received programming updates from its author and worked to infect other computers. Conficker is believed to have infected 10 million computers worldwide mostly in Asia, Europe and South America. According to IBM, only 6 percent of North American computers have been infected.

While today may be a non-event, Conficker could be used to create harm in the future. Possiblities include a massive botnet, which would give Conficker's authors control over millions of computers worldwide. The botnet could then be used to attack corporate or government networks, commit identity theft, or deliver massive amounts of spam. Security experts warn that all Windows users must make sure their operating system and antivirus programs are up to date with the latest patches and virus protections. So far, Windows is the only operating system known to be vulnerable to Conficker.

For more information on how to protect yourself consult PC World:

[boomer]

Googling for Conficker clean-up information? Be careful



If you’re trawling the Web for information on disinfecting the Conficker worm,  be very, very careful.

Cyber-criminals are latching onto the hype around the Windows malware threat and have started registering domain names linked to Conficker and poisoning search results to trick users into installing fake anti-virus software programs.


According to this growing list maintained by the Conficker Working Group, at least one of the domains is actively serving malware.  F-Secure dug into one of the domains and found an a rogueware (fake anti-virus) campaign attempting to bilk users out of $39.95 for non-existent Conficker clean-up.

Yesterday, just hours after the release of enterprise scanning tools to help fingerprint the virulent worm, search results on Google were poisoned to serve malware for queries related to that news.   In one instance, the top Google result for “nmap conficker” was serving up a redirect to a drive-by download exploit site.

Trend Micro has additional details.

LMAO 250K is nothing if they really wanted to know they offer some real Money

http://www.pcmag.com/article2/0,2817,2341012,00.asp

Microsoft, several security firms, and members of the academic community came together Thursday to try and develop a coordinated plan to halt the spread of the Conficker worm, also known as Downadup.

Microsoft announced a $250,000 reward for information leading to the arrest and conviction of the Conficker author or authors, available to anyone in any country, subject to local laws. Meanwhile, a group of security companies pledged to work together to disable domains targeted by Conficker.

Conficker's spread has been astonishing. The Houston, TX police department had to stop arresting some people because of a Conficker outbreak throughout municipal computer systems. And infections in French military computers were so bad that fighter planes were grounded.

so far not much has happened. but if I had control of 9 plus million computers. I would have told them to wait 10 or so days. then hit every bank account I can find for $1.00 once a month. make it look like a atm fee or something. most people would never know they got robed for a buck and your making $108 million per year. now if you want to be greedy hit them for 5 bucks a month

[boomer]

Also if you think you may have this worm try starting your system in SAFE MODE. if it fails you may have it if it does start in safe mode your ok



"try booting into Safe Mode, which Conficker prevents, to check"