I got this information and thought it worth sharing with you.
Anybody a victim, or is it just one of those "Y2K" kinds of stuff?
Mburu
Business Information Technology (bit.or.ke)
How to Protect Yourself from the Conficker Computer Worm
Posted: 02 Apr 2009 07:16 AM PDT

Lately we have seen lots of media coverage on how the Conficker worm is going to cause havoc on April 1. The Conficker worm, formally named W32/Conficker.worm, started infecting systems late last year by exploiting a vulnerability in Microsoft Windows. Since then we have seen a couple of variants of this worm and lots of binaries that carry this malicious payload. Conficker.C is the latest variant; it changes the behaviour of its "call-home protocol" on Wednesday, April 1st, and may use that protocol to update itself with as-yet unknown functionality. Several antivirus companies already offer protection from this worm in their endpoint and network products, and Microsoft has issued a security update that patches the vulnerability the Conficker family uses to propagate. The following information gives you an overview of the worm, the steps you can take to clean an infected system, and measures to prevent reinfection.

What is the Conficker worm?

The W32/Conficker worm exploits the MS08-067 vulnerability in the Microsoft Windows Server service. Successful exploitation allows remote code execution when file sharing is enabled. Machines should be patched and rebooted so that the worm cannot reinfect the system after cleaning; this may take more than one reboot.

* Upon detecting this worm, reboot the system so that the copy running in memory is cleared. More than one reboot may be required.
* The worm often creates scheduled tasks to reactivate itself.
* The worm often uses autorun.inf files to reactivate itself.

Thousands of binaries that carry this payload have been identified. Depending on the specific variant, the worm may spread via LAN, WAN, the web, or removable drives, and by exploiting weak passwords. Conficker disables several important system services and security products and downloads arbitrary files.
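The two persistence mechanisms listed above (scheduled tasks and autorun.inf files) are the things to inventory on a suspect machine before and after the reboots. The script below is an added example written for this page, not code from the original post or from any vendor; the "suspicious" heuristics in it are this example's own assumptions and not a published Conficker signature, and the column names it reads from schtasks.exe are those of the English-language CSV output.

```powershell
# Added example (not from the original post): audit the persistence mechanisms the
# article lists. Run from an elevated PowerShell 2.0+ session on the machine being cleaned.

function Get-TaskInventory {
    # schtasks.exe exists on XP SP2/2003 and later, where the newer Get-ScheduledTask
    # cmdlet does not. /V adds the command line each task runs.
    $csv = schtasks.exe /Query /FO CSV /V 2>$null | Where-Object { $_ -notmatch '^INFO:' }
    if (-not $csv) { return @() }
    $csv | ConvertFrom-Csv | ForEach-Object {
        $cmd = $_.'Task To Run'
        New-Object PSObject -Property @{
            TaskName   = $_.TaskName
            Command    = $cmd
            RunAs      = $_.'Run As User'
            NextRun    = $_.'Next Run Time'
            # Heuristic (this example's assumption): a task whose only job is to load a DLL
            # through rundll32.exe is worth a manual look. Legitimate tasks can match too,
            # so review the command line rather than deleting on sight.
            Suspicious = [bool]($cmd -match '(?i)rundll32\.exe.*\.dll')
        }
    }
}

function Get-AutorunTargets {
    param([string]$InfPath)
    # Windows' INI parser ignores lines it cannot understand, so an autorun.inf can be
    # padded with junk without losing its effect. Mirror that leniency: keep only the
    # key=value lines inside [autorun] that cause code to run (open, shellexecute) or
    # disguise it in the AutoPlay menu (action).
    $inSection = $false
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $InfPath -ErrorAction SilentlyContinue)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'autorun'); continue }
        if (-not $inSection) { continue }
        if ($t -match '^(open|shellexecute|action)\s*=\s*(.+)$') {
            $targets += ('{0}={1}' -f $Matches[1].ToLower(), $Matches[2])
        }
    }
    return $targets
}

function Find-AutorunInf {
    # Removable (DriveType 2) and network (4) drives are the ones the article says the
    # worm seeds. autorun.inf is usually hidden+system, which Test-Path still sees.
    Get-WmiObject Win32_LogicalDisk |
        Where-Object { @(2, 4) -contains $_.DriveType } |
        ForEach-Object {
            $path = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path -LiteralPath $path) {
                New-Object PSObject -Property @{
                    Drive    = $_.DeviceID
                    Path     = $path
                    Launches = (Get-AutorunTargets $path) -join '; '
                }
            }
        }
}

Write-Host '== Scheduled tasks (review those marked Suspicious) =='
Get-TaskInventory | Sort-Object Suspicious -Descending |
    Format-Table TaskName, Suspicious, RunAs, Command -AutoSize
Write-Host '== autorun.inf found on removable/network drives =='
Find-AutorunInf | Format-List
```

Run it once before cleaning to record what is there, remove the tasks and files the antivirus attributes to the worm, reboot, and run it again: anything that has come back points at a persistence mechanism that was missed, which is why the article warns that more than one reboot may be needed.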
Computers infected with the worm become part of an army of compromised computers and could be used to launch attacks on web sites, distribute spam, host phishing web sites, or carry out other malicious activities. Conficker.C is the most recent variant of this worm and depends on its predecessors, the .A and .B variants. Exposure to .C is limited to systems that are still infected with the earlier variants.

The virus, called Conficker or Downadup, first appeared in November 2008 but has recently become more prevalent, infecting millions of machines by some estimates. Technically it is a worm, a kind of malicious software that automatically spreads itself from computer to computer. The cyber-security community is up in arms because worms have not been an issue for years. Over the course of the decade, computer hackers shifted their techniques away from rapidly spreading worms (people will remember "Blaster" and "Melissa", which shut down entire offices for a day or two) towards targeted snippets of code that are harder to detect. The reason: money. Worms are basically a big irritant; code that gets past security software can be used to steal information or make a computer send spam email, both of which command a big price on the black market.

Microsoft issued a software update that protects computers from Conficker in October 2008. Most anti-virus software will also stop it. The result is that while Conficker is spreading rapidly, it is mainly doing so in parts of the world where people have not updated their systems. About 29% of infections are in China, followed by Argentina, Brazil, Russia, and India, according to Symantec. Many of these countries are among those with the highest rates of software piracy, which probably is not a coincidence. Less than 1% of infections appear to be in the U.S., according to multiple security researchers.
Conficker is, by all accounts, a pretty sophisticated piece of software. According to the Internet Storm Center, which tracks virus infections and Internet attacks, Conficker can spread in three ways. First, it attacks a vulnerability in the Microsoft Server service: computers without the October patch can be remotely attacked and taken over. Second, Conficker can attempt to guess or "brute force" Administrator passwords used on local networks and spread through network shares. And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.

Conficker and other worms are typically of most concern to businesses that do not regularly update the desktops and servers in their networks. Once one computer in a network is infected, it often has ready access to other vulnerable computers in that network and can spread rapidly. Home computers, on the other hand, are usually protected by a firewall and are less at risk. However, a home network can suffer as well: for example, a laptop might pick up the worm from a company network and launch attacks at home.

The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist to try to stop the worm's attempts to connect to web sites. And finally, you can disable Autorun so that a PC will not suffer an automatic attack from an infected USB drive or other removable media when it is connected. The Internet Storm Center links to one method for doing so, but the instructions involve changing the Windows registry and should only be attempted by administrators or tech experts. Comments under those instructions also list other potential methods for disabling Autorun. The U.S. Department of Homeland Security released a tool to detect whether a computer is infected by the Conficker worm.
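The three protections in the previous paragraph (patch, blocklist, Autorun off) can be checked and applied from one elevated PowerShell session. The script below is an added example for this page, not code from the original post, the Internet Storm Center or Microsoft. It assumes two things not stated on the page: that KB958644 is the security update Microsoft shipped for MS08-067 (it is), and that the NoDriveTypeAutoRun policy value is the registry change the article alludes to; the blocklist domain it feeds in is a hypothetical placeholder, not a real Conficker call-home name.

```powershell
# Added example (not from the original post): apply the three protections the article lists.
# Run from an elevated PowerShell 2.0+ session.

function Test-MS08067Patched {
    # Get-HotFix reads the installed-update inventory. KB958644 is the MS08-067 update
    # (assumption stated in the lead-in). Caveat: Windows builds released after the fix,
    # such as Windows 7, ship with it built in and will not list a separate hotfix, so a
    # $false result on those means "check the OS level", not "exploitable".
    $hotfix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Disable-Autorun {
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is suppressed;
    # 0xFF covers every type, so no autorun.inf is honoured when a USB stick or mapped
    # share is connected. The policy key may not exist yet, hence the New-Item.
    # Caveat: the setting takes effect at next logon, and older Windows builds needed an
    # additional Microsoft update before Explorer honoured it fully.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    return ((Get-ItemProperty -Path $key).NoDriveTypeAutoRun -eq 0xFF)
}

function Add-HostsBlock {
    param([string[]]$Domains)
    # Endpoint-level stopgap for the blocklist the article mentions: point each call-home
    # name at 127.0.0.1 in the hosts file, skipping names already present. A network-level
    # block (DNS sinkhole or proxy deny list) is the real control, because malware can
    # resolve names without consulting this file.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $existing = @(Get-Content -Path $hosts -ErrorAction SilentlyContinue)
    $added = 0
    foreach ($d in $Domains) {
        $pattern = '\s' + [regex]::Escape($d) + '\s*$'
        $already = $existing | Where-Object { $_ -match $pattern }
        if (-not $already) {
            Add-Content -Path $hosts -Value ("127.0.0.1`t$d")
            $added++
        }
    }
    return $added
}

"MS08-067 update present: $(Test-MS08067Patched)"
"Autorun disabled for all drive types: $(Disable-Autorun)"
# 'callhome.example' is a constructed placeholder; substitute the blocklist your
# security vendor or CERT publishes.
"hosts entries added: $(Add-HostsBlock -Domains @('callhome.example'))"
```

The patch check is the one that matters most: with the Server service patched, the first and most effective spreading method is closed, and the other two functions only shrink the remaining surface (removable media and the call-home channel). They do nothing against the weak-password method, for which the only fix is stronger Administrator passwords on every machine in the network.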