Home, work computers vulnerable to Conficker Virus

Published March 31, 2009
By Staff Sgt. Josh Hendrickson, 319th Communications Squadron

GRAND FORKS AIR FORCE BASE, N.D. -- Conficker is a virus that has proven especially viral in the last few months. While it may seem like an inconvenience now, you can be sure its designers are planning follow-on stages. In its various incarnations, Conficker A, B, B++ and now C, it has infected over 12 million Windows computers worldwide since roughly September 2008.

Credit for the depth and breadth of infection belongs mostly to us, the users. To that effect, the spread has been called a testament to the stubbornness of users in avoiding patching their own computers. If we had all taken the simple step of enabling automatic updates, this virus might never have gotten a firm foothold and could never have spread as far and as quickly as it has.

"How do I know if MY computer is infected?"

The truth is, you may have no symptoms at all, or you may notice that you are unable to get to security-related websites. Microsoft.com, and links to updates for any of your software, whether the Windows operating system or third-party applications, may be disabled by the virus.

So let's say you never visit Microsoft.com or security sites anyway. What's the big deal? BOTNET is your answer. Conficker is building a network of robots, or botnet, and is poised to become one of the biggest and most dangerous if not slowed. You may remember the news about Russia's invasion of Georgia last August. Before the invasion, many Georgian government websites were knocked off the Internet. It's widely assumed that another botnet, named "Storm," was the weapon used to do it, but even now no one knows who is in control of Storm. Conficker's controllers are similarly unknown, but they do have a $250,000 bounty on their heads, courtesy of Microsoft.
Once infected, your computer becomes a willing zombie soldier among legions of other infected computers, all waiting for orders from some clandestine master in the shadows. Once the virus is installed with admin access on your computer, it's not your computer anymore; you're only borrowing it until the botmaster wants it. He can pilfer your information or use your computer in Internet attacks on other computers, other networks, companies, or even other countries.

What we do know is that the only order Conficker has (for now) is to recruit far and wide, by three means:

1. Exploiting vulnerabilities on Windows computers not updated with recent security patches.

2. Weak security in home networks and weak passwords, which allow further propagation. Once it has infected a computer, the virus downloads some 240 common passwords and begins brute-force password attacks on other nearby computers in the network.

3. Propagation via USB-based storage media. Conficker basically does some social engineering to get deeper into your computer. Unless Autorun is disabled (it still isn't by default), when you insert a USB stick in a Windows box you get a dialog box asking what you want to do. One of the options in the box appears as "Open folder to view files," which might sound innocuous but is actually an option created by Conficker that in reality runs the virus.

So how can we protect against Conficker? It's a tricky virus, but fairly easy to safeguard against. Why? Because it relies mostly on user complacency. It's all about defense in depth; Conficker can be avoided with 4 easy steps.

1. Enable Microsoft Automatic Updates! This is the easiest and most important step.

2. Be sure you have an up-to-date anti-virus program running AND that you apply virus definition updates regularly.

3. Disable the AutoPlay feature. You will no longer get the automatic popup window when you plug in a new drive.
You may have to click a time or two more to open that file on your flash drive, but you will virtually eliminate the chance of accidentally falling for the virus's "Open folder to view files" social engineering attack. It could be argued that watching what you click is a viable alternative. It is solid advice, but not the safest in this case.

4. Set up an account with User-level rights as your primary logon when using your home computer, and apply a sturdy password to both it and your computer's Administrator account. Viruses and other malware use the rights of whoever is logged in to do their dirty work. If you're logged on as an Administrator when the virus hits, the virus is now the new administrator. The virus will have a much harder time installing itself if you're using an account that does not have rights to install new hardware or software. People hate doing this because you will of course have to log on as an administrator yourself, or use the handy "run as" command, to do your admin tasks, but you will know exactly when and what is installed on your computer. That is peace of mind.

If you find you already have the virus, try running Microsoft's Malicious Software Removal Tool (MSRT), available from their web site. Other Microsoft solutions and information can be found on Microsoft's support site. Ah, but if you DO have Conficker, it's possible you can't get to any site that contains the words "Microsoft," "Security," "Support," or "Update" in the URL, or to many other security sites. In that case, you will have to download a Conficker removal tool from Microsoft or one of the major anti-virus software providers using another computer not infected with Conficker.
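As an added example (not part of the original article), the following PowerShell script audits a Windows computer against the four safeguards above and reports which are in place without changing anything. The registry locations are Microsoft's documented Automatic Updates and Autorun settings; which values count as a pass, and the use of Get-LocalGroupMember (Windows 10 / PowerShell 5.1 and later) for step 4, are this example's assumptions. Run it as your everyday account, without elevation, so the step 4 result reflects that account.

```powershell
# Added example, not from the original article: read-only audit of the four
# Conficker safeguards (updates, anti-virus, Autorun, non-admin daily account).
# Pass thresholds and the step 4 method are this example's assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent (or no path at all)
}

function Test-ConfickerSafeguards {
    $results = @()

    # Step 1: Automatic Updates. Prefer the Group Policy location, fall back to
    # the local setting. AUOptions 4 = download and install on a schedule;
    # NoAutoUpdate 1 means the feature is switched off entirely.
    $auPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au    = $auPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
    $auOpt = Get-RegValue $au 'AUOptions'
    $noAu  = Get-RegValue $au 'NoAutoUpdate'
    $results += [pscustomobject]@{ Step = '1 Automatic Updates'
        Pass = ($noAu -ne 1 -and $auOpt -eq 4); Value = "AUOptions=$auOpt NoAutoUpdate=$noAu" }

    # Step 2: an anti-virus product registered with Security Center (client Windows
    # only). Definition freshness is not exposed here; confirm it in the AV console.
    $av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct `
          -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Step = '2 Anti-virus present'
        Pass = [bool]$av; Value = ($av.displayName -join ', ') }

    # Step 3: Autorun disabled. NoDriveTypeAutoRun 0xFF turns AutoPlay off for every
    # drive type; NoAutorun 1 additionally stops autorun.inf commands from running.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ndt = Get-RegValue $pol 'NoDriveTypeAutoRun'
    $nar = Get-RegValue $pol 'NoAutorun'
    $results += [pscustomobject]@{ Step = '3 Autorun disabled'
        Pass = ($ndt -eq 0xFF -or $nar -eq 1); Value = "NoDriveTypeAutoRun=$ndt NoAutorun=$nar" }

    # Step 4: the account in daily use is not a direct member of the local
    # Administrators group (well-known SID S-1-5-32-544). Nested groups are not followed.
    $me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $sid    = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $admins = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
    $isAdmin = [bool]($admins | Where-Object { $_.Name -eq $me })
    $results += [pscustomobject]@{ Step = '4 Non-admin daily account'
        Pass = (-not $isAdmin); Value = $me }

    $results
}

Test-ConfickerSafeguards | Format-Table Step, Pass, Value -AutoSize
```

A value shown as empty means the setting is not present at all, which for steps 1 and 3 is the insecure default the article warns about.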
To bring home the importance of taking these steps, I'll leave you with what some security professionals around the country are saying about Conficker:

"Worms like Conficker not only ricochet around the Internet at lightning speed, they harness infected computers into unified systems called botnets, which can then accept programming instructions from their clandestine masters. 'If you're looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,' said Rick Wesson, chief executive of Support Intelligence, a computer security consulting firm based in San Francisco." -- From NYTimes.com

"'I don't know why people aren't more afraid of these programs,' said Merrick L. Furst, a computer scientist at Georgia Tech. 'This is like having a mole in your organization that can do things like send out any information it finds on machines it infects.'" -- From NYTimes.com