March 31, 2009 by confickerworm
By now you might have heard about the latest worm that is plaguing Internet users worldwide. It goes by the name of Conficker (or Downadup) and comes in the variants A, B and C, with C being the most evolved variant. To put it simply: Conficker uses a Windows vulnerability that was discovered in September 2008, and a patch that fixed it was released by Microsoft. The first worm that used the vulnerability was discovered in November 2008.
Conficker C will initiate a number of processes on infected host systems, including opening a random port which is used in the distribution process of the worm. The worm will then patch the security hole on the computer system that allowed it to attack the system in the first place. This prevents other viruses from exploiting the vulnerability while keeping a backdoor open for newer variants of the Conficker worm. The worm will also block certain strings from being accessed on the Internet: domain names containing those strings cannot be reached unless the IP address is used instead. Among the strings are the names of various security companies like microsoft, panda or symantec, but also generic strings like defender, conficker or anti-. This is meant to prevent users from accessing websites that contain information and removal instructions about the worm.
While this is surely a nuisance for the user, it does mean that the worm itself is not harming the user's system in any way other than the methods described above. The real danger comes from the updating mechanism of Conficker C. The worm will try to retrieve new instructions on April 1, 2009. A very sophisticated updating mechanism has been implemented by the author. The worm will generate a list of 50K domain names and append a list of 116 top-level domains to them. It will then select 500 at random from the list and try to connect to them. If new instructions are found at one of the URLs, it will download and execute them on the computer system. This process will be repeated every 24 hours.
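The daily sweep described above (500 random names drawn from 50K candidates across 116 TLDs, almost none of which are registered) leaves a distinctive trace in resolver logs: one client producing a burst of NXDOMAIN answers for unrelated names spread over many TLDs, repeating each day. The following detector is an added example and not code from the original post; the log format, field names and thresholds are assumptions made for the example, and the log lines are constructed.

```python
"""Flag clients whose DNS failures look like Conficker C's daily domain sweep."""
from collections import defaultdict

# Constructed resolver log (assumed format): "<epoch> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
1238544000 10.0.0.5 www.example.com NOERROR
1238544001 10.0.0.5 mail.example.com NOERROR
1238544002 10.0.0.7 qzxkfwmv.biz NXDOMAIN
1238544002 10.0.0.7 plmvnwtq.info NXDOMAIN
1238544003 10.0.0.7 wrtpoqas.ws NXDOMAIN
1238544003 10.0.0.7 hjkwezxc.cn NXDOMAIN
1238544004 10.0.0.7 bnmqwert.cc NXDOMAIN
1238544004 10.0.0.7 asdfqwer.net NXDOMAIN
1238544005 10.0.0.7 zxcvbnmq.org NXDOMAIN
1238544005 10.0.0.5 typo.exampel.com NXDOMAIN
"""

def parse_log(text):
    """Yield (epoch, client, name, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        epoch, client, name, rcode = parts
        yield int(epoch), client, name.lower().rstrip("."), rcode.upper()

def tld_of(name):
    """Last label of a name, e.g. 'qzxkfwmv.biz' -> 'biz'."""
    return name.rsplit(".", 1)[-1]

def find_dga_clients(text, min_nxdomain=5, min_tlds=4):
    """Return {(client, day): (distinct_failed_names, distinct_tlds)} for every
    client/day bucket that exceeds both thresholds. Buckets are UTC days because
    the sweep repeats every 24 hours; a single typo (10.0.0.5) never trips it."""
    failed = defaultdict(set)  # (client, day) -> set of names that got NXDOMAIN
    for epoch, client, name, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            failed[(client, epoch // 86400)].add(name)
    flagged = {}
    for key, names in failed.items():
        tlds = {tld_of(n) for n in names}
        if len(names) >= min_nxdomain and len(tlds) >= min_tlds:
            flagged[key] = (len(names), len(tlds))
    return flagged

if __name__ == "__main__":
    for (client, day), (n, t) in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client} on day {day}: {n} unresolvable names across {t} TLDs")
```

Tune the thresholds to your own resolver's baseline; the point is the combination of many failures and many distinct TLDs from one host, which ordinary browsing rarely produces.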
The easiest way of detection is to access a site like microsoft.com or symantec.com and compare the result with accessing the same site via its IP address (207.46.197.32 and 206.204.52.31, respectively). While this usually gives a good indication, it is better to check the computer system with tools that have been specifically designed to detect and remove the Conficker variants.
A few tools that can be used to detect and remove Conficker variants are ESET Conficker Removal Tool, Downadup from F-Secure or KidoKiller by Kaspersky.
Excellent information about Conficker detection, along with removal instructions, is available at Sans.org.
March 31, 2009 by confickerworm
With recent coverage in The New York Times, The Washington Post, and 60 Minutes, the sophisticated Conficker worm has become mainstream news. Yes, the underlying concepts may be a bit complex for John Q. Public, but I think this media attention is a great public service. Users need this type of education to better understand the risks associated with Internet connectivity.
Plenty of people have written detailed descriptions about what Conficker is, where it may have come from, and future potential damage. I prefer to focus on the relationship between Conficker and overall IT security. Given its properties, Conficker goes well beyond malicious code and endpoint security. In my view, the Conficker worm provides a microcosm of the complexity of IT security and the pressing need for security best practices. Here are a few examples:
1. Conficker reinforces the link between IT security and operations. Organizations with strong asset, configuration, and patch management processes were probably able to patch vulnerable systems before Conficker first appeared in November 2008.
2. Conficker demonstrates the need for device authentication and port blocking. Conficker uses USB flash drives as a means for propagation. This should serve as a wake-up call to security professionals that USB drives can act as a modern-day “sneakernet” for spreading malicious code or stealing confidential data. Addressing these threats means limiting USB access to authorized drives (through means like the IEEE 1667 standard) while filtering all traffic that flows to or from USB drives.
3. Conficker contains a password-cracking program that can break simple passwords like “1234” or “password”. This demonstrates the need for strong password enforcement, password management, and even multifactor authentication.
4. Finally, Conficker is an extremely aggressive worm that looks for open file shares on the network to create yet another propagation method. Detecting this activity demands network traffic analysis and an understanding of normal versus anomalous behavior.
It would be easy to simply blame Microsoft for Conficker since the worm exploits an operating system vulnerability. But to me, doing so would be a cop-out. In truth, Conficker exploits a number of technology, process, and human vulnerabilities. In my humble opinion, this is what makes it so dangerous.
March 31, 2009 by confickerworm
Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.
Although the origin of the name “conficker” is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term “configure” with “ficken”; the Microsoft analyst Joshua Phillips instead describes “conficker” as a rearrangement of portions of the domain name “trafficconverter.biz”.
Three main variants of the Conficker worm are known and have been dubbed Conficker A, B and C. They were discovered 21 November 2008, 29 December 2008 and 4 March 2009, respectively.