Are we in for the worst April Fool’s Day yet?

[Editor's note: Area-Wide Technologies Project Manager Kurt Siegfried authored the following column to inform clients of the potential risk for damaging computer virus infections on April Fool's Day.]

April first has always been an interesting day on the Internet. From sewer Internet Service Providers to ponies taking over major news sites, things tend to land towards the silly end of the spectrum. This year has the potential to be different in a not-so-friendly way. In October 2008, Microsoft released a security bulletin to patch a critical flaw in part of the Windows operating system that could allow an unauthorized third party to execute arbitrary code. Most customers applied the patch and were protected within a short period of time.

However, some larger enterprises typically delay applying Microsoft updates for an extended period of time. This is a well-deserved response to a company that has released many patches that have broken line-of-business applications, and even pieces of its own operating system. Between these companies and the large number of home users who either have a pirated copy of Windows or do not use Windows Update, there were a significant number of unpatched hosts on the Internet weeks, and even months, after the patch was released.

Enter the worms. Conficker and Downadup are two names given to a single set of code that was released into the wild to exploit the vulnerable service. The initial wave did not require a user to do anything; it only needed a vulnerable workstation reachable on the Internet. This initial infection was not damaging by itself, but it gave the malicious users behind it a platform from which to launch their second wave of code: Conficker.B. This version was much more robust and also spread itself through USB flash drives and mapped network drives. It disabled Windows Automatic Update and looked for computers on the network with weak or blank passwords that it could spread its infection to. In addition, it took its defenses a step further by attempting to disable anti-virus products on the host computer.

At this point there are approximately 10 million infected computers around the world. These are being updated to the latest Conficker.C variant, which is the most robust version yet. It has a built-in engine to keep itself updated that only accepts code from the original creators, and each day it checks 500 websites chosen randomly from a list of 50,000 for new instructions. All of this while it continues to try to spread its infection to new hosts. While this may seem like the worst possible outcome, security researchers who have been analyzing the worm and infected systems tell us that things will be worse next Wednesday. Up until now, the computers infected by the Conficker worm have been focused on building a network of infected computers, a botnet. On April 1st, the computers making up the botnet will begin checking the command and control servers and executing whatever attack orders they are given. This can take the form of spam, denial of service attacks, or attempts to bring even more computers into the botnet. These kinds of attacks happen all the time, but the sheer number of infected hosts in this botnet will make things more visible than normal.

So what do we do? While this sounds like a bleak situation, there is hope. There are several steps that can limit or prevent the spread of infection altogether. First, install Windows Updates, all of them, every month. They are issued for a reason, and Microsoft offers free support for security updates. Second, use up-to-date anti-virus software. All of the major vendors have tools that can remove this infection and they should be used; Microsoft has its own tool called the Malicious Software Removal Tool (MSRT). Finally, use a tool like OpenDNS (see the OpenDNS Blog) to block access to the worm's command and control servers. Following these steps can limit exposure to widespread infection and prevent your network from being part of the problem.

Once all that is done, you can get back to having a fun and romantic April Fool's Day.

Further Reading:

Microsoft Security: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Trend Micro: http://blog.trendmicro.com/new-downadconficker-variant-already-detected/

The Register: http://www.theregister.co.uk/2009/01/26/conficker_botnet/
