Conficker is Alive (and Well)!!!!

Conficker, aka Downadup, seems to have awoken and become active.  After the hype created on April 1st, it appears that the worm waited one week, as on Wednesday, April 8th it reared its ugly head.  We all knew that a piece of code that is so expertly written, albeit devious at the same time, was not just going to sit there and do nothing.  It now appears that things are starting to happen.

On April 12th, the University of Utah confirmed that its network was infected with a variant of the worm. The worm was first detected on Thursday, April 9th, and by Friday it had infected more than 700 systems, including those of the university's three hospitals.  Conficker, which slows systems down, is also capable of erasing data and stealing personal information.  University officials confirmed, though, that personal medical information at the hospitals is secure and that nothing has been compromised.  As a security precaution, however, the university did shut down all internet access to some campus locations for up to six hours on Friday in order to isolate the worm.

Conficker is also responsible for a new rogue scareware tactic known as Spyware Protect 2009.  This is an old money-making scheme in which a pop-up appears warning of dangerous malware on your computer.  And for the bargain price of $49.95, it will remove it.  The sinister thing is that the "removal tool" is the worm itself, and by entering any credit card information into it, the scammers will be laughing all the way to the bank……YOUR BANK!!!!  Please do not fall for these scams.  Remember, a web site cannot tell whether your computer is infected with malware.  Here is a good TIP to show you how to tell the difference between scams and legitimate warnings.

Conficker has also been seen to have direct connections to the Waledac Trojan, which leads me to believe that Conficker is also sending, or planning on sending, a large amount of spam from its zombie computer network.  The funny thing about the Waledac (aka Storm) Trojan, though, is that it propagated very well in early 2009 but has sent relatively few spam messages.  Teamed with Conficker, though, it may be another story.  Click HERE to read an article from PC World regarding Waledac and other botnets.

Conficker first appeared back in November 2008 and can infect any Windows computer running 2000 or above, including XP, Vista, and Windows 7 Beta.  It uses a hole in the Windows Server service, which Microsoft discovered and patched in October 2008 with its MS08-067 Security Bulletin.  Sadly, many computers, for whatever reason, were never patched, which would have stopped Conficker in its tracks. Microsoft patched the hole and updated its Malicious Software Removal Tool to remove Conficker from infected systems. Yet somehow the worm still survived and spread.  Once a system is infected with this worm, it may shut down and prevent any further Windows Updates, as well as not allow any malicious software removal tools to run on the infected system.

What is even more threatening is that Conficker is currently trying to spread to more systems, thus creating an even larger botnet.  By connecting to sites like MySpace.com, CNN.com, MSN.com, eBay.com and AOL.com, it is searching for more computers connected to the internet that may not have received Microsoft's critical update in October.  Also, by using Conficker's P2P (Peer To Peer) technology, it will be able to contact other infected host computers, which may not have received the new "instructions" on April 1st, and can then update them with the current variant.  This test is supposed to end on May 3rd, at which time it may sit and wait for new instructions on what it should do next. At that time it will delete any trace that it had ever been there in the first place.  No files, no registry entries, no nothing; however, it will remain on the infected computer and will just sit quietly awaiting new commands from its master.

The ironic thing about this worm is that once it infects a new system, it patches the hole in Windows by itself, in order to keep other malware from using the same opening that it used to infect the system.  Microsoft, which has done a good job at attempting to corral this worm, has offered a $250,000 bounty to anyone who can discover who is responsible for Conficker.  Many believe that the creators are located somewhere in Ukraine.

Are you afraid that you may be infected?  Symantec, Trend Micro, F-Secure and other security firms all offer free removal tools from their websites.  However, if you are infected, the worm will most likely block any attempts at reaching these sites in order to prevent its removal.  If you are being blocked from reaching any of these sites, as well as Microsoft's website, then there is a genuine risk that you may be infected with Conficker.  You can visit the Conficker Working Group's website to learn more about removal.  Their Conficker Eye Chart is a good way of telling whether you are infected. This tactic of shutting down removal options is used by many other malicious programs, though, so it is not proof that you are infected with Conficker.  However, if you are being blocked, then even though it may or may not be Conficker, the chances are great that you do have something on your system.
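
The Eye Chart test described above can be reproduced from the command line.  The script below is an added example, not code from the original post or from the Conficker Working Group: it probes the security-vendor sites named here alongside a few of the ordinary sites the post mentions as controls, and applies the Eye Chart's reasoning (controls reachable but vendor sites not).  The www. hostnames and the HTTPS probe are assumptions for illustration.

```python
"""Eye Chart-style reachability triage (added example, not the real Eye Chart).

Logic: a machine that can reach ordinary control sites but none of the
security-vendor sites is consistent with Conficker-style URL blocking.
That verdict is a hint, not proof; other malware blocks the same sites.
"""
import socket
from urllib.request import urlopen
from urllib.error import URLError

# Hostnames assumed for illustration (vendors and Microsoft from the post,
# controls drawn from the sites the post says the worm contacts).
VENDOR_SITES = ["www.symantec.com", "www.trendmicro.com",
                "www.f-secure.com", "www.microsoft.com"]
CONTROL_SITES = ["www.cnn.com", "www.msn.com", "www.ebay.com"]


def probe(host, timeout=5.0):
    """Return True if an HTTPS GET of the host's front page succeeds."""
    try:
        with urlopen(f"https://{host}/", timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except (URLError, socket.timeout, OSError):
        return False


def classify(vendor_ok, control_ok):
    """Map {host: reachable} results to an Eye Chart-style verdict."""
    vendors_up = sum(vendor_ok.values())
    controls_up = sum(control_ok.values())
    if controls_up == 0:
        return "inconclusive"   # no connectivity at all; a network problem
    if vendors_up == len(vendor_ok):
        return "not-blocked"    # everything loads; no blocking observed
    if vendors_up == 0:
        return "blocked"        # controls work, vendors do not: investigate
    return "partial"            # some vendors blocked; could be a CDN hiccup


def run_chart():
    """Probe every site and return the verdict plus the raw results."""
    vendor_ok = {h: probe(h) for h in VENDOR_SITES}
    control_ok = {h: probe(h) for h in CONTROL_SITES}
    return classify(vendor_ok, control_ok), vendor_ok, control_ok


if __name__ == "__main__":
    verdict, vendors, controls = run_chart()
    for host, ok in {**vendors, **controls}.items():
        print(f"{'OK ' if ok else 'FAIL'} {host}")
    print("verdict:", verdict)
```

A "blocked" verdict means the machine should be examined with an offline removal tool or from a clean host; it does not by itself identify the malware.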

Conficker does not affect Unix, Linux, or Apple's Macintosh operating systems.

One Response to “Conficker is Alive (and Well)!!!!”

  1. Fiendish! What a well-informed article. Glad I run Linux.