-
So what happened to Conficker?
Posted on April 3rd, 2009 at 08:56 1 comment
Lesley Stahl notwithstanding (don’t get me started – I saw the coverage on CNN, too, and was ready to throw my shoe through the TV), Conficker Day came and went with nary a peep.
That’s reason to forget about Conficker, right?
Well, no. Actually, more than anything, it shows that the person (or people) behind Conficker is (are) very smart. They’ve changed their infection mechanism, making it much harder to crack, and they managed to slip in the update without triggering any alarms.
You need to be very aware of Conficker. Some day, somebody is going to offer the person (people) who controls Conficker a great deal of money, and there’s no telling what they will do.
So test your machine. Follow Brian Livingston’s advice and scrub your system. In the same way that I advised you to not worry about April 1, I’m also telling you that Conficker is a formidable problem that hasn’t gone away.
It’s just sleeping. On about one million Windows XP PCs.
-
Solid Conficker advice
Posted on March 31st, 2009 at 10:29 3 comments
I just finished watching Lesley Stahl’s report on 60 Minutes about viruses and worms in general, and Conficker in particular. It’s easy to criticize the report, but that isn’t why I’m writing.
A few hours ago, Brian Livingston published a thorough and detailed analysis of Conficker. He admonishes everyone to run a Conficker removal tool before April 1.
I think it’s good advice. Check out Brian’s top story in this special edition of Windows Secrets Newsletter.
-
Conficker’s All Fools Day
Posted on March 28th, 2009 at 05:27 No comments
The sky is falling! The sky is falling!
I know it’s true because I read it in … let’s see … where was that? Oh, it’s right here in the newspaper. Just above the ad for washing machines. Yeah, see that? Toldja so.
Gimme a break. Yes, Conficker is changing on April 1. No, you don’t need to worry about it.
There’s an excellent, reasoned blog post about Conficker on the F-Secure site. What? An antivirus manufacturer says you don’t need to panic, while the venerable Sun says “MILLIONS of computers around the world could go into meltdown on April 1 because of a deadly virus.” Gawrsh. And they have a very nice ad for washing machines, too.
If you’re still running Windows XP, it would behoove you to hop over to the F-Secure Q&A. Down at the bottom, there’s a link to the F-Secure scanner, which will detect and remove all known versions of Conficker.
And you won’t get hit up about dirty laundry…
-
Conficker update
Posted on March 20th, 2009 at 20:08 No comments
The SANS Internet Storm Center just posted an article that points to several updated references about the Conficker worm.
Check out the link to SRI International’s updated Conficker information, and to the two New York Times articles.
If you ever needed a reason to upgrade from Windows XP to Vista or Windows 7, it’s spelled c-o-n-f-i-c-k-e-r.
-
More about disabling AutoRun in Windows XP
Posted on March 12th, 2009 at 18:54 6 comments
Microsoft blew it big time.
The latest issue of Windows Secrets Newsletter just hit my inbox, and Susan Bradley’s thorough analysis of the situation makes me angry.
I thought Microsoft was serious about blocking the Conficker worm. But when it comes to Conficker’s most simple propagation vector – infected USB disks – Microsoft has completely blown it. Repeatedly. Utterly.
I still recommend that you remember to hold down the Shift key when you stick any disk in any Windows XP computer. But if you feel the need to patch your XP machine, follow Susan’s advice.
-
Microsoft finally makes it possible to disable Autorun
Posted on March 5th, 2009 at 20:55 6 comments
The latest Windows Secrets Newsletter just hit the stands, and Susan Bradley’s lead article, AutoRun patch a long time coming for XP users, finally nails the topic of turning off AutoRun.
Managing AutoRun has become a #1 hot topic precisely because the Conficker worm can use AutoRun to propagate via USB drives.
So Microsoft posts a $250,000 bounty for information leading to the arrest of the cretins who created Conficker. Two weeks later – after waiting 18 months – MS patches one of Conficker’s simplest infection vectors.
Something does not compute.
Microsoft has a patch out now that lets everybody running Windows XP or later truly disable AutoRun. It’s KB article 953252 for Vista and KB article 967715 for WinXP, 2000, and Server 2003. I’ve heard that there are some minor problems with the patch being offered multiple times on the same machine, but there don’t appear to be any significant hassles.
I like Susan’s advice:
For home users, I’m not yet ready to pull the fire alarm and tell everyone to disable AutoRun. But I do urge you to be very leery of plugging USB flash drives into your system if you’re unsure whether they’ve been used on other computers. Large organizations, however, should consider disabling AutoRun on their networked PCs, considering how hard it’s been to stomp out the Conficker worm and others.
Follow Susan’s detailed explanation if you really want to make it impossible for renegade USB drives (or CDs or SD cards or…) to infect your computer as soon as they’re inserted.
Good article. Check it out.
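An added audit script for the setting discussed above; it is not from this post, from Windows Secrets, or from Microsoft. It reads the AutoRun policy values that the KB 953252 / KB 967715 patches make Windows honor and reports whether AutoRun is fully off. The registry path and the value names NoDriveTypeAutoRun and HonorAutoRunSetting are assumed from Microsoft’s documentation of those patches rather than taken from this page; run it in an elevated session.

```powershell
# Added example, not part of the original post. Assumption: the policy key and
# value names below follow Microsoft's documentation for KB 953252 / KB 967715.
$PolicyKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDriveTypes = 0xFF   # one bit per drive type; 0xFF turns AutoRun off for every type

function Get-AutoRunState {
    # Read both values; a missing value is reported as 'not set' and, to stay
    # conservative, counted as "not hardened" rather than guessed at.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $mask  = $null
    $honor = $null
    if ($props) {
        if ($props.PSObject.Properties['NoDriveTypeAutoRun'])  { $mask  = [int]$props.NoDriveTypeAutoRun }
        if ($props.PSObject.Properties['HonorAutoRunSetting']) { $honor = [int]$props.HonorAutoRunSetting }
    }
    [pscustomobject]@{
        NoDriveTypeAutoRun  = if ($null -ne $mask)  { '0x{0:X2}' -f $mask } else { 'not set' }
        HonorAutoRunSetting = if ($null -ne $honor) { $honor } else { 'not set' }
        # Bit 2 of the mask is the removable-drive type (USB sticks, SD cards).
        RemovableDisabled   = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)
        # The mask only matters once the patch is installed and honoring it.
        EffectivelyDisabled = ($mask -eq $AllDriveTypes) -and ($honor -eq 1)
    }
}

function Set-AutoRunDisabled {
    # Hardened configuration: all drive types masked and the patch told to honor it.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun'  -PropertyType DWord -Value $AllDriveTypes -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutoRunSetting' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-AutoRunState
}

# Audit first; apply the hardening only when the check says it is not in place.
$state = Get-AutoRunState
$state | Format-List
if (-not $state.EffectivelyDisabled) {
    Write-Warning 'AutoRun is not fully disabled; run Set-AutoRunDisabled to harden this machine.'
}
```

A machine that shows a mask other than 0xFF, or HonorAutoRunSetting missing, is one where holding Shift on insertion is still the only thing standing between an autorun.inf and execution.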
-
An Analysis of Conficker from SRI
Posted on February 25th, 2009 at 02:16 No comments
If you’ve been following the amazing feats of the Conficker worm, you should check out this new white paper from SRI International.
In this paper, we crack open the Conficker A and B binaries, and analyze many aspects of their internal logic. Some important aspects of this logic include its mechanisms for computing a daily list of new domains, a function that, in both Conficker variants, lay dormant during their early propagation stages until November 26 and January 1, respectively. Conficker drones use these daily computed domain names to seek out Internet rendezvous points that may be established by the malware authors whenever they wish to census their drones or upload new binary payloads to them. This binary update service essentially replaces the classic command and control functions that allow botnets to operate as a collective. It also provides us with a unique means to measure the prevalence and impact of Conficker A and B.