Conficker Worm: What You Should Know, Prevention & Fixes


Written By
Michael Sheehan
Published On
April 9, 2009

It looks like the Conficker worm is rearing its ugly head today, downloading a mysterious, heavily encrypted payload to infected Windows machines. As the information on this is just starting to hit, there is still a lot of speculation as to what the payload contains and what it does. This post provides a brief rundown of links, tools and information on Conficker and what you can do to prevent it.


NOTE: If appropriate, this page will be updated as more information emerges. Updated: 4/9/09 @ 12:30 PM Pacific

About Conficker


Conficker is a worm that has already affected millions of Windows computers worldwide and is considered to be one of the most severe security problems in recent years. The infected machines form a botnet that can be used to send spam and attack other websites. Conficker is designed to visit websites and get information, instructions or even a file via peer-to-peer networks. While Microsoft did release a patch back in October 2008 [Microsoft Security Bulletin MS08-067] to block the vulnerability, thousands or more computers remain unpatched and vulnerable. The current version of Conficker attempts to contact MySpace.com, MSN.com, Ebay.com, CNN.com and AOL.com in order to determine if the machine has an internet connection. The worm is also associated with another botnet called “Waledac” and may utilize it to spread itself via spam.

News & Information

Testing to See if You are Infected

A variety of sites are starting to provide ways to quickly see if your computer is infected, as well as how to fix it.

  • Microsoft OneCare Safety Scanner – Use this site to do an online scan of your computer.
  • BDTools.net – Use this tool to find out if you are infected; the site also offers tools for removal.
  • Conficker Eye Chart (reloaded) – This site provides an innovative way to test. Since the Conficker worm blocks the URLs of many known virus prevention companies, this site pulls in images from those sites. If you can’t see the images, you may be infected. Read the site for details.
  • Heise Security – Conficker Test – This site is similar to the “Eye Chart” test listed above.
  • ReadWriteWeb Resources on Conficker – A good listing of resources to help you prepare for Conficker (too late now?)
  • Panda Security Active Scan – Scan your computer via the web
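
The comparison behind the Eye Chart and Heise tests above, written out as an added example (not code from either site or from this post): security-vendor sites are checked against unrelated control sites and the pattern is interpreted. The host names are placeholders, and using DNS resolution as the live probe is an assumption made for this sketch; the sites themselves load images in the browser.

```python
import socket

# Placeholder names (assumptions): replace with security-vendor sites and with
# unrelated control sites that are normally reachable from your network.
SECURITY_HOSTS = ["av-vendor-1.example", "av-vendor-2.example", "av-vendor-3.example"]
CONTROL_HOSTS = ["control-1.example", "control-2.example"]


def dns_probe(host):
    """Live probe: True if this machine can resolve the host name."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except (OSError, UnicodeError):
        return False


def eye_chart(security_hosts, control_hosts, probe=dns_probe):
    """Compare reachability of security sites against control sites.

    Returns (verdict, blocked_security_hosts).
    """
    blocked = [h for h in security_hosts if not probe(h)]
    controls_up = [h for h in control_hosts if probe(h)]
    if not controls_up:
        # Nothing loads at all: an offline or filtered network, not a symptom.
        return "inconclusive", blocked
    if blocked and len(blocked) == len(security_hosts):
        # Controls load, every security site fails: the pattern the tests look for.
        return "possible-infection", blocked
    if blocked:
        # Mixed result: could be a single site outage; retest before acting.
        return "partial", blocked
    # A pass does not prove the machine is clean; confirm with a scanner.
    return "no-blocking-seen", blocked


if __name__ == "__main__":
    # Constructed probe results standing in for a machine where only the
    # security-vendor names fail; swap in dns_probe for a live check.
    constructed = {h: False for h in SECURITY_HOSTS}
    constructed.update({h: True for h in CONTROL_HOSTS})
    print(eye_chart(SECURITY_HOSTS, CONTROL_HOSTS, probe=constructed.get))
```
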

The best fix for infections like this is actually an ounce of prevention before they happen. It can save you time and money in the long run. Currently Macintosh users are not affected by this worm (unless they are running virtualized Windows environments using VMware or Parallels). I personally use Kaspersky’s Internet Security 2009 which is great because they push out updates almost hourly. (Note: you can get a 3 User License on Amazon right now for only $35!)

HTD Says: Be sure you are protected. Get good, strong Anti-Virus & Firewall Software and keep it updated.
