There is a lot of media attention being paid to the Conficker C worm, which is due to update itself tomorrow. Researchers have not been able to identify what exactly that update will do. It may simply upgrade the worm to make it harder to detect, or it may instruct the worm to carry out certain actions. This lack of understanding is leading to a certain level of confusion, and indeed some security companies are hyping up the issue, no doubt to help their bottom line.
F-Secure have a very good Questions and Answers post on their blog that cuts through some of the hype. Remember that April 1st only affects machines already infected with the Conficker C variant. If your machine is not infected, nothing will happen to it.
To prevent infection by Conficker C you can follow the steps outlined in our earlier post. Should you feel that you do not have enough time to put those measures in place, researchers from the University of Bonn have issued a paper on how to contain Conficker C on your network.
To detect whether you have any infected machines on your network, Nessus has a plugin, 36036, available, and Nmap 4.85 Beta can also detect infected computers. The US Department of Homeland Security has also released a detection tool. Should you detect any machines infected with Conficker C, the Internet Storm Center has a list of removal tools.
Conficker C is due to activate its update at midnight GMT tonight. So by this time tomorrow we should know exactly what all the fuss is about.
Subsequent to the critical out-of-cycle patch MS08-067, issued by Microsoft in October 2008, the Conficker Worm was discovered infecting systems that had not applied the MS08-067 patch.
Since then the Conficker Worm has infected over an estimated 9 million PCs.
Recent reports also highlight that the Conficker Worm has been upgraded by criminals to Conficker B++ which is more resilient than the previous versions.
Microsoft has released an advisory note on how to protect your PCs from the Conficker Worm. In summary, Microsoft recommend you take the following steps:
- Apply the security update associated with MS08-067.
- Make sure you are running up-to-date antivirus software from a trusted vendor.
- Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems.
- Isolate “unpatched” or legacy systems using the methods outlined in the Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide.
- Implement strong passwords as outlined in the Creating a Strong Password Policy whitepaper.
- Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 953252. NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 953252 to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 to be able to successfully disable the AutoRun feature.

We advise that you follow the above recommendations to ensure your systems are protected from this threat.
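As an added example (not from Microsoft's advisory or the original post), the following PowerShell script audits a single Windows host for two of the checks above: whether the MS08-067 update is installed and whether AutoRun is disabled through the NoDriveTypeAutoRun policy value. It assumes KB958644 is the hotfix ID under which the MS08-067 update appears in the installed-updates list, and that the AutoRun fix from KB 953252 is listed under that same KB number, which may differ on your systems.

```powershell
# Added audit example, not part of the original post. Run from an elevated PowerShell prompt.
# Assumptions: KB958644 is the HotFixID of the MS08-067 update; the AutoRun fix from
# KB 953252 is listed as 'KB953252', which may not match the HotFixID shown on your hosts.
$requiredHotfixes = @{
    'KB958644' = 'MS08-067 (Server service vulnerability exploited by Conficker)'
    'KB953252' = 'AutoRun fix (required on 2000/XP/2003 before NoDriveTypeAutoRun takes effect)'
}

# Installed updates via WMI; this works on PowerShell 1.0 as well as later versions.
$installed = Get-WmiObject -Class Win32_QuickFixEngineering |
    ForEach-Object { $_.HotFixID.ToUpper() }

$findings = @()
foreach ($kb in $requiredHotfixes.Keys) {
    if ($installed -contains $kb) {
        $findings += "OK      $kb installed - $($requiredHotfixes[$kb])"
    } else {
        $findings += "MISSING $kb - $($requiredHotfixes[$kb])"
    }
}

# AutoRun policy: 0xFF disables AutoRun for every drive type. The machine-wide key is the
# one Group Policy writes; the per-user key is checked too because it can override it.
$autorunPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($path in $autorunPaths) {
    $value = $null
    if (Test-Path $path) {
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    if ($value -eq 0xFF) {
        $findings += "OK      $path NoDriveTypeAutoRun = 0xFF"
    } else {
        $shown = if ($value -eq $null) { 'not set' } else { '0x{0:X2}' -f $value }
        $findings += "WEAK    $path NoDriveTypeAutoRun = $shown (want 0xFF)"
    }
}

# Print the report; a non-zero exit code lets a logon script or scheduler flag the host.
$findings | ForEach-Object { Write-Output $_ }
if ($findings -match '^(MISSING|WEAK)') { exit 1 } else { exit 0 }
```

On Windows 2000, XP and Server 2003 a "WEAK" AutoRun result cannot be fixed by the registry value alone; the KB 953252 update must be present first, which is why the script reports both.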
Remember to also update your incident response plan just in case your efforts are too late. See our free whitepaper on “Incident Handling and Management”.