Monday, January 26, 2009

Downadup/Conficker worm

Since late last year, a new malicious software program has been making the rounds of the Internet and infecting millions of Windows computers worldwide. Known as Downadup (also called Downad, Kido, Conficker or, misspelled, Conflicker), this Windows worm spreads in three different ways: by exploiting a vulnerability in the Windows Server service (bulletin MS08-067, which Microsoft patched in October 2008); by guessing weak passwords for network shares; and by using Autorun on network drives and removable devices such as USB keys.

The infection seems to be the first step of a potential multistage attack. As of now, Downadup's main visible trick is to block infected users from reaching antivirus vendors' sites to obtain updates and Microsoft's site to download the necessary Windows patch. However, once a machine is infected, the worm is capable of downloading second-stage code for potentially darker purposes: every day it computes a fresh list of domain names and tries each one for new instructions or code. It might operate in the background, using the infected computer to send spam or infect other computers, or it might steal the PC user's personal information. "Right now it's not destroying or stealing -- it's just hanging out," comments Tom Cross, X-Force researcher in the IBM ISS division. "It's building its network of hosts."

What to do? Since this worm can spread three different ways, here's the short list of what you should do:

  • Make sure your Windows security updates are, well, up-to-date.
    If Windows Update is set to automatically download and install security updates and patches, you should be good to go, but it wouldn't hurt to double-check. Verify that the patch has been installed by bringing up Windows Update, clicking "Review your update history" and looking for a security update labeled "KB958644" (Microsoft bulletin MS08-067). If it's not there, run the security updates manually. If you're just installing the patch now, take Microsoft's advice and also run the January edition of its free Malicious Software Removal Tool (MSRT), which was updated last week so that it can detect, and then delete, Downadup infections. One caveat: an already-infected machine is blocked from reaching Windows Update and antivirus sites (see above), so if the sites won't load, download the patch and MSRT on a clean computer and carry them over on a CD rather than a USB stick.

  • Make sure your passwords, especially any passwords used for network shares and administrator accounts, are strong. The worm tries to log on to other machines' administrative shares with a built-in list of weak passwords -- dictionary words such as "password", "changeme" and "testtest", sequences of letters, or repeated numbers such as "123123". Strong passwords are long and mix letters, numbers and symbols. As Microsoft's article on strong passwords states: "A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard." A side effect worth knowing: on a network with an account-lockout policy, the worm's guessing can lock users out of their accounts, so a sudden wave of locked-out accounts is itself a sign that a machine on the network is infected.

  • Disable Autorun and Autoplay to stop the worm spreading via flash drives. A USB storage device (typically a flash drive, although any removable storage device can carry it) that has been plugged into an infected computer will have the file "autorun.inf" at its root, next to a hidden copy of the worm. When that drive is connected to a PC, the file uses Windows' Autorun and Autoplay features to launch the worm. The worm's autorun.inf is crafted so that the Autoplay dialog shows an extra "Open folder to view files" entry that actually runs the worm, so don't rely on recognizing the dialog; disable the feature instead. Note also that on Windows XP and Vista the registry setting that disables Autorun is only fully enforced once Microsoft's hotfix KB953252 is installed, so apply that hotfix as well.
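Here is a PowerShell script, added to this page as an illustration and not taken from the post, from Microsoft or from Network World, that audits a machine for the three conditions in the list above: whether KB958644 is installed, whether Autorun is disabled for every drive type, and whether a local account's password falls to the kind of guessing the worm does. It assumes an administrator PowerShell prompt on Windows XP/Vista/7. The password list is a small constructed sample in the style of the post's examples (the worm's real list is much longer), the "Administrator" account name at the bottom is a placeholder, and the share-logon test talks to this machine's own ADMIN$ share over the loopback address.

```powershell
# Added example (not code from the original post or from Microsoft): a self-audit
# for the three Downadup/Conficker vectors. Run from an administrator PowerShell
# prompt on the machine being checked.

function Test-Ms08067Patch {
    # Win32_QuickFixEngineering lists installed hotfixes, the same data that
    # Windows Update's history shows. KB958644 is the MS08-067 fix.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq 'KB958644' }
    return ($fix -ne $null)
}

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is off;
    # 0xFF covers every type (removable, fixed, network, CD-ROM, RAM disk).
    $item = Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $false }
    return (($item.NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
}

function Disable-AutoRun {
    # Machine-wide policy (needs admin rights). On XP/Vista it is only fully
    # honoured once Microsoft's AutoRun enforcement hotfix KB953252 is installed.
    if (-not (Test-Path $ExplorerPolicy)) { New-Item -Path $ExplorerPolicy -Force | Out-Null }
    New-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF `
                     -PropertyType DWord -Force | Out-Null
}

# Constructed sample in the style the post describes (dictionary words, repeats,
# sequences). Assumption: this is NOT the worm's actual list, which is far longer.
$WormStyleDictionary = @('password', 'changeme', 'testtest', '123123',
                         'admin', '123456', 'letmein', 'qwerty')

function Test-WeakPassword {
    param([string]$Password)
    $p = $Password.ToLower()
    if ($p.Length -lt 8)                   { return $true }   # too short to resist guessing
    if ($WormStyleDictionary -contains $p) { return $true }   # straight dictionary hit
    if ($p -match '^(.+?)\1+$')            { return $true }   # repeated block: 123123, abcabc
    if ('0123456789'.Contains($p) -or 'abcdefghijklmnopqrstuvwxyz'.Contains($p)) {
        return $true                                          # plain sequence: 12345678, abcdefgh
    }
    return $false
}

function Test-AdminShareGuessable {
    # Mirrors the worm's network vector: try each candidate password against the
    # ADMIN$ share of this host for a local account. Only run this against your
    # own machine, and mind account-lockout policy: every failure counts as a bad
    # logon, so a long list can lock the account (as the worm itself does).
    param([string]$User)
    $share = '\\127.0.0.1\ADMIN$'
    net use $share /delete /y 2>&1 | Out-Null          # drop any stale connection
    foreach ($candidate in $WormStyleDictionary) {
        net use $share $candidate "/user:$env:COMPUTERNAME\$User" 2>&1 | Out-Null
        if ($LASTEXITCODE -eq 0) {
            net use $share /delete /y 2>&1 | Out-Null
            return $candidate                          # the password that opened the share
        }
    }
    return $null
}

# Report
"MS08-067 patch (KB958644) installed : $(Test-Ms08067Patch)"
"AutoRun disabled for all drive types : $(Test-AutoRunDisabled)"
"Password 'changeme' weak?            : $(Test-WeakPassword 'changeme')"
"Password 'T7#kq9!LmZ2p' weak?        : $(Test-WeakPassword 'T7#kq9!LmZ2p')"
$hit = Test-AdminShareGuessable -User 'Administrator'   # placeholder account name
if ($hit) { "ADMIN`$ opened with guessable password: $hit" }
else      { "ADMIN`$ did not open with any sample password" }
```

If Test-AutoRunDisabled reports False, run Disable-AutoRun and log off and on again for Explorer to pick up the policy. The share-logon test deliberately uses only the short sample list; running a large dictionary against a domain account is how the worm itself triggers lockouts, so keep the list short or test on a throwaway local account.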

Network World has the details on how to deal with this potential problem along with a general article on the worm itself.
