Conficker

I suppose that everyone knows about this thing by now, but on the off chance that one or two of you don't, then it might be worth reading this Wikipedia article to get up to speed.  To cut a long story short, however, it's a particularly nasty trojan that's been around for a few months, but has recently caused quite a stir in the mass media, with Y2K-esque predictions of doom being thrown all over the place.

It only affects Windows PCs, which means Mac and Linux users are safe.  Also, please note that if you've kept up to date with Windows Updates over the last few months, you're probably not in any danger.

Several variants exist, the latest of which was designed to replace previous ones, then "call home" for instructions today, April 1st.  Since I heard this report last night, and it's been so widely reported, it's quite assuredly not an April Fool's joke.  The threat this thing poses - especially for those without legal copies of Windows XP - is real.  Anything from congested local networks to personal detail theft, this thing can turn your world upside down.  It's even clever enough to disguise itself and stop you from accessing the websites of popular anti-virus providers.

Luckily (and probably as an upshot of all the media attention), nothing has happened yet.  Computers infected with Conficker have "called home", but have received no instructions yet.  Or at least, none that are immediately evident.  Still, prompt action to check for this little bugger is highly recommended.  Following these simple steps should be enough to protect you, or remove the trojan should you already be infected:

1. Test to see if you're infected - try navigating to the Symantec website (link).  If your browser is unable to load it, then try other popular anti-virus sites (e.g. McAfee, AVG, Kaspersky).  Failure to load them is a pretty sure sign that you're infected.

If you are not infected:

Go to Step 3.

If you are infected:

2. Go to the BitDefender site (link) and download their special Removal Tool.  Only get the Single PC version if you're a normal, home PC user.  Run it, follow the instructions and you should be clean.

3. Get the latest Microsoft Updates for your version of Windows - the security hole this trojan exploits was patched back in November 2008.  If you're running a pirated copy, then your options here are limited, but that's the gamble you take when you don't pay for things.

4. Update your Anti-Virus software and run a full scan.  Nearly all of the mainstream anti-viral programs have had their definitions updated to detect and remove Conficker, including AVG Free.

After a restart or two, you should be free from Conficker and/or the danger of it affecting you.  Just beware of sites you see on Google purporting to remove the virus, since a lot of people out there have created spoof sites that will do nothing to remove the trojan, possibly even adding more.

This topic can also be used to discuss the impact Conficker has had on everyone, whether it's been simply hearing the news and despairing at all of the doom-saying, or if you had it yourself, or even if you've never heard of it before.

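The reachability test in step 1 can be made systematic: probe a few unrelated control sites alongside the anti-virus vendor sites, and treat "controls work, vendors all fail" as the warning sign. This is an added example, not code from the original post or from any vendor; the hostnames and the decision to probe DNS resolution (the post only says the sites fail to load) are assumptions.

```python
"""Systematic version of the thread's step 1: if ordinary control sites
resolve but every anti-virus vendor site fails, the selective failure is
a warning sign worth following up with a removal tool and a full scan.
Added example; hostnames below are assumptions, not taken from the post.
"""
import socket
from typing import Callable, Dict, Sequence

# Vendors named in the thread; the exact hostnames are assumptions.
VENDOR_HOSTS = ("www.symantec.com", "www.mcafee.com",
                "www.avg.com", "www.kaspersky.com")
# Control hosts that blocking malware has no reason to touch (assumed).
CONTROL_HOSTS = ("www.wikipedia.org", "www.example.com")


def dns_probe(host: str) -> bool:
    """Real probe: True if the name resolves. Probing resolution is this
    example's choice; the post only says the sites fail to load."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def assess(probe: Callable[[str], bool],
           vendors: Sequence[str] = VENDOR_HOSTS,
           controls: Sequence[str] = CONTROL_HOSTS) -> Dict[str, object]:
    """Classify the pattern of successes and failures. The probe is
    injected so the logic can be exercised offline with canned results."""
    vendor_ok = {h: probe(h) for h in vendors}
    control_ok = {h: probe(h) for h in controls}
    if not any(control_ok.values()):
        verdict = "offline"        # nothing resolves: no conclusion possible
    elif all(vendor_ok.values()):
        verdict = "clean"          # no sign of selective blocking
    elif not any(vendor_ok.values()):
        verdict = "suspect"        # controls work, vendors all fail
    else:
        verdict = "inconclusive"   # mixed results: retry before acting
    return {"verdict": verdict, "vendors": vendor_ok, "controls": control_ok}


if __name__ == "__main__":
    result = assess(dns_probe)
    print("verdict:", result["verdict"])
    for host, ok in {**result["controls"], **result["vendors"]}.items():
        print(f"  {'ok  ' if ok else 'FAIL'} {host}")
```

A "suspect" verdict is a prompt to run steps 2 to 4, not proof of infection; a captive portal or a corporate web filter can produce the same pattern.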

Since I heard this report last night, and it's been so widely reported, it's quite assuredly not an April Fool's joke.  The threat this thing poses - especially for those without legal copies of Windows XP - is real.

I am sorry to break it to you, and not many have claimed it on the net so far, but it is.

Just look at the information on the Symantec website about it.

Next to that Slashdot reporting:

'... shortly after midnight local time, an ATM in the capital city of Reykjavik began spewing 100-Krona notes. ... A nuclear missile installation near Elmendorf Air force Base outside of Anchorage, Alaska briefly went on a full-scale military alert after technicians manning the bunker suspected that several of their control systems were infected with Conficker.'

And according to WP:

The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta.

Does anyone really know anyone, anyone at all? Related, non-related, friends, long-lost family or even someone vague claiming he has the worm?

There is no data at all on the files involved, removal instructions or which vulnerability in Windows 2000 - 2008 it addresses. (Notice an inconsistency in that line of operating systems ;) ).

Only known actions have been from an ATM in a place no one ever visits or even knew existed until today and an Air Force base in Alaska?

Not even my spyware-, dialer- and malware-infected virtual test computer managed to get the worm after 20.120+ sites with illegal DVDs, music files and p0rn.

I give you some extra credits though if you know the target of the last worm (hint, I love you) that was supposed to execute a DDOS on April 1st. Bonus points if you can tell me what action they took to keep windowsupdate safe from it.


Oh I don't doubt the timing was deliberate, and the entire thing was designed to initiate panic in the masses about things going bang today, only for them to spectacularly... not.

But users still need to be careful - even though nothing has happened, the worm is real.  Should it ever be activated (which it likely will) then it will create one of the largest potential botnets ever.  No, you shouldn't go panicking about your hard drive failing, but you should treat Conficker (or Downadup, or whatever you want to call it) as you would any spyware or malware you find on your PC - you should remove it.

The problem with your question as to knowing anyone who has the worm is that most people who have it don't know.  Like I said, it apparently has the ability to mask its presence on a host computer.  See Microsoft's Page on the worm for more info.

It's important that people don't let the 1st of April be a reason to ignore things like this.  It's just another version of peer pressure - people not taking things seriously out of embarrassment at potentially being wrong.  Akin perhaps to not running out of a room when you see smoke billowing through the cracks of the door, simply because no-one else in the room with you is moving. :)


I'm convinced it was a successful marketing campaign by antivirus companies to get people to buy their products.

I heard of this virus non stop all week.

Now they will be talking about it for the next week and how it turned out to be nothing.


The application addresses a Windows security flaw after the flaw was patched by Microsoft. And no Antivirus software has provided information about the files or configuration of the worm. The most essential thing. Unless Symantec and Microsoft are posting the files or registry keys involved it's just a big joke. Issuing a warning for something on your computer that no one can identify.

The problem with your question as to knowing anyone who has the worm is that most people who have it don't know. Like I said, it apparently has the ability to mask its presence on a host computer.

The problem is that no one has a copy of the thing. Knowingly or unknowingly. It should at least be published somewhere like all other threats.

If you yell hard enough on the Net, people will eventually think you are right...


Plenty of people have a copy of it.  Over 10 million infected PCs, it is estimated.  As to what the worm itself does, have a look at this URL: link.

Regardless of the timing of the thing, there is no doubt as to whether or not it's a valid threat - it is.  The media hype it has created was not warranted, perhaps, since most legitimate XP users have nothing to worry about... but that's no reason to ignore it.

A quick search of Google News returns this article (among others).  It describes the situation in terms of the danger this virus really presents.  It's not going to end the internet, and it's going to have less and less effect as time goes on.  It's still one of the most sophisticated worms ever and should be treated as a risk.

What I've described above isn't a case of "lock your doors and hide under the bed, the end of the world cometh" - it's just a few checks to make sure you're not one of the ten million.  There's no harm in being cautious.


Personally I am trusting this a lot more ;)

The most sophisticated worm, and yet the designers failed to do anything with it.

My previous reference to the I Love You virus was not meant as a joke. We all know it, but I doubt you know the function of it.

If over 10 million computers have it, how come no one has reported an infection by it? And no one has access to the files the worm uses. Do you have any idea how odd it is that Symantec, Sophos and McAfee have neither the files themselves nor instructions on their sites that lead to the actual files on your computer?


There have been reported infections, from as high up as certain governments worldwide.  I think it was France that had to ground a few of their jets for a time, because they needed to shut down a computer system that provided the pilots with flight plans.

I've been watching that War Room site since it started posting earlier today, and it's more of a dig at the huge hype that surrounded the issue.

McAfee do have a copy of the worm - the site I linked to you, describing what it does, is owned by McAfee.  Since other anti-virus companies have also developed remedies, I assume that at least some of them also have copies.

The designers of the worm were likely put off by the media attention Conficker got.  It's unprecedented, since worse worms have been and gone since... but none so widespread.

To summarise: people have reported infections, people do have access to the files the worm uses, and I recall the ILOVEYOU virus quite well, but that was back in the day when attacks were focused on doing damage, rather than harvesting personal details.

In the end, time will tell.  I expect to hear some news about attacks / loss of data within the next week or two, before the majority of the approximately 10 million have a chance to react.  But then again, if a lot of them are of the opinion that this thing doesn't exist (either because it's the 1st of April or that they believe it's a marketing ploy), then maybe the designers can wait longer before sending it instructions.

To be honest, gryphon, I hope you're right, and this is nothing more than malicious - yet inert - code, that will never be used.  But all I'm saying is that it can't hurt to be safe - free tools / checks are available to remove the worm and defend against it.  Better safe than sorry.


  • 2 weeks later...

It's serious if you are infected. No different than any other virus/malware (most notably 'antivirus 2009', which is the only one I've seen in several years).

The fact that you are able to log in to a forum and make posts shows your computer intelligence is high enough that you're probably never going to see it. Only those that click/install everything on the internet will be affected. People who believe that they should install 'antivirus 2009' when they see an ad or popup to prevent viruses are the ones who get screwed.

