
Posts Tagged ‘ms08-067’

Conficker.D worm Doomsday – 1st April

March 30th, 2009

Microsoft sent a bulletin to us at work, with some additional internal memos about this. In their bulletin, they mentioned a collective (the Conficker Working Group) specifically created to combat this virus and a note about the $250,000 reward for the culprits. However, the main detail here is the possibility that 1st April will be the trigger date for the Conficker.D variant to initiate contact with internet domains. Perhaps after contact, the instructions will be to redirect you to another URL that has the real payload. But I suppose we won’t know until it actually happens. The full blog entry by Microsoft can be read here.

As stated, this behaviour is the same as Conficker.B but widens the scope considerably in terms of how many domains, across how many top-level domains, the worm will try to contact each day for updates. This no doubt indicates that the virus writers want to make the update channel as hard to block as possible. If you were like me, then you would have been fully security patched by now across all affected platforms. The main things to do are:

  • Update your systems with MS08-067 (KB958644), the Server service vulnerability the worm exploits to spread over the network
  • Keep your AV software up to date with the latest definitions
  • Monitor TCP port 445 (SMB) traffic if possible; an infected host shows up as a flood of connection attempts to port 445 across every subnet it can reach

Taking precautions is the main thing, and if you are sensible, you will not encounter this virus at all. Given how this worm is still causing problems, mainly in enterprise environments, all system administrators should be fully up to speed with this. Our company policy of banning USB devices is still in place, and we have resorted to burning files onto CD/DVD R/W. However, in certain cases we have permitted usage of USB drives. We have separate “sheep-dip” machines, which are completely standalone, with McAfee VirusScan Enterprise 8.5 installed. It seems to do the trick: we scan the USB drives prior to usage, copy the files you need and then scan them again afterwards.



Conficker virus, aka W32.downadup

January 10th, 2009

This little gem has been plaguing corporations all over the world, thanks to a Ukrainian virus writer. Something to do for those cold winter nights, I suppose, when you have no gas.

It acts as a botnet of sorts, and once infected the machine starts a small HTTP server from which newly exploited hosts download a copy of the worm, spreading it further. Another method of transportation is via USB drives with autorun enabled. Signs of infection include hundreds of outbound connections to TCP port 445 (SMB) from one process; run netstat -on (or netstat -ano to include listening sockets) at the command prompt and look for a single PID with many entries in SYN_SENT to :445 on different hosts. Also, access to admin shares is lost, and other file shares could be affected.
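The netstat check just described (and the "monitor port 445 traffic" advice in the April post above), as an added example that is not part of the original post: a script that parses netstat -ano style output, groups outbound TCP connections to port 445 by owning PID, and flags any process talking to an unusually large number of distinct SMB peers, separately counting peers outside the subnets you consider local. The snapshot it scans is constructed inline (PID 1234, the 10.0.1.0/24 range and the threshold of 20 peers are all assumptions for illustration, not values from the post); on a real machine you would feed it the saved output of `netstat -ano` instead.

```python
"""Flag processes hammering TCP port 445 in a `netstat -ano` snapshot.

Added example for the Conficker post; not the post author's code.
PID 1234, the addresses and the threshold below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

SMB_PORT = 445
# Assumption: the subnets this host is normally connected to. Peers outside
# these count as "external", which the post notes the worm also probes.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_netstat(text):
    """Parse Windows `netstat -ano`-style output into a list of TCP rows.

    Header, UDP rows and anything with an unexpected column count are skipped.
    Addresses are split on the last ':' so IPv6 forms like [::1]:445 work.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({
            "local": lhost, "lport": int(lport),
            "remote": rhost, "rport": int(rport) if rport.isdigit() else None,
            "state": state, "pid": int(pid),
        })
    return rows


def is_external(host):
    """True when the peer address lies outside LOCAL_NETS (unparseable -> False)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def find_smb_scanners(rows, threshold=20):
    """Return {pid: summary} for PIDs with >= threshold distinct port-445 peers.

    A legitimate SMB client has a handful of peers (file servers); a worm
    sweeping a subnet shows dozens of SYN_SENT entries to different hosts.
    """
    peers = defaultdict(set)
    states = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["rport"] != SMB_PORT:
            continue
        peers[r["pid"]].add(r["remote"])
        states[r["pid"]][r["state"]] += 1
    hits = {}
    for pid, hosts in peers.items():
        if len(hosts) >= threshold:
            hits[pid] = {
                "peers": len(hosts),
                "states": dict(states[pid]),
                "external": sum(1 for h in hosts if is_external(h)),
            }
    return hits


def build_sample_netstat(peer_count=60):
    """Constructed snapshot (not real data): PID 1234 sweeping 10.0.1.0/24 plus two
    outside addresses, one normal SMB session, a listener and a UDP line."""
    lines = ["  Proto  Local Address          Foreign Address        State           PID",
             "  TCP    10.0.1.50:49160        10.0.1.5:445           ESTABLISHED     4",
             "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
             "  UDP    0.0.0.0:137            *:*                                    1000"]
    for i in range(1, peer_count + 1):
        lines.append(f"  TCP    10.0.1.50:{50000 + i}        10.0.1.{i}:445          SYN_SENT        1234")
    for ip in ("203.0.113.7", "198.51.100.20"):
        lines.append(f"  TCP    10.0.1.50:51000        {ip}:445         SYN_SENT        1234")
    return "\n".join(lines)


if __name__ == "__main__":
    for pid, info in find_smb_scanners(parse_netstat(build_sample_netstat())).items():
        print(f"PID {pid}: {info['peers']} distinct port-445 peers "
              f"({info['external']} external), states {info['states']}")
```

The threshold is the only tuning knob: on a workstation anything beyond a dozen distinct SMB peers is suspicious, while a backup server or domain controller will legitimately talk to many hosts, so run it against a known-clean baseline before alerting on it. Pair the flagged PID with `tasklist /svc` to see which service the svchost instance is hosting.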

Removal
First thing is to patch your machine with this security patch from MS: Microsoft Security Bulletin MS08-067 – Critical (KB958644)

Secondly, update your anti-virus software with the latest definitions. For a standalone removal tool, go to Trend Micro and download with the latest definition files:
Sysclean scan and removal
Latest Control Pattern file
Spyware detection and cleanup
Run sysclean.com once all files are extracted, and it will scan the current machine.

Funnily enough, we decided to go to PCWorld and buy the latest Kaspersky 2009 AV software for our standalone PCs. To our surprise it did not detect the virus at all; forums suggest the Kaspersky ruskies are working on a solution for detection and removal. Also, our AV for the corporate network, eTrust by Computer Associates, did not initially detect it until a policy update was applied. According to the techs at CA, it was classed as low risk and not critical. Obviously CA were caught napping when the bulletin was released in October. Nod32 by Eset finds it quite happily without creating too much fuss; the same goes for McAfee if you have the latest DATs.

Information on the worm from McAfee

Even though they have marked this as low risk, it can be very disruptive. Losing access to file servers containing critical data for everyday operations isn’t exactly productive. I have also found that the hammering of port 445 will slow your network down to a crawl, as it will do this on every subnet you are connected to and try to do the same for external IP addresses as well.

