Conficker information and links - distribute widely!

31 March 2009

As you have probably heard on the news, a new beastie has been making its rounds on the Net, infiltrating Windows machines and awaiting the coming of the first of April - April Fool's Day. Unfortunately, like Y2K and the Michelangelo virus, there is an incredible amount of misinformation out there making this worm out to be The End of the Net As We Know It - to hear some of the chatterbox talking heads, the milk in your fridge could curdle and your cat will marry your dog if your workstation gets infected. To be fair, nobody's sure what Conficker will do once all of the infected machines start pulling orders from web servers controlled by whoever developed this software. To the best of my knowledge, AV researchers have not gotten their hands on copies of the payload that will be deployed. What is known is that it can spread on its own by exploiting an older bug in Windows, by throwing dictionary attacks against user accounts (you DO have a good password, right?), by copying itself to shared drives on the network, and by riding in on removable media (like USB keys).

First and foremost, spend a few minutes learning about Conficker.C (or .D - thanks heaps, Microsoft), Net-Worm.Win32.Kido, Win32.Worm.Downadup.Gen, or whatever your favorite AV company is calling it these days. The tireless team over at the Internet Storm Center has assembled a collection of links to good information about this worm, which you should spend at least a few minutes reading. The first couple of links on their page lead to procedures for removing the malware from an infected box manually, should it come down to that. Thankfully, there are also links to nearly a dozen utilities that will locate and eradicate the malware automatically; these utilities are free and were developed by reputable companies (like Microsoft, Sophos, McAfee, and Symantec). If you're concerned that you might run into some infected machines, you might want to download one or two of them and burn them to a CD to carry around with you just in case.

I strongly suggest that you open another tab or window in your browser and go directly to Windows Update to install the latest available updates for your machine. Conficker propagates by exploiting a vulnerability in Windows 2000, XP, and Server 2003 known as MS08-067, a vulnerability which, I hasten to add, Microsoft confirmed in October of 2008. This is not a 1337 0-day exploit; you should already have patched this bug.
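A quick defender-side audit of a Windows host against the spread vectors listed above (the MS08-067 bug, password guessing, and removable media), added here as an example and not part of the original post. It assumes that KB958644 is the hotfix id of the MS08-067 update, that NoDriveTypeAutoRun set to 0xFF disables Autorun for every drive type, and that `net accounts` prints a "Lockout threshold" line:

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumptions: KB958644 is the MS08-067 hotfix id (XP/2003/Vista/2008);
# NoDriveTypeAutoRun=0xFF turns Autorun off for all drive types;
# "net accounts" reports "Lockout threshold: Never" when no lockout is set.

$findings = @()

# 1. Is the MS08-067 patch installed? (worm's remote exploitation vector)
$kb = 'KB958644'
$patched = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $kb }
if (-not $patched) {
    $findings += "MS08-067 ($kb) is NOT installed - run Windows Update now."
}

# 2. Is Autorun disabled for every drive type? (removable-media vector)
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autorun) { $autorun = 'not set' }
if ($autorun -ne 0xFF) {
    $findings += "Autorun is not fully disabled (NoDriveTypeAutoRun=$autorun, want 255)."
}

# 3. Is there an account lockout threshold? (dictionary-attack vector)
$lockout = (net accounts) | Select-String 'Lockout threshold'
if ($lockout -match 'Never') {
    $findings += 'No account lockout threshold - password guessing is unthrottled.'
}

if ($findings.Count -eq 0) {
    Write-Host 'No obvious exposure to the spread vectors described in the post.'
} else {
    $findings | ForEach-Object { Write-Host "WARNING: $_" }
}
```

The Autorun and lockout checks read local settings only; on a domain-joined machine, Group Policy may override them, so confirm the effective policy with `gpresult` or `rsop.msc`.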

Next, for the love of Alan Turing, install and run antivirus software on your machine. I run Avast! Home Edition on my Windows instances. It's free to download and install, but you have to register with your e-mail address to get the one-year free home-use license key. In the three or so years that I've been using it, not once have I ever received spam from Avast! at the e-mail address I registered with. The turnaround time to get the reg key is fast, on the order of a couple of minutes (if that).

Here's hoping that tomorrow won't be fun in a colonoscopy sort of way.