<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; conficker</title>
	<atom:link href="http://www.gfi.com/blog/tag/conficker/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 10 Feb 2012 17:18:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Computer Security in the News</title>
		<link>http://www.gfi.com/blog/computer-security-news/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=computer-security-news</link>
		<comments>http://www.gfi.com/blog/computer-security-news/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 10:24:16 +0000</pubDate>
		<dc:creator>Clifford Farrugia</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=185</guid>
		<description><![CDATA[Viruses, Trojans, worms, spyware, malware, rootkits, phishing, botnets, cross-site scripting, vulnerabilities… the list of buzzwords goes on. These words all mean something to us in the security arena, but for the general public they’re just indistinguishable words that geeks use. &#8230;]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-192" style="margin: 10px;" title="computer-security-conficker-virus" src="http://www.gfi.com/blog/wp-content/uploads/2009/06/computer-security-conficker-virus-300x200.jpg" alt="" width="240" height="160" />Viruses, Trojans, worms, spyware, malware, rootkits, phishing, botnets, cross-site scripting, vulnerabilities… the list of buzzwords goes on. These words all mean something to us in the security arena, but for the general public they’re just indistinguishable words that geeks use.</p>
<p>Every few months, some new threat sparks up in the news and every other journalist who doesn’t really know what the threat is about wants to write an article about it to raise awareness. I remember one instance when I was younger, on 31st March of some year in the last millennium: my sister had told me not to turn on the computer on 1st April because we’d get a virus. My reaction was “Huh? Can’t we get a virus every day?”, to which the reply was “Maybe, but I’ve heard that whoever uses the computer on 1st April will get a virus.”</p>
<p>All these years have passed and I couldn’t believe I was experiencing the same thing again. I’m obviously talking about the Conficker worm. I’m not saying that awareness is a bad thing or that malware threats should not be reported. However, I think that it’s about time that the general public is educated in another manner.</p>
<p><span id="more-185"></span>Conficker infected millions of machines by exploiting a vulnerability in the Windows Server service, which is reachable over the network through RPC. What most people never got to know was that Microsoft had already fixed this vulnerability when Security Bulletin MS08-067 was released on 23rd October 2008. The first variant of Conficker was discovered on 20th November 2008, almost a whole month after the fix was available. In other words, if all users had kept their systems up to date, this worm would never have started to propagate, and the worldwide panic that followed would have been avoided.</p>
<p>It’s time that everyone starts to think about protecting their systems all year round instead of just reacting to overhyped news. You wouldn’t leave the doors and windows of your house open and then panic when an intruder walks in! People have had front doors for thousands of years, so why should the security of a computer be treated differently? It’s about time that even grandma understands that a computer connected to the Internet is like a house on a public street: if you leave it open, intruders from outside can come in.</p>
<p>So what can the average person do?</p>
<p>First, keep your software up to date, especially the operating system. If all systems were kept up to date, most malware outbreaks would never occur. Second, some form of anti-virus technology should be present. In a home environment, normally the only option is a client-based AV; in companies, email can be scanned at the gateway, and so can web downloads. Third, every computer user should be educated, and by this I don’t just mean a one-time boring speech that is delivered and forgotten, but continuous reminders of what is safe and what isn’t. Don’t we get adverts warning us not to drink and drive? So why shouldn’t companies put up notices warning their users not to open animated emails to watch singing kittens?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/computer-security-news/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker, at the airbase and hospital near you…</title>
		<link>http://www.gfi.com/blog/conficker-airbase-hospital-near-you/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=conficker-airbase-hospital-near-you</link>
		<comments>http://www.gfi.com/blog/conficker-airbase-hospital-near-you/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 08:45:32 +0000</pubDate>
		<dc:creator>Miro Stauder</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=4</guid>
		<description><![CDATA[Old news: Fighter jets grounded, base infected with Conficker! Recent news: Hospital equipment infected by Conficker worm! What? How can a supposedly secure environment like a military installation or a hospital catch a worm? Panic everywhere. Why is everyone so &#8230;]]></description>
			<content:encoded><![CDATA[<p>Old news: <a href="http://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes-grounded-by-computer-virus.html" target="_blank">Fighter jets grounded, base infected with Conficker!</a><br />
Recent news: <a href="http://news.cnet.com/8301-1009_3-10226448-83.html" target="_blank">Hospital equipment infected by Conficker worm!</a></p>
<p><strong>What?</strong> How can a supposedly secure environment like a military installation or a hospital catch a worm? <a href="http://www.wired.com/threatlevel/2009/03/will-conficker/" target="_blank">Panic everywhere</a>.</p>
<p><a class="lightbox" title="worm" href="http://www.gfi.com/blog/wp-content/uploads/2009/05/worm.png"><img class="alignright size-medium wp-image-98" style="margin: 10px;" title="Conficker worm" src="http://www.gfi.com/blog/wp-content/uploads/2009/05/worm-300x300.png" alt="" width="240" height="240" /></a>Why is everyone so scared of Conficker? The worm basically does nothing! It only tries to dig in and wait. According to a built-in timer, something was supposed to happen on April 1st 2009. April 1st came and went, and nothing happened. Everyone was expecting a doomsday scenario in which the worm would do something horrific, but nothing happened apart from an update to a newer version, followed by more waiting for commands. So far, five versions of the worm have been observed, labelled A, B, C, D and E. They seem to be modifications of the original, made as the author tries to get things right and build a bigger bot army.</p>
<p><span id="more-4"></span>Only the latest version, E, has been observed actually doing something: sending spam and installing scareware. Technically, it’s not Conficker itself that does this; it’s the payload that it downloads and executes on demand.</p>
<h2>So why is it so dangerous?</h2>
<p>The <strong>payload </strong>is the keyword. The infected machine is at the disposal of the attacker to do anything he wants. An unknown payload executed on demand could be anything from DoS attacks to extortion, spamming to spying. The worm also updates itself to enhance its own capabilities, and it patches, in memory, the very hole it came in through, so that competing worms cannot follow it in. Very flexible, isn’t it? All of this is protected by digitally signed and encrypted updates, so the botnet cannot simply be hijacked by someone else who learns how the update channel works.</p>
<h2>How does the thing actually spread?</h2>
<p>It spreads in two ways:</p>
<ul>
<li>Network</li>
<li>Removable Storage</li>
</ul>
<p>The worm attacks a known vulnerability in the Windows Server service, reached through RPC over SMB on TCP port 445, the same port used by the services behind Windows file sharing. A patch for this hole, MS08-067, was released in October 2008; regardless, the worm still succeeded in spreading. The other way of spreading is old-fashioned copying: it places a copy of itself on removable storage and uses the autorun feature to get itself executed on the next machine the drive is plugged into. Also worth mentioning is a dictionary attack against administrative network shares (ADMIN$), trying a list of common passwords, but this might not have been a very successful infection vector, because it seems to be missing from the latest versions of the worm.</p>
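<p>As an added example (not code from the original post or from GFI), here is a small Python inspector for the removable-storage vector described above. It parses an autorun.inf the way Windows does, tolerating junk lines and comments before the section, and flags launch entries that look like a dropped payload rather than a vendor’s setup program. The sample file, the RECYCLER path, the file names and the heuristics are constructed for illustration and are not taken from Conficker’s actual autorun.inf.</p>

```python
import re
from typing import Dict, List, Tuple

# Keys in an [autorun] section that make Windows run something when the
# volume is inserted or opened. "shell\<verb>\command" keys rebind the
# Explorer context-menu verbs (Open, Explore, ...) the same way.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [autorun] section.

    Windows parses the file as a loose INI: lines before the section header
    are ignored, keys are case-insensitive, ';' lines are comments and
    anything that is not key=value is skipped. A worm can pad the file with
    junk to confuse naive scanners, so this parser is equally tolerant.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Heuristics for a launch entry that stages malware rather than a
    vendor's setup program. Returns (key, value, reason) triples."""
    findings = []
    launch_keys = [k for k in entries if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]
    for key in launch_keys:
        cmd = entries[key].lower()
        reasons = []
        if "rundll32" in cmd or "cmd.exe" in cmd or "wscript" in cmd:
            reasons.append("launched through rundll32/cmd/wscript")
        if "recycler" in cmd or "system volume information" in cmd:
            reasons.append("target lives in a hidden system directory")
        if re.search(r"\.(dll|scr|pif|bat|vbs|vmx|dat)\b", cmd):
            reasons.append("non-.exe payload")
        if reasons:
            findings.append((key, entries[key], "; ".join(reasons)))
    # Social-engineering check: an Action label that imitates Windows' own
    # "Open folder to view files" AutoPlay choice next to a launch entry.
    action = entries.get("action", "").lower()
    if launch_keys and action.startswith("open folder"):
        findings.append(("action", entries["action"],
                         "imitates the built-in 'open folder' AutoPlay entry"))
    return findings


def scan_autorun(text: str) -> List[Tuple[str, str, str]]:
    """Parse and flag in one call, for use on the root of a removable drive."""
    return suspicious_entries(parse_autorun(text))


# Constructed sample (not Conficker's real file): junk and a comment before
# the section, then a non-exe payload run through rundll32 from RECYCLER.
SAMPLE_AUTORUN = "\n".join([
    "\x7f\x16\x02 ]Q2z8RLU/s",
    "; comment line",
    "[AutoRun]",
    "",
    "Action=Open folder to view files",
    "Icon=%SystemRoot%\\system32\\shell32.dll,4",
    "ShellExecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-EXAMPLE\\payload.dat,Start",
    "UseAutoPlay=1",
])

# Constructed benign file of the kind a software vendor ships on a CD.
BENIGN_AUTORUN = "[autorun]\nopen=setup.exe\nicon=setup.exe\nlabel=Product CD\n"

if __name__ == "__main__":
    for key, value, reason in scan_autorun(SAMPLE_AUTORUN):
        print(f"{key}={value}\n    -> {reason}")
```

<p>Read the file from the root of a drive with <code>open(path, "rb").read().decode("latin-1")</code> so binary padding does not break the decode, then pass the text to <code>scan_autorun</code>. The constructed vendor CD file produces no findings; the constructed worm-style file produces two: the rundll32 launch from a hidden directory, and the Action label imitating Windows’ own AutoPlay choice.</p>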
<h2>How to spot the infection?</h2>
<p>Conficker uses a number of self-defence mechanisms, which are a giveaway. It disables a number of services: Automatic Updates, Security Center, Windows Defender and Error Reporting. It also creates its own service to stay resident; the service name is constructed from two random words taken from the names of other services. Another type of self-defence is blocking DNS lookups for domain names related to AV products and Windows Update. The Conficker Working Group’s <a href="http://www.confickerworkinggroup.org/infection_test/cfeyechart.html" target="_blank">eye chart</a> exploits exactly this: it loads images from several AV vendor sites, and on an infected machine those images fail to appear.</p>
<p>An infection can also be spotted using a professional product. Most AV vendors offer a stand-alone tool to detect a Conficker infection. <a href="http://www.gfi.com/lannetscan">GFI LANguard 9</a> is also capable of detecting infected machines remotely, as well as detecting missing patches regardless of infection. Once an infection is detected, a removal tool should be run and the systems should be patched to avoid reinfection.</p>
<p>Back to the question: how can this worm spread into supposedly secure institutions? Well, the problem mostly lies in people: people who are naïve or who do not follow the security guidelines set by the organization.</p>
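<p>As an added example (not code from the original post, from GFI LANguard or from any vendor’s removal tool), the service-based indicators above can be checked from a script. The Python below parses the output of <code>sc query state= all</code>, reports which of the named defence services are present but not running, and shortlists services whose display name is built from two words borrowed from other services’ display names. The service listing, the planted service name <code>nethlpr</code> and the baseline set are constructed; the two-word heuristic produces candidates for manual review, not a verdict.</p>

```python
import re
from typing import Dict, List, Set

# Service names of the defences the worm is reported to stop. WinDefend is
# absent on a plain XP install, so a missing service is not a finding.
DEFENSE_SERVICES = {
    "wuauserv": "Automatic Updates",
    "wscsvc": "Security Center",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
}
WORD_RE = re.compile(r"[A-Za-z]+")


def parse_sc_query(output: str) -> List[Dict[str, str]]:
    """Parse `sc query state= all` output into {name, display, state}
    records. Records are separated by blank lines."""
    services: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped:
            if current:
                services.append(current)
                current = {}
        elif stripped.startswith("SERVICE_NAME:"):
            current["name"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("DISPLAY_NAME:"):
            current["display"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("STATE"):
            # "STATE : 1  STOPPED" -> "STOPPED"
            current["state"] = stripped.split(":", 1)[1].split()[-1]
    if current:
        services.append(current)
    return services


def stopped_defenses(services: List[Dict[str, str]]) -> List[str]:
    """Defence services that exist on the host but are not running."""
    by_name = {s["name"].lower(): s for s in services}
    hits = []
    for name, label in DEFENSE_SERVICES.items():
        svc = by_name.get(name.lower())
        if svc is not None and svc.get("state") != "RUNNING":
            hits.append(f"{name} ({label}): {svc.get('state', 'UNKNOWN')}")
    return hits


def borrowed_name_services(services: List[Dict[str, str]], baseline: Set[str]) -> List[str]:
    """Heuristic for the worm's own service: not in the golden-image
    baseline, display name of exactly two words, each word already used by
    some other service's display name. A shortlist, not a verdict."""
    users: Dict[str, Set[str]] = {}
    for s in services:
        for w in WORD_RE.findall(s.get("display", "")):
            users.setdefault(w.lower(), set()).add(s["name"])
    flagged = []
    for s in services:
        if s["name"].lower() in baseline:
            continue
        words = WORD_RE.findall(s.get("display", ""))
        if len(words) == 2 and all(users[w.lower()] - {s["name"]} for w in words):
            flagged.append(s["name"])
    return flagged


def report(output: str, baseline: Set[str]) -> Dict[str, List[str]]:
    services = parse_sc_query(output)
    return {"stopped_defenses": stopped_defenses(services),
            "suspect_services": borrowed_name_services(services, baseline)}


# Constructed, abbreviated `sc query state= all` output for an XP-era host
# (not captured from a real infection); nethlpr is the planted suspect.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        STATE              : 1  STOPPED

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        STATE              : 1  STOPPED

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
        STATE              : 1  STOPPED

SERVICE_NAME: lmhosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
        STATE              : 4  RUNNING

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
        STATE              : 4  RUNNING

SERVICE_NAME: nethlpr
DISPLAY_NAME: Network Helper
        STATE              : 4  RUNNING
"""

# Constructed baseline: lower-cased service names expected on the golden image.
BASELINE = {"wuauserv", "wscsvc", "ersvc", "w32time", "lmhosts", "netman"}
```

<p>On a suspect host, save the listing with <code>sc query state= all > services.txt</code>, read that file and pass its text to <code>report</code> together with the service names from a known-clean build of the same image. Three stopped defences plus a two-word service nobody recognises is the pattern the post describes; a single stopped service on its own is not, since administrators disable Error Reporting and Security Center deliberately all the time.</p>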
<ul>
<li><strong>Developers:</strong> Environment choices. Running a full Windows system inside an embedded black box such as an MRI scanner or a heart monitor might not be the best choice.</li>
<li><strong>Administrators:</strong> Choosing not to update systems as required; in some cases being unable to do so because of the black-box nature of a system that only the vendor is allowed to update, which leads to substantial delays in patching and leaves the system vulnerable.</li>
<li><strong>End users:</strong> Not following the rules, and trying everything to work around restrictions.</li>
</ul>
<p>So, what can we expect to see of Conficker in the future? According to <a href="http://www.viruslist.com/en/weblog?weblogid=208187675" target="_blank">some research</a>, there are now only around 200,000 infected machines. However, this might be just the tip of the iceberg, because that count covers only the latest version of the worm, version E.</p>
<p>Version E is set to <a href="http://www.securecomputing.net.au/News/142643,conficker-e-set-to-become-dormant-on-may-3.aspx" target="_blank">expire on 3rd May 2009</a>, but the previous versions are not. Are all versions destined to eventually upgrade to E and retire? Has it served its purpose? Is it going to be replaced by something else?</p>
<p>More questions than answers; the future will tell. The moral of the story so far: <strong>keep your systems updated</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/conficker-airbase-hospital-near-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

