Conficker worm growing…

Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. More info, read “About this blog”.
Photo: Pink Sherbet Photography on Flickr (http://flickr.com/photos/pinksherbet/). CC Attribution.

Conficker, the network worm exploiting the MS08-067 vulnerability that I’ve mentioned previously, has continued to evolve and several new variants (.B/.C most prominent) have been discovered.

The impact this worm is making is becoming bigger, but here in Panda Sweden we haven’t drowned in work yet. The stories I’ve heard so far are the usual ones, with users and consultants bringing infected units (or USB sticks) into the network and then infecting unpatched machines that had previously been hiding behind the corporate firewall. So far it doesn’t seem too bad here though and I’m holding my thumbs that people learned to patch their machines back in 2004 ;)

That’s also all that it comes down to. Patching your machines. If you’re here looking for an easy solution to the mass infection in your network you’re probably too late. You should have thought about patching before you got infected. Not after. However, what you need to do now in order to resolve your situation is to:

- Patch your workstations and servers. Read MS Security Bulletin MS08-067. Patching can be done in a million ways. If you’re currently lacking a patching solution, look into Microsoft WSUS for a free (as in free beer, not freedom) solution. To identify unpatched or otherwise insecure systems, you can use the Microsoft Baseline Security Analyzer. This tool will also identify weak passwords, something that Conficker uses to spread in local networks.

- Disinfect the infected machines. Again, this can be done in several ways depending on your current situation and I would recommend contacting your anti-malware/anti-virus vendor for exact instructions. Some of us have specialized tools available for rapid deployment through scripts etc. so you don’t have to change into your jogging shoes ;) A good start before you call is to make sure the machines actually have protection installed and updated though. If not, install it and make sure it’s updated. If you’re a single user you can clean your machine using online scanners such as ActiveScan 2.0. If you’re using a Panda Security solution you can find your local office here.

- Learn from your mistakes. Get a patch routine going and a monitoring system running. Make sure your anti-malware solution is up & working, and then implement a process to ensure that it’ll do so in the future as well.

Also keep in mind that Conficker, besides the normal worm behaviour and what I’ve mentioned in previous posts, infects USB sticks and other portable storage as well. It does this by placing malicious files on the media and auto-running them using the autorun and autoplay features when they’re connected to a computer.
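The autorun behaviour described above can be checked on a mounted drive before anyone opens it. The following is an added example, not code from this post or from Panda Security: it lists the entries in a volume's autorun.inf that would start a program. The function names and the sample file contents are constructed for illustration.

```python
import re
from pathlib import Path

# autorun.inf keys that make Windows start a program from the media.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample: mixed case, a junk line, and a second section to ignore.
SAMPLE = (
    b"[AutoRun]\r\n"
    b";constructed sample\r\n"
    b"\x01\x02garbage\r\n"
    b"Open = tool.exe\r\n"
    b"shell\\open\\Command=tool.exe /x\r\n"
    b"icon=setup.ico\r\n"
    b"[Other]\r\n"
    b"open=ignored.exe\r\n"
)


def launch_entries(raw: bytes):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    # Decode leniently so junk bytes between real lines cannot abort the scan.
    text = raw.decode("utf-16") if raw[:2] == b"\xff\xfe" else raw.decode("latin-1")
    in_autorun, found = False, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or SHELL_VERB.match(key):
            found.append((key, value.strip()))
    return found


def audit_volume(root):
    """Scan the top level of a mounted volume; an empty list means nothing auto-launches."""
    for entry in Path(root).iterdir():
        # Match the file name case-insensitively, as Windows does.
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            return launch_entries(entry.read_bytes())
    return []
```

Any entry returned for removable media that did not ship with an installer is worth a closer look before the drive is used on a Windows machine.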

More information: Panda Security 2, Panda Research, PC1News, Sophos, CA, Harry Waldron, F-Secure 2 3, MS Malware Protection Center, RegistryCleanerz.
