Thread: How to avoid prowling Conficker virus

How to avoid prowling Conficker virus

Computer users beware, Security experts have warned that the deadly Internet worm Conficker C is all set to strike back on April 1. According to Graham Cluley of security firm Sophos, Conficker C is programmed "to hunt for new instructions on April 1".

In January, the virus had infected more than nine million computers worldwide and was spreading at a rate of one million machines daily.

Here’s all about this virus: what it does, how it spreads, symptoms that you have been hit and also how to escape it.

One of the biggest virus
The malicious software had yet to do any noticeable damage, prompting debate as to whether it is impotent, waiting to detonate, or a test run by cybercriminals intent on profiting from the weakness in the future.

How it spreads
According to security experts, Conficker's most intriguing aspect is its multipronged attack strategy: It can spread three different ways. One is a vulnerability in Windows that Microsoft patched almost six months ago. The bug, which is in a file-sharing service that's included in all versions of the operating system, can be exploited remotely just by sending a malformed data packet to an unpatched PC.

Two, the worm can spread by password attacks, and third by copying itself to any removable USB-based devices such as flash drives and cameras. Anti-virus experts have warned that the worm can be easily spread between unprotected computers through the use of removable drives, such as USB sticks.

How to know that my PC has been hit?
Microsoft's advisory about Conficker lists several symptoms of infection, including these:

• Account lockout policies are being tripped.
  
• Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  
• Domain controllers respond slowly to client requests.
  
• The network is congested.
  
• Various security-related Web sites cannot be accessed.

In case your PC is showing any of these symptoms Microsoft recommends that you immediately use the MSRT to clean the machine. Users can download MSRT from Microsoft's site, or follow the instructions posted at its support site.

How damaging it is?
Once in a computer it digs deep, setting up defenses that make it hard to extract. The worm leaves the computer vulnerable to further exploitation by hackers and spammers, who are able to remotely download more malicious programs onto the computer, or even use the worm to help install software that will enable them to track and steal security information, such as banking logins or credit card information.

Malware could also be triggered to turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.

Cracks passwords
A troubling aspect of Conficker is that it harnesses computing power of a botnet to crack passwords. Repeated "guesses" at passwords by a botnet have caused some computer users to be locked out of files or machines that automatically disable access after certain numbers of failed tries.

Conficker uses brute force from the infected network of botnets to break the password of the machine being attacked.

Most vulnerable machines
According to Microsoft, unpatched Windows 2000, Windows XP and Windows Server 2003 machines are at the greatest risk. There are also reports from security companies, which highlight the danger to PCs running Windows XP Service Pack 2 and XP Service Pack3. Incidentally, these versions account for the bulk of Windows' market share.

Unpatched Windows Vista and Server 2008 systems are less likely to fall victim to these attack, since hackers need to authenticate access to the computer, in other words know the log-in username and password.

How to escape the worm
Microsoft advises people to stay current on anti-virus tools and Windows updates, and to protect computers and files with strong passwords. Microsoft issued a new series of security patches to try and help computer users defend their machines against the worm.

Security experts urge people to harden passwords by mixing in numbers, punctuation marks, and upper-case letters. Doing so makes it millions of times harder for passwords to be deduced.

Source: Indiatimes Infotech

Good one

Good one rameshjeee.
Adding to this, Conficker uses very specific vulnerability for propogating in network which is addressed by Micorosoft Patch 08-067. If your machine is not patched for this vulnerability, your system is likely to be infected.

http://www.microsoft.com/technet/sec.../MS08-067.mspx

Some more behaviours of this worm are
a. abnormal outgoing traffic to random IPs and ports
b. corrupted Autorun in drives
c. unwanted program in "Control Panel\Schedule Tasks"
d. blocks access to lot of security and antivirus sites
and lot of other behaviours.

Are You Infected? A Smart and Simple Test

A common tactic used by malware is to block the infected computer from connecting to the Web sites of antivirus and security companies. Such blocks are meant to prevent you and your antivirus program from getting help in removing the infection.

The Conficker worm and many other types of malware take this step, and one good thing that came out of all the hype and drama surrounding last week's April 1 doomsday for Conficker was this little gem from the Conficker Working Group, an industry coalition formed to fight the worm.

The group's "Conficker Eye Chart" pulls images from three sites that Conficker is known to block and displays them in a box. Below the box is a guide to interpreting how you see the images -- if they all show up you're in good shape, but if one or more doesn't display it could indicate a Conficker (or other malware) infection.

It's a smart and near-instantaneous test that couldn't be any easier, but keep in mind that if your computer uses a proxy server for Web traffic, which can be the case in some companies, you might be infected and still be able to see the images.

Click Here: "Conficker Eye Chart"

Also u should use open dns, its preventing the worm's spread.

And also disable the autorun feature on wonblows! i've already done that an year back, you all should do that too. It should prevent the most common way of malware spreading.

How to Disable Autorun