Since the April 1st Conficker target date came and went, people have been waiting for the other shoe to drop. And on Wednesday night, Conficker downloaded the update that people were expecting, via the P2P functionality that's part of the malware.
Dubbed Conficker.e, the new version appears to focus on that all-too-familiar item that malware writers want: money.
The new version is set to stop running on May 3rd, and what Conficker.e did in the meantime was download other malware to the already-infected host computers. Kaspersky Labs notes that it downloads, for example, a rogue antivirus app, Spyware Protect 2009. These types of apps frequently annoy the end user with pop-ups and more until they fork over some cash, in this case $49.95.
Trend Micro noticed that the worm also downloaded components of Waledac, which is a bot used by spammers.
Trend Micro also noted that Conficker.e once again has the ability to search for machines that are still vulnerable to the security hole that Microsoft patched in October, which led to Conficker infections in the first place. A previous update turned that capability off.
Now we have to wonder: what will happen on May 3rd?
April 1st has come and gone, but researchers are convinced we haven't seen the last of the Conficker worm. While there are ways to determine if you are infected, the Conficker Working Group has posted a simple and visual aid to help as well.
The Conficker Working Group is a group of organizations that have joined forces to fight the Conficker worm.
According to the site, the work on the "test" was done by Joe Stewart of SecureWorks.
All you have to do is go to the page and view the images there, and compare them to the table of results. It will indicate if you have Conficker A, B, C or none of the above.
The test uses the fact that Conficker blocks certain security Web sites. The logos are derived from the sites themselves, so if they can't load, then the sites are also likely to be blocked.
Of course, it's possible that the tested computer's browser has image loading turned off. Firefox users can check under Tools/Options and the Content tab (make sure Load Images Automatically is checked).
For Internet Explorer, look under Tools/Internet Options, then the Advanced tab. Scroll down to Multimedia and Show Pictures should be checked.
For Chrome, that option isn't available, so if you're not seeing images, you could be in trouble.
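The chart's logic, as an added example that is not part of the original post or the Working Group's page: try a handful of security-vendor sites plus a control site that Conficker has no reason to block, and read the pattern. A failed control site means "no network or images off", not "infected". The hostnames and the control site are assumptions of mine, not the chart's own list.

```python
"""Reachability check in the spirit of the Working Group's eye chart."""
import urllib.request
import urllib.error
from typing import Callable, Dict

# Constructed lists: vendors named in the post, plus a neutral control site
# that is assumed to load on a clean, connected machine.
SECURITY_SITES = ["www.symantec.com", "www.kaspersky.com",
                  "www.trendmicro.com", "www.f-secure.com", "www.mcafee.com"]
CONTROL_SITES = ["www.example.com"]


def http_reachable(host: str, timeout: float = 5.0) -> bool:
    """True if an HTTP request to the host gets any response at all."""
    try:
        urllib.request.urlopen(f"http://{host}/", timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True   # a 4xx/5xx still proves the name resolved and connected
    except Exception:
        return False  # DNS failure, timeout, connection reset, and so on


def assess(fetch: Callable[[str], bool] = http_reachable) -> Dict[str, object]:
    """Classify the pattern of reachable sites.

    verdict values:
      "inconclusive" - the control site failed too (no network, HTTP off)
      "clean"        - everything loaded
      "suspect"      - control loads but every security site fails: the
                       name-based blocking pattern the post describes
      "partial"      - some security sites fail, some load
    """
    control_ok = any(fetch(h) for h in CONTROL_SITES)
    results = {h: fetch(h) for h in SECURITY_SITES}
    blocked = [h for h, ok in results.items() if not ok]
    if not control_ok:
        verdict = "inconclusive"
    elif not blocked:
        verdict = "clean"
    elif len(blocked) == len(SECURITY_SITES):
        verdict = "suspect"
    else:
        verdict = "partial"
    return {"verdict": verdict, "blocked": blocked, "control_ok": control_ok}


if __name__ == "__main__":
    print(assess())
```

A "suspect" verdict is a reason to run one of the removal tools from a different PC, not proof of infection on its own; a DNS filter or proxy policy can produce the same pattern.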
If you have Conficker, check my prior post that lists sites where you can find removal tools, though if you can't access security sites, you'll have to use someone else's PC to get them.
Hackers have already jumped on the earlier good news about Conficker detectors for networked PCs, and have poisoned search engine results to point to malware rather than the detection tools themselves.
Trend Micro has a post about the issue, pointing to several search engine results for Nmap, one of the tools I highlighted earlier (and free, open source) which are poisoned.
The key: go directly to the domain of the sites, such as Qualys, Nmap, or any other tool you are looking for.
At the same time, F-Secure has a post on poisoned removal tools.
It makes sense that hackers would take these steps; stories like the 60 Minutes report on Sunday have some in a frenzy. If you are looking for a removal tool, go directly to a reputable vendor's site. Many of them have released free tools for consumers to use, even if you haven’t purchased their own software.
Trend Micro (look for the Sysclean package at the bottom of their page)
There is also the Conficker Working Group’s list of tools, but that site seems inundated right now.
To be honest, many of these sites are quite busy right now, and if your PC is compromised, you may not be able to reach a site, because Conficker blocks access to a number of security-related websites.
You may have to use the IP address of the website, or use a different PC to download a tool.
Oh, and of course, patch the hole that Microsoft patched last October!
All you have to do is use Windows Update, or use the individually downloaded patches from the bulletin page that Microsoft has created.
Both the Department of Homeland Security (DHS) and the non-profit Honeynet Project have developed methods for determining which PCs on a network are infected by Conficker, which makes the work of scanning a system of networked PCs a lot quicker and easier.
The DHS announced that the department's United States Computer Emergency Readiness Team (US-CERT) created the tool, which has been available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs). It plans to expand distribution to more partners in the coming days.
Except, DHS, that you only have until April 1st before Conficker tries to "phone home" for more instructions.
Meanwhile, while DHS didn't go into details on how they detect Conficker, Dan Kaminsky, who worked with the Honeynet Project in their research, said the following about its detection methodology (or rather, the flaw in Conficker that allows them to find it):
What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you.
As most malware does, once it infects a PC, the Conficker worm closes the security hole in Windows that it used to get onto the system so no other malware can get in. While this makes it difficult to detect which computers have the official Microsoft patch and which have the fake Conficker patch, Conficker's patch exhibits differences, and that's what the researchers exploit.
Some security software has already incorporated the Honeynet Project's research, including the free and open source Nmap, Qualys, and Tenable.
One question though: if a new version is downloaded to already infected systems that aren't scanned and detected by these measures, will it fix the flaw in the code, thus enabling Conficker to "hide" more effectively? Ouch.
60 Minutes is a great show, for the most part (and let's not forget it has Andy Rooney!), but a report Sunday night on the Conficker worm titled "The Internet is Infected" is probably the definition of hyperbole.
The report, a full transcript of which is here, along with the video embedded below, was designed to alarm, and I'm sure it did. The title alone is alarming, but what the report fails to mention is the following:
Conficker only affects Windows PCs
It exploits a vulnerability in Windows that Microsoft patched in October (in an emergency patch, no less). If you have patched your PC, you are safe.
If you are running a current, up-to-date antivirus (AV) software, you will be safe, for the most part.
If you aren't running an antivirus application, or are running one that's expired, there are standalone programs by reputable vendors such as McAfee that will remove Conficker.
Conficker.B was detected in February and added the ability to spread through network shares and via removable storage devices, like USB flash drives.
Conficker.C, which surfaced earlier this month, is set to receive instructions, download an updated copy of itself, or other malware on April 1st; security vendors aren't sure just what.
I have to admit, there was useful information for those (like my mother-in-law) who simply don't understand the threats that are out there and the need for effective antivirus software (at least for Windows PCs, more on that later).
In fact, Lesley Stahl spoke to Steve Trilling, a Symantec vice president. He said (and it's true) that too few people have up-to-date security software:
"As soon as you clicked on that link and you had security software, you would immediately get an alert. 'This is a bad Web site.' And it would have blocked the attack. You would have never been hit. Putting on that software, you’re preventing yourself from becoming a victim."
On the other hand, the report later told the story of Mary Rappaport, who apparently had AV software and a firewall, and yet had her system compromised to the point that they were able to get into her bank account, even after she changed the password.
A key logger perhaps? If so, how was she infected with up-to-date AV software?
Well, that's the problem with AV software and why I earlier said "for the most part" in terms of AV protection: it relies on virus signatures, and if something new comes on the scene, it may not be able to detect it. That's why you want an AV program with strong heuristics to detect previously unseen malware. The downside: a potential for false positives.
Some people (like me) run multiple layers of protection, including anti-trojan software in addition to antivirus software.
As I previously said, this is a Windows only problem, and many Mac users tend to crow about it. The reason the Mac is, heretofore, invulnerable is that there are simply many more Windows users than Mac users. When trying to target a group of people, you go after the biggest group.
But with the recent upsurge in Mac adoption, that may be changing. Mac users need to be a little less cocky than they currently are. While Macs aren't currently a large target of hackers, they are not inherently safe: witness the fact that a researcher hacked into a Mac in 10 seconds during a contest at a recent convention.