Conficker Virus What is it, and How to Stop It

Conficker primarily spreads through a Windows Vulnerability (MS08-067), which if unpatched allows the worm to attack the Windows file sharing service. Conficker is a type of computer virus called a computer worm. Computer worms take advantage of unpatched computer systems to automatically spread themselves.

Once a computer is infected, the infected system begins to scan the Internet, or it's local network for unpatched computers to infect. Conficker literally crawls the Internet at network speeds. Most businesses have some form of firewall to protect direct Internet access to their computers, but if a machine behind your firewall is infected, the infected machine has full access to attack other internal computers and network servers. Laptop computers, that have been infected at the user's home, are another way Conficker could infect your firewall protected network.

Conficker also infects computers through USB flash and external hard drives that have been used in an infected computer, and through network files shares in a business network.

Although Microsoft released patches quickly, up to 9.5 Million systems did not patch in time and have been infected by Conficker as of Feb 1st 2009.

Until now Conficker has been happy to just rack up the number of infected machines, but the infected machines can be centrally controlled as a Botnet. A Botnet is a group of computers under central control of the writer of the virus that has infected the machines. The person in control, called a botherder, can issue commands to the infected machines to do their bidding.

Security Professionals have documented the way Conficker communicates with new websites daily. Anti-virus firm F-Secure says that "the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files." Finding the one site that is storing attack code is almost impossible.

Infected machines in the Conficker Botnet could be used to do a number of nasty things from sending spam, to attacking computer networks, spying on infected users, or even destroying data. Since the infected machines are calling home looking for instructions we do not know how they will be used until marching orders are given.

Here is a list of things you can do to verify you do not have this bug, and help protect yourself in the future:

1. Install Microsoft Critical Updates upon their release.
If Microsoft has released a fix, virus writers will reverse engineer the fix to understand the problem Microsoft is fixing. The virus writer can then write a virus to take advantage of the problem and attack those people that do not update their systems quickly.

To protect against Conficker, specifically install Microsoft's patch (MS08-067) which is documented in MIcrosoft Knowledge Base article KB958644.

2. Make sure each computer's Anti-Virus is up to date.
If you notice your computer has not updated your virus definitions, and you can not get them to update, have someone look at that PC immediately. One of the things viruses, including Conficker, do is to block access to the download sites of the anti-virus and anti-spyware software so infected machines cannot get updates.

3. Scan your Computers with Both Anti-Virus and Anti-Spyware software.