Conficker – No Big Outbreak, But Threat Remains

April 1 has come without major trouble from the worm, but users should remain vigilant, apply the existing defences – and beware fake patches

Midnight on 1 April passed without the major incidents that some commentators feared, but a large number of infected machines remain, which could be brewing trouble in the future, according to reports.

confickersquare.jpg

The Conficker.c version of the worm was programmed to send a request to its controllers for an update today, but no one knows what that update will do – or even if it exists. The botnet has infected around ten million machines, even though there are strong methods available to clean it off infected systems, and prevent it getting a hold on fresh ones.

The major security vendors have all made detection and removal tools available, and recent research has improved detection even further. There is also no shortage of advice on how to mitigate and remove the worm should your organization’s PCs be infected. This paper from McAfee (PDF), for example, discusses how to manually detect and fight the worm.

It should also be remembered that the Microsoft vulnerability Conficker exploits has been legitimately patched, and while the worm also spreads via network shares by logging on to machines with weak passwords, following security best practices in regards to password strength mitigates the threat. The worm also spreads through removable media, but again, sound security policy such as disabling AutoRun can address that as well.

With all this in mind, however, users should be wary of scammers abusing search engine results to lure victims to sites with supposed Conficker removal tools.

“If you need malware removal tools, type the URL of your vendor of choice directly into the browser bar and use links on their Website,” blogged Rik Ferguson, solutions architect for Trend Micro. “Do not rely on Google search results at this time, as they may have been ‘optimised’ [by attackers].”
Despite all the measures taken against it, the worm has infected millions of PCs, although those infections are not distributed evenly around the globe.

According to IBM Internet Security Systems’ X-Force team, the largest percentage of Conficker-infected PCs—about 44.6 percent—is located in Asia. The next highest is in Europe, which plays host to 31 percent of Conficker-infected PCs. Roughly 6 percent are located in North America.
“[Conficker] really challenges the comprehensive network management practices of an organisation,” said Tom Cross, manager of X-Force research.

“Extremely well-managed networks have not been affected, but if your IT security is deficient in any one of several different domains—inventory management, windows update, intrusion prevention, anti-virus, managed file sharing, strong password policies—you are likely to have problems with Conficker. ”

Cross added, “We are seeing a large number of infections in regions that have seen significant new infrastructure development in the past few years but may not have IT management practices which are as mature, across the board, as they are in the West.”

Despite the apparent calm today, users should remain vigilant: “It may update itself on this date or later but … it will happen in the near term because time is the author’s enemy,” said Alfred Huger, vice president of development for Symantec Security Response. “The longer the threat is resident the more likely it will be removed. In this instance the author is highly [motivated] to move quickly. The near term though could be any time in the next month or two.”