Cleaning Conficker: Keeping Your Network Safe from Windows Worm

With infections from the Conficker worm still spreading, the good news is that there are ways to guard against it and clean your machine if you are infected.

The saga that is the Conficker worm began in earnest in November, when Microsoft reported a variant of the worm targeted a flaw in the Windows Server service the company patched in October. Since then, the worm has gone on to infect millions of machines.

The most prolific variant, identified by Microsoft as Win32/Conficker.B, spreads not only through the Windows flaw but also via network shares by logging into machines that use weak passwords. It also spreads by copying itself to removable media, an attack vector that has gained steam in the past year.

So what should users do to protect themselves? There are some answers. First is the obvious – apply the Microsoft patch and ensure your antivirus protection is up-to-date. There are also a number of workarounds for those who for whatever reason are not able to deploy the patch. For example, users can disable the Server and Computer Browsing services and block TCP ports 139 and 445 at the firewall.

In addition, all the major security vendors are able to detect Conficker and remove it.

Beyond the obvious, however, there are several things users can do. First is disabling Windows’ AutoRun functionality. AutoRun is a feature that allows code to run automatically when USB devices are connected to a computer. It has also increasingly been abused by malware authors to propagate their wares.

To disable the feature, users have to import the following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIniFileMappingAutorun.inf]
@=”@SYS:DoesNotExist”

Detailed instructions on how to turn off the AutoRun feature can be found here.

As indicated above, Conficker also spreads by copying itself to the ADMIN$ share of the target machine. According to Microsoft, it firsts tries to use the credentials of the user currently logged on, which will work well in environments where the same user account is used for different computers on the network with full administrative rights. If that fails, the worm uses a list of user accounts on the target machine and tries to connect using each user name and a list of weak passwords.

This can be solved by using strong passwords for any user account or file share on the network.

Still, all this leaves the question of what users should clean their machines if they get infected. Conficker takes the additional step of attempting to terminate any process with a name that indicates it is an antivirus program and blocks access to many security vendors’ Web sites as well as Windows update. A list of names the worm recognises is available here.

There are still tools that can be downloaded to remove the malware, however, such as Panda Security’s Active Scan site, which the company says infected machines can still get to.

If you know you are infected and are comfortable doing this, you can also manually remove the malware. Instructions on how to do that can be found here.

Meanwhile, security experts are still speculating what the end-game is for the hackers behind the worm. Some have speculated that they may plan to build a massive botnet; others aren’t so sure.

“We think this is a wide-scale distraction to hide data breaches,” said Ryan Sherstobitoff, chief corporate evangelist for Panda Security. “It does not appear in the variants of Conficker that they are building a botnet, but that wouldn’t surprise us, either. This is an attack we have not seen in some time and is certainly a warning sign for something more to come.”