
Don't be an April fool


Johannesburg, 01 Apr 2009

Malware that infected millions of machines last year, known as Downadup or the Conficker worm, is expected to run an update today that could prevent essential computing tasks.

Security experts are calling Conficker one of the most advanced pieces of malware in existence. Security pre-sales consultant at Symantec Grant Brown says: “It is a true advanced blended threat that requires protection on multiple layers.”

According to Brown, the Conficker worm is expected to start taking steps to protect itself today. “Machines infected with the 'C' variant of the worm may not be able to get security updates or patches from Microsoft and from many other vendors. The creators of the worm will also start using a communications system that is more difficult for security researchers to interrupt.”

By January, nine million machines had been affected by the malware, although researchers and security specialists say that figure is now down to between one million and two million.

The Conficker worm was designed to exploit a Microsoft Windows vulnerability, which Brown says was patched by the software company in October with MS08-067. He also says there is no need to panic. “We don't expect anything drastic to happen to the computing world on 1 April 2009.”

Indeed, Australia has already passed into 1 April and, according to reports from the country, the much-anticipated payload has not turned into the next millennium-bug scare.

What to do

However, Symantec suggests consumers and businesses alike take steps to avoid becoming victims of the updated worm. Brown says users must apply the patch released by Microsoft immediately and make sure anti-virus definitions are up to date.

“Symantec also recommends that users ensure their network passwords are strong to prevent this worm from spreading via weak administrator passwords,” he adds.

He notes there is reason to believe the Conficker worm was initially propagated through free online virus scans that run as Web pop-ups and Symantec advises users not to use them.

Brown says multiple layers of protection are advisable and users should make use of all the security options available to them. This should include regularly updated anti-virus, firewalls, intrusion detection and intrusion prevention systems on client systems.

Businesses have a far larger task than the regular consumer. Brown explains that IT departments should consider implementing network compliance solutions that keep infected mobile users off the network and disinfect their machines before they are allowed to rejoin it.

They should also set up password policies that force users to choose strong passwords, and configure mail servers to block or remove e-mail carrying the file attachments commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF and .SCR files.

SA targeted

What sets Conficker apart from other malware is that it contains the ability to update itself or receive additional files for execution. This has apparently happened three times already, with the fourth expected tonight.

Conficker generates a list of 250 new domains to contact every day, and the new variant generates over 50 000 domains a day. Any one of these domains could contain an update that, if downloaded, would allow the threat to perform further malicious actions.
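A worm that queries hundreds or thousands of freshly generated domains a day leaves a distinctive trace in DNS resolver logs: one client producing many distinct names, most of which do not resolve. The following detection sketch, added here as an illustration and not part of the original article or of any Symantec tooling, flags such clients from constructed log lines; the log format, the domain names and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not a real capture):
# "<timestamp> <client-ip> <queried-name> <rcode>"
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.microsoft.com NOERROR
2009-04-01T00:00:02 10.0.0.5 update.symantec.com NOERROR
2009-04-01T00:00:03 10.0.0.9 qwzpahrtk.biz NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 xkcpfwlqoe.info NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 mzrvtgkh.org NXDOMAIN
2009-04-01T00:00:06 10.0.0.9 dlqwpzxv.net NXDOMAIN
2009-04-01T00:00:07 10.0.0.9 www.microsoft.com NOERROR
2009-04-01T00:00:08 10.0.0.9 hqzvlwtkc.cc NXDOMAIN
2009-04-01T00:00:09 10.0.0.9 bpxwqrtd.ws NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (client, name, rcode) for each well-formed line; skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, name, rcode = m.groups()
            yield client, name.lower().rstrip("."), rcode


def flag_dga_clients(text, min_nx=5, min_ratio=0.6):
    """Return {client: stats} for clients whose lookup pattern looks like
    a domain-generation loop: many distinct unresolvable names and a high
    NXDOMAIN share. The thresholds are illustrative, not tuned values."""
    per = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for client, name, rcode in parse_log(text):
        s = per[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(name)
    flagged = {}
    for client, s in per.items():
        ratio = s["nx"] / s["total"]
        if len(s["nx_names"]) >= min_nx and ratio >= min_ratio:
            flagged[client] = {"distinct_nx": len(s["nx_names"]),
                               "nx_ratio": round(ratio, 2)}
    return flagged
```

In the sample, 10.0.0.9 is flagged (six distinct NXDOMAIN names out of seven queries) while 10.0.0.5 is not; on real data the thresholds would need tuning against the site's normal NXDOMAIN rate.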

No one knows what the malware authors will do with the next update. “Not only that, but the threat contained its own peer-to-peer updating mechanism, allowing one infected computer to update another.”

SA has been one of the countries with a high infection rate, although Brown does not have specific figures. “SA ranks high on the malicious activity lists and this is primarily due to our growing broadband infrastructure. In terms of detection rates for the Conficker/Downadup worm, SA and Egypt currently lead in Africa.”
