Conficker Worm Update

The internet worm known as Conficker (aka Downadup) has been in the news recently because it is widespread and set to update itself on April 1, 2009. We want to provide information about Conficker, provide recommendations to help prevent or contain it, and let you know what actions Network Security is taking on our campus.

What is Conficker?

Conficker is an internet worm that attacks Microsoft Windows. A worm is malicious software that has the ability to propagate itself across a network by locating and attacking vulnerable systems. A worm does not require any action from a computer user.

Once a system is infected with Conficker, it joins a botnet -- a network of infected computers controlled remotely by criminals, who can then use the infected systems for their own purposes. Many news reports have led people to expect something catastrophic on April 1, 2009; however, the significance of that date is simply that infected hosts will start using an expanded list of download locations to get updates. Conficker has always been able to update itself through simple download as well as peer-to-peer.

In short, experts believe there is no reason to panic on April 1.

Prevention

The good news is that protecting computers from Conficker is actually quite simple. All the recommended steps are standard security recommendations for any system. The most important step is to apply Microsoft security updates via Windows Update.

Conficker attacks the Microsoft Windows Server service via port 445. The vulnerability is described in Microsoft Security Bulletin MS08-067. Microsoft released the MS08-067 patch in October 2008. The patch was marked "Critical", so machines that use typical Windows Update settings should already be patched and protected against Conficker.

If you are unsure whether you are patched, simply run Windows Update from the Start Menu.

Other important steps to take:

  • Update your antivirus database (most up-to-date software can identify Conficker). The University of Chicago has a site license for McAfee.
  • Disable autorun. This step is important if you use potentially insecure removable media, such as USB thumb drives, or if you connect to insecure network file shares. To temporarily disable autorun when plugging in a USB drive: press and hold down the Shift key until you see a message from Windows that the device is ready.
  • One variant of Conficker attempts to log in to the ADMIN$ share, so use a strong password.

System administrators can employ Group Policy to enforce these steps.

You can quickly check whether your computer is infected by using the Conficker Eye Chart, which relies on the fact that Conficker blocks access to certain web sites.

Security on University of Chicago Network

The campus Network Security Center is proactively identifying infected hosts by scanning all computers on the network, monitoring network traffic for Conficker behavior, and working with third-party services that report possible Conficker-infected systems that have been identified by other security teams.
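
One way traffic monitoring of this kind can work, shown as an added example (not the Network Security Center's own tooling): since the worm spreads by probing other systems on port 445, flag any source that contacts many distinct hosts on that port within a short window. The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "time src dst dport" (assumed format).
SAMPLE_FLOWS = """\
2009-03-30T10:00:01 10.0.5.23 10.0.5.1 445
2009-03-30T10:00:02 10.0.5.23 10.0.5.2 445
2009-03-30T10:00:03 10.0.5.23 10.0.5.3 445
2009-03-30T10:00:04 10.0.5.23 10.0.5.4 445
2009-03-30T10:00:05 10.0.5.23 10.0.5.5 445
2009-03-30T10:00:07 10.0.7.40 10.0.1.10 445
2009-03-30T10:00:20 10.0.7.40 10.0.1.11 445
2009-03-30T10:00:00 10.0.8.9 10.0.2.1 445
2009-03-30T10:03:00 10.0.8.9 10.0.2.2 445
2009-03-30T10:06:00 10.0.8.9 10.0.2.3 445
2009-03-30T10:09:00 10.0.8.9 10.0.2.4 445
2009-03-30T10:12:00 10.0.8.9 10.0.2.5 445
2009-03-30T10:00:08 10.0.5.23 192.0.2.80 80
not-a-time 10.0.9.9 10.0.9.1 445
"""

def parse_flows(text):
    """Yield (time, src, dst) for port-445 records, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "445":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def smb_fanout_sources(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak distinct port-445 peers in any window} for flagged sources."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

In practice, hosts that legitimately reach many peers on port 445, such as a vulnerability scanner, would need to be excluded before acting on the result.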

We have found and removed Conficker-infected computers on our network, but currently the scale is significantly smaller than the scale of infection seen across the Internet.

Additional Information

Last updated: 4/1/09