Friday, March 27, 2009

Conficker Information for the Home Computer User

This message about Conficker is not for people in the security industry. It is directed to the home computer user.

Is the Internet coming to the end on April 1? Will your computer crash and burn if you are online on that day?

The answer to both questions is NO.

Has there been a lot of hype about Conficker and April 1? Yes, there has and it will likely continue. Earlier this week I added to the Conficker hype in Time is of the essence. Why am I concerned about the health of your computer? Consider the known capabilities of the current Conficker variants, as described at Security Focus,
". . . the worm program blocks security software, distributes code by creating a peer-to-peer network, and attempts to prevent anyone but the authors from updating its code by authenticating updates using a hash algorithm — known as MD6 — that is only a few months old. The collection of those capabilities worried the researchers."
With that in mind, there is reason to worry if you or your friends have file sharing turned on, use P2P (Peer to Peer) programs, or share information via USB (thumb) drives.

Let's start with file sharing

If you have file-sharing turned on and become infected, the Conficker worm could allow remote code execution. In other words, the worm would take control of your computer. Microsoft KB Article 307874 includes instructions for turning off file sharing. Also available is a Microsoft Fix it to make the change for you.

Disable Autorun

USB/thumb drives use autorun to load files when the drives are plugged into the USB port. To prevent malware from spreading to your computer, disable autorun. The How-to Geek has simple instructions for disabling autorun on both Windows XP and Windows Vista.
Also, from Microsoft: How to disable the Autorun functionality in Windows

Another reason to be concerned is the state of your security protection.

Check Security Updates

Although it is recommended that all security updates be installed on your computer, at a minimum, ensure that "Security Update for Microsoft Windows (KB95688)" is installed:
  • Windows XP: Start > Windows Update > Other options > View installation history
  • Windows Vista: Programs > Programs and Features > Installed Updates
In the event you cannot find that update installed on the computer, go to Security Bulletin MS08-067 and click the link for your operating system to be redirected to the download location.


Surprisingly, there are still too many people on the internet without a software firewall. If this is true for your computer, at a minimum, activate the Windows Firewall. For help with this, go to How can I turn on or turn off the firewall in Windows XP Service Pack 2 or later versions?
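The four checks above (security update, autorun, firewall, file sharing) can be done from one place instead of clicking through four dialogs. The script below is an added example, not something from the original post or from Microsoft; it is read-only and only reports what it finds. It assumes Windows XP SP2 or Vista with PowerShell installed, run from an Administrator prompt. KB958644 is the update ID Microsoft assigned to bulletin MS08-067; the other registry locations are the ones Microsoft documents for the Autorun policy and for the Windows Firewall standard profile. The last check looks at the Server service, which is what provides file and printer sharing, as a stand-in for "file sharing turned on".

```powershell
# Added example (not from the post): read-only check of the items covered above.
# Assumes XP SP2 / Vista, PowerShell installed, run as Administrator. Changes nothing.

$HotfixId = 'KB958644'   # Microsoft's update ID for security bulletin MS08-067

# 1. Security update: ask WMI for the list of installed hotfixes
$hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
          Where-Object { $_.HotFixID -eq $HotfixId }
if ($hotfix) {
    "[OK]   $HotfixId (MS08-067) is installed"
} else {
    "[WARN] $HotfixId (MS08-067) not found - get it from the MS08-067 bulletin page"
}

# 2. Autorun: Microsoft's policy value; 0xFF disables Autorun for every drive type
$autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = Get-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($autorun -and ($autorun.NoDriveTypeAutoRun -eq 0xFF)) {
    "[OK]   Autorun is disabled for all drive types"
} else {
    "[WARN] Autorun is not fully disabled (NoDriveTypeAutoRun = $($autorun.NoDriveTypeAutoRun))"
}

# 3. Windows Firewall: standard profile (a domain-joined PC uses DomainProfile instead)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name EnableFirewall -ErrorAction SilentlyContinue
if ($fw -and ($fw.EnableFirewall -eq 1)) {
    "[OK]   Windows Firewall is on"
} else {
    "[WARN] Windows Firewall is off - turn it on unless another software firewall is active"
}

# 4. File sharing: the Server (LanmanServer) service is what offers shares over the network
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if ($srv -and ($srv.Status -eq 'Running')) {
    "[INFO] File and printer sharing (Server service) is running - disable it if you do not share files"
} else {
    "[OK]   Server service is not running; this PC is not sharing files"
}
```

Each line that starts with [WARN] or [INFO] points back to the matching section above. A PC that is not on a home network can safely show [OK] on the last line; a PC that shares a printer will show [INFO], which is fine as long as the update and firewall lines say [OK].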

Antivirus Software

Both Avast! and Avira AntiVir are free for personal use. If you do not have antivirus software, install one now.

Pay It Forward

Conficker has affected the operation of hospitals, military, large corporate systems, and even the House of Commons. (There is a long list of articles below from The Register if you are interested in the extent of the impact of the various variants of this worm.) New readers of Security Garden may not be familiar with "Pay It Forward":
"3 people helped each day, ‘paid forward’ by each person helps 4.7M people in two weeks."
If each Security Garden reader checks with one or two of their friends and they in turn check with their friends, to make sure the computer(s) in their home have file sharing disabled, are updated, have a firewall and up to date antivirus software, worms like Conficker will have less of a chance of spreading.

Whether it is the best or worst case scenario as depicted at Security Focus, don't let your friends be part of this:

"In the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi and Vinod Yegneswaran, all of SRI International. "In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt, not just countries, but the Internet itself."

Help from Microsoft:

For the curious who are interested in additional reading on the history of Conficker, the articles from The Register paint quite a picture from November through March:

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Phill said...

Wow. Thanks Corrine. You helped me before on the freedomlist board, so I've been following your blog and taking your advice.

It hasn't been a good few months for security (At least not for me), hopefully this will help, and I'm planning to send it to my friends as well.

Have you heard anything about scanner . avbest . info? (without spaces) Apparently a lot of people (myself included) got their browsers hijacked and forced to download something from it yesterday. I unplugged my computer from the net when it wouldn't go away, and the antivirus didn't find anything, but I am scanning with MBAM today to see if anything was compromised.

Thanks again,

Corrine said...

Hi, Phill. You are welcome.

There isn't much (in English) showing up on a search for avbest. If you are having security issues with your computer after the MBAM scan, why not create a new topic at FL and post a HJT log. Include the results from the MBAM scan.

Phill said...

Nothing came up with the MBAM scan, so I guess I stopped it from downloading anything. Thank you for offering to help again! :)

Ashish said...

Well all I'm gonna say is thanx for not only the entire info provided (with sufficient details)
but more importantly for how to deal in case any security lapses were pre-existent.
Your efforts are really commendable.
Just minutes before now I removed an infection from my system with someone else's help just like yours. The only difference being, "Prevention is better than cure."
Hope you got the point.
Anyways thanks so much. May I request you to keep up the good work.

coffee fiend said...

ironically, even if someone used Conficker to steal my credit card info, there wouldn't be any credit there for them to exploit or spend

dave beall said...

This is all real nice, but exactly where is this file located in the XP system? And maybe even the file names that are suspect.. just asking, so I can go in and get them out. Let's make this easy.

alarm system said...

Very useful and interesting information.