A Conficker Worm Primer
What is it? The Conficker worm (aka Downadup) is a Windows worm that can infect your computer, automatically spreading to other computers across a network. To date, the worm has spread to as many as 10 million machines around the world. The worm has an automated update capability and, once it’s installed on a system, it disables anti-virus and Windows updates and attempts to spread to other PCs.
How does it work? The worm spreads in three major ways. The first is through a specific Microsoft vulnerability (dubbed MS08-067): it scans for hosts listening on TCP port 445 and attacks them once it finds such a host. It can also spread over USB devices using the AutoRun feature, and by guessing account names and passwords to open file shares.
Should you be worried? If your computer is up-to-date with the latest security updates and antivirus software, you likely don’t have the Conficker worm. In February, Microsoft (MSFT) announced a collaborative effort—called the Conficker Working Group—between Microsoft, global technology industry leaders, and academics, to implement a coordinated, global response to the threat posed by Conficker.
How can you prevent it? Installing the patch (MS08-067) and keeping your anti-virus software updated are the best prevention. Also, look at rolling out Microsoft’s new tool to disable the AutoRun feature. If you have an infestation, you may have to resort to using a custom update mechanism to roll out a Conficker removal tool, available for free from Microsoft and all major anti-virus companies, to the hosts. Once you do that, you can update AV and Windows. It’s also a good idea to screen USB devices for signs of carrying the infection.
Jose Nazario, Manager of Security Research, Arbor Networks, Chelmsford, Mass.