Thursday, January 15, 2009

3.5 Million Computers Infected by Conficker Worm

Updated 1/21/09

A worm originally designed to target a vulnerability closed by Microsoft's MS08-067 is spreading so rapidly that some security researchers are calling the spread "an epidemic."

Conficker, also known as Kido and Downadup, is spreading via network shares, removable media devices, and weak administrator passwords. Some of the newer variants are finding improved ways to hop onto networks worldwide. ZDNet is reporting that up to 3.5 million computers may be infected.

MS08-067 was released in October 2008, and there's absolutely no good reason for the patch not having been deployed three months later. At the very least, firms should have implemented one of the workarounds recommended by Microsoft if there was concern that applying the patch would cause production outages.

The root vulnerability is in Microsoft's Server service, where the service does not properly handle specially crafted RPC requests. An attacker who successfully exploits the vulnerability can take complete control of the attacked system.

McAfee reports that the latest samples they've analyzed are exploiting only English-language OS versions, due to an OS fingerprinting feature within a Metasploit exploit designed by the creators of the worm.

If you're part of the bunch who has not yet rolled out MS08-067, or if you have not yet validated that the patched systems have been rebooted to ensure the patching process has completed properly, my recommendation is that you get on it immediately.

You can also reference the bulletin for information on how to validate that your systems have either the updated file version or the registry key that indicates successful patch installation.

Most antivirus products have signatures for the known variants, but as this continues to morph and grow, there may be periods where AV protection is not available. Play it safe and install the patch.

UPDATE 1/21/09 - well, this certainly has been a virulent little rascal. Estimates now place the number of compromised machines at 8.9 million and growing. The scary part is that we haven't even seen the payload delivered yet, so we don't know what will occur when the time comes to leverage the compromised computers.

There are a couple of ways to protect yourself.
  1. Apply the MS08-067 patch ASAP.
  2. Disable autorun capabilities so an infected CD or USB drive won't attack you when it is loaded. You can Google "disable autorun" to find out how to do that on your OS - sorry, but I won't assist you in corrupting your registry in the name of security.
  3. Don't use weak or common passwords, especially for administrator accounts, and change your passwords occasionally. Passphrases remain better than passwords - it's harder to break ILikeStinkyCheese than it is nimda (admin spelled backward). Conficker has a dictionary of frequently used passwords that it runs through in a brute-force attack to guess the password. You may want to consider enabling account lockout thresholds after a certain number of unsuccessful attempts, but consider the fact that you may cause a denial of service condition on yourself if you do get attacked.
  4. If infected, download the F-Secure removal tool.
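The trade-off in item 3 (spotting dictionary guessing versus locking your own accounts) is easy to reason about with data in hand. The following is an added example, not code from the original post or from any of the vendors mentioned: it parses a few constructed, simplified logon-failure records (the line format is assumed for this example; event ID 529 is the real Windows XP/2003 "logon failure: bad user name or password" ID, logon type 3 is a network logon), flags sources that hit many distinct accounts in a short window, and then shows which accounts a given lockout threshold would lock, and who caused it.

```python
"""Spot dictionary-style password guessing and model lockout-policy side effects.

Added example for illustration. The log format below is a constructed,
simplified rendering of Windows Security "logon failure" events, not an
actual export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real captures). One event per line:
#   <date> <time> <event_id> <target_account> <source_address> <logon_type>
# Event ID 529 = logon failure (bad user name or password) on XP/2003.
# Logon type 3 = network logon, which share-based guessing produces;
# logon type 2 = interactive logon at the console.
SAMPLE_LOG = """\
2009-01-15 09:00:01 529 Administrator 10.0.0.57 3
2009-01-15 09:00:01 529 Administrator 10.0.0.57 3
2009-01-15 09:00:02 529 Administrator 10.0.0.57 3
2009-01-15 09:00:02 529 admin 10.0.0.57 3
2009-01-15 09:00:03 529 backup 10.0.0.57 3
2009-01-15 09:00:03 529 test 10.0.0.57 3
2009-01-15 09:00:04 529 guest 10.0.0.57 3
2009-01-15 09:00:04 529 jsmith 10.0.0.57 3
2009-01-15 09:01:10 529 jsmith 10.0.0.12 2
2009-01-15 09:01:25 529 jsmith 10.0.0.12 2
2009-01-15 09:30:00 529 mjones 10.0.0.99 2
"""


def parse_log(text):
    """Parse the constructed log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time_, event_id, account, source, logon_type = line.split()
        events.append({
            "time": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "source": source,
            "logon_type": int(logon_type),
        })
    return events


def guessing_sources(events, window=timedelta(minutes=1), min_accounts=5):
    """Return {source: [accounts]} for sources that failed logons against at
    least min_accounts distinct accounts inside any sliding window.

    Many different accounts from one host in seconds is the dictionary-attack
    pattern; a user mistyping a password only ever touches one account."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            by_source[e["source"]].append(e)
    flagged = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            accounts = {e["account"] for e in evs[i:]
                        if e["time"] - start["time"] <= window}
            if len(accounts) >= min_accounts:
                flagged[source] = sorted(accounts)
                break
    return flagged


def lockout_exposure(events, threshold=3, window=timedelta(minutes=30)):
    """Return {account: [sources]} for accounts that a lockout policy with the
    given threshold and observation window would lock, with the sources whose
    failures contributed.

    An account that appears here only because of a guessing source is the
    self-inflicted denial of service the post warns about: the attacker never
    needs the password to take the account offline."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            by_account[e["account"]].append(e)
    locked = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            recent = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            if len(recent) >= threshold:
                locked[account] = sorted({e["source"] for e in recent})
                break
    return locked


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("guessing sources:", guessing_sources(events))
    print("locked at threshold 3:", lockout_exposure(events, threshold=3))
    print("locked at threshold 10:", lockout_exposure(events, threshold=10))
```

On the sample data the single scanning host is the only one flagged, while a user who mistypes twice is not. With a lockout threshold of 3 the scanner alone locks Administrator, and its one guess at jsmith combines with that user's own two typos to lock jsmith too; at a threshold of 10 nothing locks. That is the whole argument for choosing the threshold with the worm's guessing rate in mind rather than picking a small number by default.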
