Monday, March 30, 2009

Downadup, Conficker Internet Worm, or Kido: Bad News

Conficker (or Downadup, or Kido) has been in the news since at least January of this year. It's a bit of malware that's infected a huge number of computers. It's apparently going to look for instructions tomorrow, April 1. What those instructions are is anybody's guess. Whoever created this worm may not have decided yet.

I hope it's somebody's idea of a practical joke: but nobody in IT security can take a chance on assuming that.

Conficker? "Where Shall I go? What Shall I Do?"

I'm pretty sure that there are all sorts of websites with spiffy 'anti-Conficker' software. Some of their free products may not contain malware. Me? If you use an IBM clone and/or Windows, I'd check out Microsoft's "Protect yourself from the Conficker computer worm." Along with some fairly simple and easy-to-follow advice, it's got an illustrated explanation of how Conficker works.

Bottom Line: Don't Act Stupid

Microsoft's advice is about the same as what I've read for home users for over a decade:
  • Use anti-virus software
    • Keep it updated
  • Use file-sharing software (and operating system settings) prudently
I'll add a few that I've run into over the years:
  • Don't click on email attachments - unless you know they're really from the trusted person they say they are
    • No kidding - confirm before opening
  • Guys - particularly if you're a middle aged, overweight, balding guy like me:
    • That hot-to-trot total babe is not interested in you
      • Don't open her 'photo' attachment
      • Don't sign up at her website
      • Don't assume that she's human [1]
  • Two words:
    • Nigerian
    • Scam
  • Get-rich 'business opportunities' aren't
    • The rare exceptions aren't, IMO, worth the risk
Again, bottom line: don't act stupid. The world online is about the same as the 'real' world. There are lots of nice people around: but the bad guys are there, too.

And yes, I know: 'Mac is ever so much superior.' Odds are about 87 to 100 that you use Windows, though. (I do not track individual visitors - I've got time for that sort of thing?? - but I do check in on my usage logs now and again. So far this year, about 87% of visitors to my sites and blogs use some flavor of Windows, roughly 10% use Mac in one of its incarnations, and the rest use something else.)

Will PC worm turn nasty on April Fool's Day? Good Question

Conficker has been in the news for the last week. Understandably, since we're on a sort of countdown:

"Will PC worm turn nasty on April Fool's Day?"
TimesOnline (March 23, 2009)

"Conficker C is poised to do something with millions of infected PCs on April 1. But no one knows exactly what

"The Conficker C internet worm could strike at infected computers around the world on April 1, a security expert warned on Monday.

"Conficker C is a sophisticated piece of malicious computer software, or malware, that installs itself on a PC hard drive via specially written web pages. It then conceals itself on a computer.

"Graham Cluley, of the security specialist Sophos, confirmed that Conficker C is programmed 'to hunt for new instructions on April 1'. However, he added, 'This does not mean that anything is going to happen, or that the worm is actually going to do anything. Simply, it is scheduled to hunt a wider range of websites for instructions on that date.'

"One strange thing about Conficker C is that no one yet has any idea what it is programmed to do. In February, Mr Cluley told The Times: 'It's as if someone is assembling an army of computers around the world, but hasn’t yet decided where to point them.'

"A worst-case scenario for April 1 would be for all the world's millions of infected computers to receive simultaneous instructions to attack, or to flood the internet with spam e-mail. ..."

Worst-Case Scenario is Just That: Worst-Case

Two things about that last quote from TimesOnline's story:
  • Worst-case scenarios are just that:
    • The worst possible outcome
  • "Simultaneous instructions to attack" doesn't specify what's being attacked
    • There are worse things than not being able to update your blog for a day

Famous Last Words?

"Conficker PC Virus Unlikely to Attack on April Fool's" (Dave's Download) is probably right. The amount of attention Conficker's gotten may have nudged people into installing adequate anti-virus software, and keeping it updated.

On the other hand, I've learned that many fine, likable, worthy people aren't as technically competent as I am: and I'm just a former radio disk jockey, researcher, and list manager who's learned what he needed to know about computers, networks, and the Internet.

By this time, day after tomorrow, Dave LaGesse may very well be able to post a polite, nicely-worded 'I told you so.' I recommend reading the post of his I linked to, by the way: it's got good sense in it.

On the other hand, not all that long ago competent engineers were quite certain that the White Star Line's new ship was extraordinarily seaworthy. The Titanic sank, anyway.

IT People Need to Keep Up With the Times

If you're reading this, you've probably got a computer and use the Internet. "Conficker demonstrates complexity of IT security" (CNET) is something I'd recommend reading. Among other things, it reminds us that flash drives can carry malware. Device authentication and port blocking aren't something most home users need to worry about - but I could be wrong about that.

I use flash drives myself - but my protections are more a matter of keeping the drives physically secure, and making sure that I keep track of what's put on, and what's stored on, the drives.

They're Only Human - - -

"Conficker flaw reveals which computers are infected"
CNET (March 30, 2009)

"Even worm creators write buggy software.

"Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.

"However, Conficker's 'patch' has a weakness that can be used to distinguish between patched computers and infected computers that look patched, according to the nonprofit Honeynet Project. [CNET link here]

"Some of the researchers have released a proof-of-concept [CNET link here] scanner that can be used to detect Conficker. The tool is being integrated into the free nMap vulnerability scanner, as well as scanning tools from companies including Qualys, nCircle, and Tenable. The tools are designed for use by network administrators at companies and not consumer users...."

Good news. Dave's Download may be right.

[1] The woman in the 'come hither' photo may be real. There's a distinct possibility that the system you're dealing with is automated, though. It's not all that difficult to write programs to handle relatively simple conversations of the 'hi, sailor' variety.

The 'photo' itself may be digital from the get-go. At low resolutions, it's quite possible to set up a 3D simulation that looks very real.

2 comments:

coffee maker said...

It's good at least that there was advance warning for the Conficker worm; I'm sure a lot of people were spared a lot of hardship because of this.

Brian H. Gill said...

coffee maker,

Agreed. I'd much rather have (well-informed) advance warning/notice, than be kept in the dark.

One of the well-done aspects of the Conficker warnings that I saw was that many of them had specific action that users could take (and not just 'click here to get your computer infected' links).
