The "no bull" guide to Conficker
[UPDATE: I've posted a piece looking at the latest Conficker.E update.]
I usually have a pretty good idea of how widespread a particular piece of malware is by the number of incidents of infection (or reports of infection) that I come across. But when it comes to the Conficker worm (aka Downadup or Kido), I get the feeling that while there's a lot of hype surrounding this latest bit of malware, actual infections are much lower than some would want you to believe. However, over the past few days the number of enquires I'm getting in relation to Conficker has skyrocketed, so to try to answer people's questions, and calm people's fears, I've put together a quick "no bull" guide to Conficker.
Some antivirus companies love to hype malware because it's a great way to sell security products. While Conficker isn't new (it's been around since November last year), the April 1st trigger date gives security firms the opportunity to ratchet up the hype a couple of more notches (and help drive concerned users straight into the hands of cybercriminals). However, it's important to note that it's unclear right now as to what will happen come the trigger date. However, what is clear is that you will need to be infected to be at risk of anything happening at all.
It seems that more than half of all Conficker infections are confined to PCs in China, Brazil, Russia, India, and Argentina, so folks in the US and Europe have dodged the bullet ... mostly. Given the relatively low number of Conficker infections that I've come across, I'd say that the research is spot on.
If you're running a fully patched system, then you've got little to be worried about. If you're running an antivirus program, then you've got a second line of defense. If you're worried, run a scan with a detection tool (links below). Better to be safe than sorry. Conficker can spread via network shares, leveaging weak passwords, so if you can't trust the systems you're connected to, and you know you're using weak passwords, then your risk of being infected is elevated. Also, Conficker can spread via removable drives by taking advantage of Windows autoplay.
If you're running a bootleg copy of Windows that's not patched properly, or you've been neglecting to patch up (the security bulletin that's important here is MS08-067) then there's a small chance that you could be infected. If you're worried, run a system scan using one of the following tools:
- AhnLab
- ESET
- Kaspersky
- F-Secure Malware Removal Tool
- McAfee
- Microsoft Malicious Software Removal Tool
- Sophos
- Sunbelt Software
- Symantec FixDownadup.exe Notes
- TrendMicro
If you're having trouble accessing any of the above links then that could be an indicator that you're infected because Conficker (specifically Conficker.C) incorporates a domain blocker to prevent infected users from getting help (even accessing Windows Update and Microsoft Update). It's now important that you use an uninfected PC to download a Conficker removal tool onto a USB drive and clean up the infected PC. Alternatively, you can visit a site run by security firm BitDefender that is, as of the time of writing, not blocked (this site could be added to Conficker's block list at any time, so there are no guarantees that it will remain open to those who are infected).
After cleaning up the PC, apply the patch and then get on with the rest of your life.
Bottom line ... Don't panic!