Six long years ago, the SQL Slammer worm began its inglorious travels across the Internet, infecting machines whose owners had neglected to install a patch that had been issued by Microsoft six months earlier. Since that time, Microsoft has dramatically overhauled the way it integrates security into its products and provides security updates to customers. But it's amazing how history repeats itself. This week, on Wednesday, April 1, another computer worm, this one targeting numerous modern Windows versions, will trigger an attack of some sort on the world, ushering in what I'm sure will be a new generation of security changes around the industry.
The worm, dubbed Conficker (a German melding of "configure" and an obscene phrase), has security experts looking about as confused and useless as so-called economic experts in the face of the current financial crisis. It's really a series of worms, all variants of the same code base, which have been released over time. Estimates place the number of PCs and servers compromised so far at about 10 million machines in over 150 different countries (with 3 million in China alone). The worm is scheduled to do ... something ... on April 1.
Here's the thing: As with SQL Slammer, Conficker exploits a vulnerability that has already been patched by Microsoft. In fact, it was patched last October as part of Microsoft Security Bulletin MS08-067 (see URL below). But according to security experts, up to 30 percent of all Windows machines worldwide are still not protected against this vulnerability. (It was around 50 percent at the end of 2008.) And as with SQL Slammer, Conficker's origins lie in previously-created proof-of-concept code, in this case an open-source penetration-testing tool.
Conficker is serious stuff, especially the latest "C" variant. It infects unpatched computers, spreads via network shares and removable storage as well as its own peer-to-peer functionality, then shuts down the computer's ability to download and install legitimate security patches. But the scariest part is that Conficker C is going to trigger, well, something -- on April 1.
On that date, 500 of an estimated 50,000 domains will be contacted by infected machines and given some kind of instruction. It could be an updated version of the worm, other malware, or something else entirely. No one is sure. One thing all security researchers agree on is that Conficker is sophisticated. This isn't some weekend-hacker-kiddie project. Instead, its authors have utilized encryption keys and other advanced techniques that have continually baffled those trying to uncover its secrets.
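One defender-side consequence of the domain behaviour described above: a host that queries a subset of a large pool of generated domain names each day will produce an unusual run of lookups for distinct, never-registered names (NXDOMAIN answers). The script below, an added example that is not from the article or from any vendor tool, scores clients in resolver logs on that signal; the log format and the sample lines are constructed for illustration.

```python
"""Flag clients whose DNS lookups look like generated-domain polling.

Assumption (not from the article): most names in a generated pool are never
registered, so an infected host shows many distinct failed lookups per day.
"""
from collections import defaultdict

# Constructed resolver log lines: "<time> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
08:00:01 10.0.0.5 www.example.com NOERROR
08:00:02 10.0.0.5 mail.example.com NOERROR
08:00:03 10.0.0.7 qzxkm.ws NXDOMAIN
08:00:03 10.0.0.7 fhtrpw.cc NXDOMAIN
08:00:04 10.0.0.7 ymvlk.info NXDOMAIN
08:00:04 10.0.0.7 dpqaz.biz NXDOMAIN
08:00:05 10.0.0.7 rhtkpa.net NXDOMAIN
08:00:05 10.0.0.7 update.example.org NOERROR
08:00:06 10.0.0.9 typo.exampl.com NXDOMAIN
"""


def parse_log(text):
    """Yield (client, name, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _time, client, name, rcode = parts
        yield client, name.lower(), rcode.upper()


def score_clients(records):
    """Return {client: (distinct_failed_names, failed_lookup_ratio)}."""
    failed = defaultdict(set)   # client -> set of names that returned NXDOMAIN
    total = defaultdict(int)    # client -> number of lookups seen
    for client, name, rcode in records:
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].add(name)
    return {c: (len(failed[c]), len(failed[c]) / total[c]) for c in total}


def suspicious_clients(text, min_names=5, min_ratio=0.5):
    """Clients with many distinct failed names and a high failure ratio.

    A single typo (10.0.0.9) fails the min_names test; a browsing host
    (10.0.0.5) has no failures; only the generated-domain poller is returned.
    """
    scores = score_clients(parse_log(text))
    return sorted(c for c, (n, r) in scores.items()
                  if n >= min_names and r >= min_ratio)
```

Thresholds are placeholders; tune them against a baseline of your own resolver's normal NXDOMAIN rate before acting on the output.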
On the good news front, it's looking less and less like Conficker is going to trigger a massive Denial of Service (DoS) attack on April 1, as was previously feared. In fact, many security watchers now expect the day to pass as quietly as did January 1, 2000, when the world's computers were supposedly going to rise up and battle the humans for supremacy of the earth. (Or something to that effect. I have trouble remembering what all the hubbub was about.)
Part of the positive vibe here is that security researchers have discovered what they believe to be a small flaw in the most recent Conficker version, a rarity given the high quality of the code. This flaw will help administrators recognize Conficker-exploited PCs, something that wasn't previously possible. (Before, PCs afflicted with Conficker appeared to be properly patched.)
And Microsoft has issued a $250,000 bounty to anyone who can provide information that leads to the capture of the person or people responsible for Conficker. So far, there aren't many clues, but law enforcement agencies have suggested Ukraine as a possible origin. One thing is clear: whoever is responsible for this worm is a criminal mastermind worthy of a James Bond thriller.
The obvious question, of course, is what you should do. Security experts from Microsoft and the major security firms say that the smartest thing you can do is stay up to date with your security updates. The company's Malicious Software Removal Tool can help remove Conficker, as can the Windows Live OneCare Safety Scanner, a free online service. For more information, visit Microsoft’s website and check out Security Bulletin MS08-067.
"This week, on Wednesday, April 1, ... will trigger an attack of some sort on the world" - shame on you Paul for propagating this media panic fiction. The fact is that on April 1st (that's already today in Australia) Conficker will just look to twice the number of domains each day for updates & instructions. It was already seeking out 250 domains per day before today. There's no evidence whatsoever that malicious activity is more likely to happen today than any other day. I suggest readers have a look at http://www.f-secure.com/weblog/archives/00001636.html for a superb Q&A on the matter and http://lastwatchdog.com/evolution-conficker-globe-spanning-worm/ for a timeline of events regarding this worm.
duncan_priest March 31, 2009
Good information. To the point and simple to understand.
jimmylandrum April 01, 2009
Why does everybody keep on talking about "computer viruses"? When the only kind of computers that are ever affected in a harmful way are computers running Microsoft Windows.
No one would think of blaming all cars and all car manufacturers for the faults of a single manufacturer, or a single model.
Keeping the public unaware of the simple fact that Windows abstinence is currently the only practical way to stay safe is unethical and almost borderline criminal.
PeyloW April 01, 2009
C'mon Paul. You should be above sensationalism. Don't add to the mass panic and misinformation.
Freeders April 01, 2009
Mr PeyloW, if you truly believe that only Windows computers are the ones to get a virus or worm you are ignoring history. Linux, Macs and other UNIX variants have all been at the mercy of worms and viruses in the past. I will agree that Windows computers get most of the attacks but that is because it is the biggest target. If the Mac was biggest it would get the most attacks. The volume of attacks is all based on market share. The crooks will attack who will give the greatest return on effort spent.
rlgreenejr April 01, 2009
Mr PeyloW, they say ignorance is bliss; well, I'll bet you're very happy in your belief that your system is safe. If you ever do feel like spoiling your mood however, just do a search for security vulnerability on the software of your choice...
duncan_priest April 01, 2009