Showing posts with label anti virus protection. Show all posts

Monday, March 30, 2009

Not all April Fool Jokes are Funny: Conficker Malware Threat

As the April Fool’s Day worm starts its countdown, security vendors are advising users that if they’ve implemented basic security on their home computer or network, they’ll be fine.

Others, however, face risk from a worm that’s spread rapidly and without a clear indication of its purpose, they told InternetNews.com.

"It’s important for users to apply the known, basic, common-sense steps to protect themselves, even in light of increasing and increasingly sophisticated attacks," said Jenko Hwong, director of security products for security appliance vendor Mirapoint. "Conficker.C and April 1st won’t bring Armageddon."

For most users, that involves using up-to-date software and security tools.

"If you have a legal copy of Microsoft Windows, you have invested ... in antivirus software, or you pay your service provider for secured Internet access -- most likely you are safe," said Ron Meyran, product manager for security for application delivery and network security vendor Radware. "The same applies for enterprise networks: Your corporate policy should cover such cases."

Nevertheless, the worm has still managed to spread widely. David Perry, global director of education at antivirus firm Trend Micro, told InternetNews.com several months ago that he believes about 10 million PCs have been hit.

Many of the infected PCs are inadequately defended. "If you run an illegal copy of Windows, your antivirus (if any) is a freeware, you are a DSL or cable subscriber and you never disconnect -- then you are the ideal target for self propagating viruses such as Conficker," Radware’s Meyran said.

"And it will not be the first time your computer is recruited into a botnet," he said. "In fact, there is a good chance that you already host malware of more than one botnet."

Owners of many infected PCs won’t know they’re infected until April 1, added Trend Micro’s Perry. "It’s hard to spot Conficker’s work."

Experts don’t know what the worm will do on April 1, but they have some educated guesses. Tal Golan, founder and CTO of antispam appliance vendor Sendio, said that the worm will likely send out e-mail containing spam or malware, but that the e-mail will be a "smoke screen masking the real targets of the worm or virus."

All of the experts that InternetNews.com contacted agreed that Conficker’s spread shows that many organizations are not up to date on their patches: The worm exploits a well-known vulnerability, published by Microsoft on Oct. 23, 2008. Anyone who applied the necessary patches since then is safe.

Security experts urged users who suspect they’re infected to scan their PCs. Trend Micro’s Perry recommended using security software based in the cloud, such as his company’s Trend Micro Smart Protection Network for enterprise users. The company also offers a Web-based scanning service called House Call for home users.

Radware’s Meyran said that one sign you’re infected could be if some Windows system services have been disabled on your PC.

The worm might be visible to any user: "It connects to a remote server in order to receive further instructions such as gathering personal information and downloading additional malware to the victim’s computer. It also disables a number of system services such as Windows Automatic Update, Windows Security Center and Windows Defender -- all to prevent disinfection."

Author: Alex Goldman
Source: InternetNews.com.

Updates 03-31-09:

Note that Microsoft fixed the vulnerability in October 2008, but if your computer doesn't get automatic updates from Microsoft and you have not installed them manually for a while, your computer could be affected.

Try to install all the Microsoft updates first. If you find that you cannot install them automatically, your computer might already be affected by the worm, which is preventing you from healing your PC. If so, you will need to apply the medicine manually. Visit Microsoft's explanation page at http://technet.microsoft.com/en-us/security/dd452420.aspx and download the Microsoft® Windows® Malicious Software Removal Tool (KB890830) to your hard drive. Run it and perform the Quick scan first. If at first glance your PC looks clean, confirm it by running a full scan. Depending on how large your HDD is, this scan might take from an hour to several hours, so be patient.
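The sign of infection mentioned above (Windows Automatic Update, Windows Security Center or Windows Defender being disabled) and the failed automatic updates described in this update can be checked directly from PowerShell. This is an added example, not part of the original article; the short service names `wuauserv`, `wscsvc` and `WinDefend` are assumed mappings for the display names quoted in the article, and the function and variable names are hypothetical.

```powershell
# Added example. Short service names are assumed mappings for the display
# names quoted in the article, which does not give them itself.
$Watched = [ordered]@{
    wuauserv  = 'Windows Automatic Update'
    wscsvc    = 'Windows Security Center'
    WinDefend = 'Windows Defender'
}

function Get-ProtectionServiceStatus {
    param([System.Collections.IDictionary]$Services = $Watched)

    foreach ($name in $Services.Keys) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
        $svc = Get-CimInstance -ClassName Win32_Service `
                   -Filter "Name='$name'" -ErrorAction SilentlyContinue

        # Classify: only an explicit 'Disabled' start mode matches the sign the
        # article describes. A missing service is reported but not flagged,
        # because not every Windows edition ships all three.
        $finding = if (-not $svc) {
            'NotInstalled'
        } elseif ($svc.StartMode -eq 'Disabled') {
            'Disabled'
        } elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            # Delayed-start services can show this briefly after boot.
            'AutoButStopped'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Name      = $name
            Display   = $Services[$name]
            StartMode = if ($svc) { $svc.StartMode } else { '-' }
            State     = if ($svc) { $svc.State } else { '-' }
            Finding   = $finding
        }
    }
}

$report = @(Get-ProtectionServiceStatus)
$report | Format-Table -AutoSize

$flagged = @($report | Where-Object { $_.Finding -in 'Disabled', 'AutoButStopped' })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} protection service(s) need a look: {1}" -f `
        $flagged.Count, ($flagged.Name -join ', '))
}
```

A flagged service is only one sign, as the article says; an administrator or another product may have disabled it on purpose, so follow up with the scan described above.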

Wednesday, November 5, 2008

Free Avast Anti Virus

We have a guest blogger today! It is Rudy, my virtual friend from YouSayToo Community. He will present the article on the very useful free antivirus program - Avast!

After having a little problem with AVG 8 free edition, I thought it was a good chance for me to try a new free antivirus from ALWIL Software based in Prague, Czech Republic. As a matter of fact, I was very happy with AVG 8 until it displayed a warning box telling me that "avgscanx.exe" had a problem during full scan. The scanning itself was stopped or interrupted and not completed. I could not find why this happened whenever a full scan was executed.

The brand new replacement was Avast Antivirus 4 Home Edition which is free for non-commercial and home use only. The package already includes anti-spyware protection and anti-rootkit detection as explained on its home website at http://www.avast.com/. But you have to register and get a licence key in order to use it for a one-year period. After one year, it will expire and you have to re-register again.

The product has On-Access Scanner with 7 "providers" as follows:

  1. Instant Messaging: "While chat itself would not impose any serious security risks in terms of viruses, today’s IM applications are far from being just chatting tools: most of them support more or less sophisticated file sharing methods - which may quite easily lead to virus infections, if not properly monitored."
  2. Internet Mail: It is supposed to scan all incoming and outgoing e-mail when I use Outlook Express as explained on their website, i.e.: "it is a generic scanner working on the SMTP/POP3/IMAP4/NNTP protocol level. It is capable of protecting any existing e-mail client that uses these protocols". But it seems that I cannot get my Outlook Express working well. You can see from Comodo Firewall Active Connection List depicted below that there are 4 open ports for this feature, i.e.: 12025 (SMTP), 12110 (POP3), 12119 and 12143. I use Gmail and Yahoo Mail which use SSL with port 465 (SMTP) and 995 (POP3) to connect to their servers. I try to use 12025 and 12110 for connection between Outlook Express and Avast but it fails. So that is the end. I cannot find alternatives. Maybe someone on the net can tell me :-)
  3. Network Shield: "This module provides protection against known Internet worms/attacks. It analyses all network traffic and scans it for malicious contents. It can be viewed as a lightweight firewall (or more precisely, an IDS - Intrusion Detection System)."
  4. P2P Shield: "The P2P protection module doesn’t need much explanation - on today’s P2P networks (such as Kazaa) there are thousands of infected files, and an effective protection is a must."
  5. Standard Shield: "File system protection ensures that no virus will be started on the computer. It offers a wide range of settings, such as the possibility to specify that files will be scanned during copying, or that the scanning will include files with given set of extensions only."
  6. Web Shield: "Web Shield is a unique feature of avast! that enables it to monitor and filter all HTTP traffic coming from the Web sites on the Internet. Since an increasing number of viruses (and other malware, such as adware, spyware and dialers) are being distributed via the World Wide Web, the need for an effective countermeasures has also increased. The Web Shield acts as a transparent HTTP proxy and is compatible with all major web browsers, including Microsoft Internet Explorer, FireFox, Mozilla and Opera." It is good to have this feature but if you set its sensitivity to "high", the performance of the web browser will be low. It shows the pages slowly. Therefore I set it to "normal" in order to show web pages faster. All HTTP connections at port 80 are intercepted and scanned by Avast. I still set the proxy setting in Firefox to "No Proxy" and the interception still works.
  7. (Microsoft) Outlook / Exchange: I turn it off. It only works for Microsoft Outlook (not Outlook Express) and Microsoft Exchange only.

Conclusion: I like all the features available in Avast with some setting adjustment but unfortunately its e-mail scanner cannot work with SSL for Gmail or Yahoo Mail. Therefore I rely completely on Gmail and Yahoo virus scanner to do that (if only the Gmail or Yahoo virus scanner is also active for their POP mail?). Because Avast e-mail scanner is useless for me, I would turn it off later.

That’s it for now. Please let me know your comments or suggestion to share with us... Thanks!

The article was originally published on Rudy’s blog Dummy Review.

