The worm known as Conficker.B, Downadup and Net-Worm.Win32.Kido is getting a lot of press coverage at the moment. F-Secure estimates the number of infections at nearly 10 million, which makes for great headlines.
So what's it all about?
Worm behaviors, and prevention countermeasures
- It's a network worm
Conficker.B / Downadup / Kido is one of countless thousands of network worms that'll try to spread from one computer to another on the local area network, without human intervention. It has a couple methods of spreading on the network:
- The MS08-067 vulnerability: This vulnerability was patched last year. If your Windows installation still doesn't have the patch, and its firewall is permitting ports 139/445 (file & print sharing, etc), then this attack could succeed if you have an infected computer on your local area network.
Solution:
- Patch your system. While you're at it, check your system with Secunia's free online or installable vulnerability checkups to fix vulnerabilities in third-party software like Adobe Flash Player, Adobe Reader, QuickTime, RealPlayer, Skype, etc.
- Ensure your firewall is turned ON and has no unnecessary ports open, especially if you don't control the network and the computers on it (e.g. public WiFi, LAN party, etc). If you use the Windows Firewall, you can check the "Don't allow exceptions" or "Block all incoming connections" checkboxes for WinXP or Windows Vista, respectively; or review your open ports on the "Exceptions" tab in the Windows Firewall panel.
- If you have a wireless access point, prevent unauthorized computers from connecting to it, by enabling encryption (preferably WPA2 or WPA); and by enabling your wireless access point's MAC-address filter, so only your own computers can connect to it.
- Fully enable your system's Data Execution Prevention for all software.** I'm not sure if this will mitigate the MS08-067 vulnerability, but it's a good idea in general.
- Brute-force attack on your administrative shares (or open shares): The Conficker.B / Downadup / Kido worm will attempt to connect to and infect other computers on the local area network, starting with the credentials of the logged-on user, then by using the usernames found on the target system, and a long list of weak passwords that people might use for convenience. This is an age-old tactic used by network worms. If you have open shares, then no brute-forcing will be necessary if they're accessible to the infected system.
Solution:
- On WinXP SP2 or later, either leave the Administrator account's password blank*, or make it a strong password that contains a mix of upper-case, lower-case, numerals and symbols, e.g. I'mL33t!!!. If you maintain a computer fleet, definitely set strong passwords on the systems' Administrator-class accounts, and also on your Domain Administrator accounts. Absolutely do not log onto any computer as a Domain Administrator unless it is clean, and even then, only if you ABSOLUTELY have no other option.
- Scan your system with the free Microsoft Baseline Security Analyzer, which will check for weak passwords, report shares on the system, show missing updates, and alert you to other security/configuration issues in Microsoft software.
- Also use a software firewall and up-to-date antivirus software.
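Added example, not from the original post: a small checker for the non-blank option above. It applies the mix-of-classes rule from the post, and also rejects passwords that are on a weak-password list or are trivially derived from the user name (the kinds of guesses a share-walking worm tries first). The weak list, minimum length and "derived from user name" rules are this example's own assumptions, not anything Conficker is documented to use.

```python
import re

# Constructed stand-in for the "long list of weak passwords" a network worm
# carries; real lists are far longer. Load your own list here in practice.
WEAK_PASSWORDS = {"password", "123456", "admin", "letmein", "qwerty", "password1"}
MIN_LENGTH = 8  # assumption of this example; the post sets no length


def derived_from_username(password, username):
    """True if the password is the user name or a trivial variation of it
    (same, reversed, doubled, or followed by up to four digits)."""
    p, u = password.lower(), username.lower()
    if not u:
        return False
    candidates = {u, u[::-1], u + u}
    return p in candidates or re.fullmatch(re.escape(u) + r"\d{0,4}", p) is not None


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means the password passes.
    Class rule follows the post: upper-case, lower-case, numerals and symbols."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper-case": re.search(r"[A-Z]", password),
        "lower-case": re.search(r"[a-z]", password),
        "numerals": re.search(r"\d", password),
        "symbols": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password list")
    if derived_from_username(password, username):
        problems.append("derived from the user name")
    return problems


if __name__ == "__main__":
    for pw, user in (("I'mL33t!!!", "alice"), ("Admin123", "admin")):
        print(pw, "->", check_password(pw, user) or "OK")
```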
- It's an AutoRun worm that infects USB drives, etc
Conficker.B / Downadup / Net-Worm.Win32.Kido is also one of the countless worms that infect portable drives, memory cards, and other USB/Firewire devices that can store data. If the system is configured to AutoRun devices when they're plugged in, these types of worms may be able to run without further help when someone plugs in an infected device, depending on the version of Windows and how it's been configured.
Solution:
- As a blanket defense, disable or restrict AutoPlay on a permanent basis. As Chiefcrowe pointed out, some methods are not 100% guaranteed, so if you need to be extra-sure, here's Microsoft's definitive guide on the subject. The U.S. CERT has a quick-&-dirty method that they suggest, too.
- Software Restriction Policy is another viable defense when set up as shown, because it will arbitrarily prevent anything from executing from external drives, CDs and DVDs (which can also be infected by various worms).
- If you cannot use SRP, then using a non-Admin user account will still neutralize this attack vector due to lack of Admin powers that Conficker requires to infect the system and tamper with system security.
- Up-to-date antivirus software also helps, both as a final defensive layer, and as an alert that you have an infected device on your hands.
Also, be aware of the persistent risk of plugging your devices into other people's computers, and vice versa. If you're managing computers in a business situation, consider sending out a heads-up to the employees to remind them about any company policy you have regarding flash drives, MP3 players, digital picture frames, cameras, burned CDs/DVDs, and so forth.
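Added example, not from the original post: a tolerant parser for autorun.inf plus a few triage heuristics for the social-engineering trick described above (an entry dressed up to look like Windows' own "Open folder to view files" option). Useful when you want to see what a suspect drive would do before AutoPlay gets the chance. The sample file, the placeholder path under RECYCLER and the heuristics are all constructed for this example, not taken from a real Conficker sample.

```python
import re

# Constructed sample of a deceptive autorun.inf, written for this example.
# The launcher path is a placeholder, not a real indicator of compromise.
SAMPLE_AUTORUN_INF = """[autorun]
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RUNDLL32.EXE .\\RECYCLER\\placeholder.dll,EntryPoint
useautoplay=1
"""

EXEC_KEYS = ("open", "shellexecute")
KEY_RE = re.compile(r"^\s*([A-Za-z][\w\\]*)\s*=\s*(.*?)\s*$")
# Heuristic (this example's own): launchers and hidden system folders are suspicious.
SUSPICIOUS_PATH_RE = re.compile(r"rundll32|\brecycler?\b|system volume information", re.I)


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, ignoring junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        m = KEY_RE.match(line)
        if in_section and m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def analyze_autorun_inf(text):
    """Return a list of findings describing what the file would do and which
    deception tricks it uses; an empty list means nothing flagged."""
    entries = parse_autorun_inf(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key}= launches a program on insertion: {value}")
            if SUSPICIOUS_PATH_RE.search(value):
                findings.append(f"{key}= uses a launcher or hidden folder path: {value}")
    if "open folder" in entries.get("action", "").lower():
        findings.append("action= mimics Windows' own 'Open folder to view files' option")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon= borrows a built-in Windows icon to look legitimate")
    return findings


if __name__ == "__main__":
    print("\n".join(analyze_autorun_inf(SAMPLE_AUTORUN_INF)) or "nothing flagged")
```

Point it at a drive with `open(r"E:\autorun.inf", errors="replace").read()`; the parser skips the binary padding lines some worms add around the real entries.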
- If your system is vulnerable to this worm because you haven't patched the MS08-067 vulnerability and have open firewall ports, then you're three months behind on your Windows patching... c'mon, get with the program!
- If your system is vulnerable to this worm due to the other methods of attack, then your system is vulnerable to countless other worms as well (past, present and future). Take action to eliminate or mitigate those attack vectors before there's a problem.
- Real-time antivirus protection certainly can help, although I always prefer to have other proactive layers of defense stop the attack before antivirus protection has to make the save.
If you have a system that might be infected, and it won't let you get to any security-related sites, Microsoft has suggestions on this page in the Recovery section, including full manual removal, or by downloading and running the Malicious Software Removal Tool, which you can run from a CD if necessary.
Kaspersky Lab also has a specialized malware-removal tool that targets this family of worms: http://support.kaspersky.com/faq/?qid=193238496
If you need to bring in the bigger guns, try these bootable scanning CDs:
- AntiVir / Avira's free Rescue CD maker makes a bootable malware-scanning disc.
- F-Secure's free Rescue CD is available in .ISO format; burn it to CD using the burner software of your choice.
Before you attempt a removal, it's prudent to back up any important stuff: music, documents, emails, contacts, photos, etc. Also fix the underlying problem that allowed infection to occur in the first place, so it doesn't happen again.
In-depth information on Conficker.B / Downadup / Net-Worm.Win32.Kido
Symantec has a good write-up on this worm: http://www.symantec.com/busine...123015-3826-99&tabid=2 Symantec has also created a removal tool.
Microsoft's malware-prevention crew also has an overview and commentary: http://blogs.technet.com/mmpc/...icker-and-banload.aspx
F-Secure describes the interesting social-engineering work that went into the worm's AutoRun labelling. Even if automatic execution failed, people could easily be duped by this crafty tactic: http://www.f-secure.com/weblog/archives/00001586.html
*Beginning with WinXP SP2, it's not possible to authenticate remotely, or elevate using Runas, with a blank password. Furthermore, the default password for the Administrator account is blank. Normal setups of Windows XP don't show the actual Administrator account anyway, unless you boot in Safe Mode, so it's not likely you've been using it yourself. On Vista, it's completely disabled by default.
If you'd like to set a strong password on the Administrator account anyway, right-click Computer or My Computer, choose Manage to open Computer Management, and you can set the password by right-clicking the account's name in System Tools > Local Users and Groups > Users.
**To fully enable Data Execution Prevention for all software, right-click My Computer on the desktop screen or the Start menu, choose Properties (and then click System Protection if you have Windows Vista), and then do what's shown in this picture.