Conficker (a.k.a Kido, Downup or Downadup) is a worm that has gained notoriety in a very short time. The reason for this is the number of systems infected worldwide. It isn’t clear, exactly how many systems have been infected, but various sources have said it to be somewhere between 3million and 10million, although there have been speculations that the range might be a lot wider than that, with as many as 1 in every 6 systems infected worldwide. According to pretty much every estimate there is, Conficker now has by far the largest botnet in the world.
Conficker typically infects the system by exploiting a buffer overflow vulnerability in the Server Service of Windows, which allows code to be executed remotely. The vulnerability has been patched by Microsoft last year (the patch can be found here). Once inside, the worm will disable a number of Windows services, including Windows Automatic Update, Windows Defender and Windows Security Center. Afterwards it connects to a server, downloads more malware, gathers private information and attaches itself to crucial Windows processes, namely, explorer.exe, services.exe and svchost.exe. Conficker also tries to spread through ADMIN$ shares, by hacking the administrator password through a dictionary attack.
The reason behind Conficker’s success is the algorithm it uses to change domains used to receive instructions. Normally, worms use a few domains, thus making it simple for security companies to block them, which deems them far less detrimental than they would usually be. Since revoking a few domain registrations is useless in fighting Conficker, Kaspersky Labs and OpenDNS botnet protection have teamed up to create a preemptive method of blocking domains. Apparently the people at Kaspersky have studied the worm’s code and found the way Conficker’s algorithm works, which allows them to block domains before they are being used . More information on that can be found here.
At the moment, most anti-spyware and anti-viral software is useless against Conficker, since instead of implementing a separate rootkit, it uses registry permissions. Because of this, manual removal instructions will not work either – registry permissions have to be restored, before registry keys are removed. Symantec, Kaspersky and Microsoft have released removal tools for Conficker, but it is not totally clear just how useful they are.
Until spyware/virus removers have been updated, it seems the most effective way to avoid Conficker infection is to use the registry to block Autorun of external media, use a strong administrator password, use the patch by Microsoft and OpenDNS botnet protection.
How to determine if you are infected with Conficker?
How to interpret:
|This means that your computer is not Infected by Conficker or you are using proxy|
|This means that your computer is probably infected by Conficker (C variant or greater)|
|This means that your computer is probably infected by Conficker B variant|
|Image loading might be turned off in browser|
Conficker blocks access to over 100 antivirus and security related websites.
If you can see all six images in the above table, that means that your computer is not infected by Conficker, or you are using a proxy server. In such case test results will be inaccurate, because Conficker won’t be unable to block you from viewing antivirus and security related websites.
If you can’t see the remote images in the first row of the top table above, but the images in the second row are visable, that means that your PC is probably infected by Conficker or some other malicious software.
Automatic Malware removal tools