Bad Behavior

You most likely saw one of the many headlines in March and April bringing news on Conficker - a worm that has received extensive media coverage, due in part to Microsoft's offer of a $250,000 bounty in return for information leading to the arrest of the malware's perpetrators. April 1, the highly anticipated date for the Conficker botnet's activation, passed by without the activation of the Armageddon-like payload that some reports touted - yet Conficker continues to be a threat the world is watching. This month, we're bringing you a look at what exactly Conficker is and how you can avoid it.

Understanding the Threat
Conficker, which is also known as Downup, Downadup and Kido, is a worm that originally surfaced at the end of 2008, when it began exploiting a vulnerability in Microsoft Windows. (That means that if you update your PC with the latest security patches and keep your anti-malware software up-to-date, you have taken the necessary precautions to stay safe from this threat.) Infected machines become part of a botnet which, theoretically, can be used for anything from propagating spam to denial of service attacks to pushing rogue anti-malware applications.

It was speculated in some reports that on April 1, when the malware was scheduled to check for updates, it would activate, creating havoc and damaging millions of machines. While April 1 passed quietly, the threat posed by Conficker still exists; the botnet of millions of infected PCs is capable of carrying out criminal commands in order to make a profit for its creators. In fact, mid-April saw the first attempts at this, with machines in the botnet being used to send spam and run rogue security software.

The Bad Behavior
Whether or not Conficker's bad behavior matches up with the media hype surrounding it has been a subject of debate. What we do know is that its reach is pervasive, the malware itself is crafty, and researchers have not had a clear handle on the full scope of what the creators have planned. "From our perspective here at Lavasoft Malware Labs, Conficker has proven to be one of the more sophisticated pieces of malware," says Andrew Browne, Lavasoft malware analyst and Malware Labs team leader.

According to Lavasoft Malware Labs, Conficker attempts to avoid being reverse engineered by employing various obfuscation techniques. It displays classic malware behavior. Once a machine is infected, Conficker scans for the presence of a firewall. If a firewall exists, the malware asks the firewall to open a backdoor to download more malware. Conficker also attempts to disable various anti-virus applications it finds on the machine and block access to security websites. The botnet of infected PCs is made up of several million machines (estimates range from 3 to 12 million).

How does Conficker worm its way onto computer users' PCs? Conficker propagates by exploiting:

  • A known vulnerability in the Windows Server service, the MS08-067 vulnerability.

  • Weak passwords - home and corporate networks are exposed to a 'brute force' password attack using commonly used passwords.

  • USB devices - the worm copies itself as the autorun.inf file onto the device which is executed every time the compromised USB device is inserted into a PC.

Winning Strategies
There are 3 specific steps that you can take to reduce your chances of infection:

  1. Check for and install Windows updates. Once the latest updates have been installed, set your PC to automatically download and install these updates. The patch that fixed the MS08-067 vulnerability was published in October 2008 yet Conficker continues to thrive, meaning people are still not in the habit of installing security updates.

  2. Ensure all passwords, especially for network drive shares, are not easily guessable.

  3. Disable the Autoplay function. Instructions can be found on Microsoft's Help and Support pages.
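As an added example (not part of the Lavasoft article, and not a Lavasoft tool), the following PowerShell script audits the three steps above on a single Windows host, read-only: whether the MS08-067 patch is present and Automatic Updates is switched on, which non-administrative disk shares exist (the places where the worm's password guessing lands, so their account passwords deserve a review), and whether AutoPlay is disabled, plus a listing of any autorun.inf files sitting on attached removable drives. It assumes an elevated PowerShell session and that KB958644 is the hotfix ID of the MS08-067 patch for the Windows XP/Vista/Server 2003/2008 generation; the function names are my own.

```powershell
# Added example, not from the Lavasoft article: read-only audit of the three
# mitigation steps on one Windows host. Run from an elevated PowerShell session.
# Assumption: KB958644 is the MS08-067 hotfix for the XP/Vista/2003/2008
# generation; Windows 7 / Server 2008 R2 and later ship with the fix built in
# and show no separate hotfix entry.

function Test-Ms08067Patch {
    # Step 1: is the MS08-067 fix installed, or is the OS new enough to include it?
    $hotfix  = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $os      = [System.Environment]::OSVersion.Version
    $builtIn = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 1)
    [pscustomobject]@{
        Check  = 'MS08-067 patch (KB958644)'
        Passed = [bool]$hotfix -or $builtIn
        Detail = if ($hotfix) { "installed $($hotfix.InstalledOn)" }
                 elseif ($builtIn) { "fix included in OS $os" }
                 else { "NOT FOUND on OS $os" }
    }
}

function Test-AutomaticUpdates {
    # Step 1 (continued): AUOptions 4 = download and install updates automatically.
    # A policy value under Policies\... overrides the per-machine setting, so it is
    # read first.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $value = $null
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -Name AUOptions -ErrorAction SilentlyContinue
        if ($p) { $value = [int]$p.AUOptions; break }
    }
    [pscustomobject]@{
        Check  = 'Automatic Updates (AUOptions = 4)'
        Passed = ($value -eq 4)
        Detail = if ($null -eq $value) { 'AUOptions not set' } else { "AUOptions = $value" }
    }
}

function Get-ExposedDiskShares {
    # Step 2: list non-administrative disk shares (Type 0; names ending in $ are
    # hidden/admin shares). The accounts that can reach these need strong passwords.
    Get-WmiObject -Class Win32_Share -Filter 'Type=0' |
        Where-Object { $_.Name -notmatch '\$$' } |
        Select-Object Name, Path, Description
}

function Test-AutoplayDisabled {
    # Step 3: NoDriveTypeAutoRun is a bitmask of drive types with AutoRun turned
    # off; 0xFF disables it for every drive type, the value Microsoft's Help and
    # Support guidance recommends. HKCU is read too, since it applies per user.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $values = @{}
    foreach ($p in $paths) {
        $hive = $p.Split(':')[0]
        $v = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $values[$hive] = if ($v) { [int]$v.NoDriveTypeAutoRun } else { $null }
    }
    [pscustomobject]@{
        Check  = 'AutoPlay disabled (NoDriveTypeAutoRun = 0xFF)'
        Passed = ($values['HKLM'] -eq 0xFF) -or ($values['HKCU'] -eq 0xFF)
        Detail = ($values.GetEnumerator() | ForEach-Object {
                     if ($null -eq $_.Value) { "$($_.Key)=unset" }
                     else { '{0}=0x{1:X2}' -f $_.Key, $_.Value }
                 }) -join '; '
    }
}

function Find-RemovableAutorun {
    # Step 3 (continued): autorun.inf on attached removable drives (DriveType 2),
    # the file the worm plants on USB media. A hit is a prompt to scan the device,
    # not proof of infection: some vendors ship a legitimate autorun.inf.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $file = "$($_.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $file) {
            Get-Item -LiteralPath $file -Force |
                Select-Object FullName, Length, LastWriteTime, Attributes
        }
    }
}

# Run the audit and print a summary table.
@(Test-Ms08067Patch; Test-AutomaticUpdates; Test-AutoplayDisabled) |
    Format-Table Check, Passed, Detail -AutoSize
"`nNon-administrative disk shares (review the passwords of accounts that can reach them):"
Get-ExposedDiskShares | Format-Table -AutoSize
"`nautorun.inf files on attached removable drives:"
Find-RemovableAutorun | Format-Table -AutoSize
```

A `Passed` of `False` on the first or third row maps directly to step 1 or step 3 above; the share listing is only an inventory, since the script cannot judge password strength, and the autorun.inf listing is a reason to scan the drive with up-to-date anti-malware software rather than a verdict.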

Needless to say, you should also make sure to regularly update your anti-virus and anti-spyware software with the latest threat updates. (Ad-Aware detects Conficker as Win32.Worm.Downadup.)

Another point to keep in mind: the repercussions of the media blitz surrounding Conficker have meant that computer users are especially sensitive to the threats posed by malware; rogue security software creators have been quick to capitalize on Conficker's extensive media coverage by offering products claiming to remove Conficker. While it's important to be aware of the latest online threats and stay proactive to keep them off of your system, blindly relying on security software will not necessarily keep you safe.

For more facts on Conficker, including a simple test you can use to check for infection, visit the Conficker Working Group website, a site set up by industry experts to help combat the threat.

Ever wonder how all of those spam messages end up in your inbox? Part of the blame goes to botnets - they're used to send a great majority of today's spam. According to a recent report, out of all of the e-mails sent over the Internet, more than 97% are unwanted. Most of these e-mails are spam ads for drugs or products, and they often contain malicious attachments.

Source: Microsoft security report, BBC News
Do you use a netbook, or are you considering purchasing one? Find out the security must-haves - and how Ad-Aware provides the core protection you need, along with the resource efficiency that your netbook requires.
"I'm giving Lavasoft a 7 out of 7 rating because they did not only listen to their customers but they also understand the need of the users in defending the system from malware infections by releasing an improved, fast and feature-packed anti-malware program."

-Donna Buenaventura,
Bright Hub Review

Lavasoft AB Odinsgatan 10, 411 03 Gothenburg, Sweden | www.lavasoft.com | editor@lavasoft.com