Don’t Let Conficker Ruin Your April Fool’s Day

By now, hopefully EVERYONE has heard of “Conficker”. If not.. you have very little time to make sure you don’t become “The Fool” this April 1st.

Computers infected with the infamous Conficker worm will start scanning the Internet for instructions this April Fools’ Day, and the results might not leave you feeling like it was a funny joke.

CBS’s “60 Minutes” ran a piece on Conficker last night, and my phone has been ringing off the hook today from clients concerned about whether they should be concerned.

To that question I would answer, “Relax, but be vigilant.”

Some analysists estimate that 54% of the affected computers that already have the Conficker worm sitting there waiting to do whatever it is the creator has designed it to do, are machines in China, Russia, India, Brazil, and Argentina, where many people use unauthorized Windows knockoffs. (Microsoft doesn’t provide all its patches to unlicensed copies of Windows, leaving the vulnerable machines free to attack.)

If you have a legitimate copy of Windows, and you have installed the patch Microsoft released back in October 2008, you “should be” fine. Just to make sure, double check that you’ve got the patch installed on your machine. (MS08-067)

The update in question was probably installed in late October or November of last year; look for Security Update for Microsoft Windows (KB958644). If this patch isn’t installed, browse to Microsoft’s Download Center to retrieve and install it.

If your PC is blocked from visiting this site, use a noninfected PC to download the patch to a removable medium and install the update on the wormed PC from that device.

Next, run Microsoft’s Malicious Software Removal Tool (MSRT). The latest version of this Microsoft tool identifies and removes all of the Conficker variants I’ve heard about. The easiest way to get MSRT is through Windows Update, but if you can’t get through to that service on the infected PC, borrow a computer and download the tool from Microsoft’s site.

Another sure tipoff that your computer may already be infected is if you have trouble connecting to your Anti-Virus update site. One of the things Conflicker (and it’s variants) was programmed to do was to block you from accessing updates to your Anti-Virus program site.

If your PC is already infected and you can’t access your AV Update site, a technical trick might enable you to visit a site that Conficker is blocking. Instead of entering the site’s domain name in your browser’s address bar, enter the site’s dotted-decimal IP address instead, which Conficker doesn’t seem to interfere with.

One way to learn the IP address of a Web site: using an uninfected PC, open a Firefox window and install the Show IP browser extension. With this extension enabled, the IP address of whatever site you’re visiting shows up in the browser’s status bar.

Of course, if you navigate to a site using its IP address and then click a link, the site will probably use a spelled-out domain name in the link. Conficker would block the resulting page, which you’d have to replace manually with its dotted-decimal equivalent. A pain in the butt for sure, but a lot less painful than the alternatives if you are already infected.

Third-party applications, especially media players, are more likely to suffer from security holes than Windows itself is. The security firm offers a free scan, informing you when your PC is running an insecure version of an application that has a security patch available.

the Secunia Software Inspector offers three options: (a) a free online scan; (b) a free download for individual users; and (c) a LAN utility for IT adminstrators. (I use the free online scan).

I run Secunia Inspector every time they send me an email that something needs to be checked. They have an email sign up box after you do a scan the first time that will notify you automatically when updates need to be checked. I highly recommend everyone using this site.

It’s best to strengthen your defenses before April 1st rather than waiting to see what bad things might happen.

Good luck on Wednesday!

Until Next Time…