Experts urge use of Conficker removal tools before April

Organisations need to act fast to avoid more damage from the Conficker worm.

On April 1, a vast army of infected computers is expected to contact Web servers owned by the authors of the world's currently most notorious computer worm, Conficker -- also known as Downadup and Kido.

What those machines will do once they make contact is still open to question, as is the size of the population of infected machines. What we do know is that the infection has spread rapidly since its first appearance in November, and some estimates put the number of infections at around 15 million. The worm has done no real damage yet, but it has laid the foundations of a vast botnet that could be used for any number of nefarious purposes -- from launching DDoS attacks to planting more malicious software on the infected systems.

Most experts agree that the Conficker worm is a very impressive piece of coding. Although it uses no new coding techniques, it is the combination of approaches it employs that makes it so difficult to handle.

It is also curious that so many computers should have fallen prey to a worm at all. The days of database and operating system viruses like Blaster and Slammer four or five years ago alerted the world to the need for regular patch management, and since then, many people thought worms had had their day.

Furthermore, a patch was already available for the vulnerability (the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, MS08-67) which Conficker uses to spread to other computers in a network. Microsoft published the patch in October, a month before Conficker made its debut.

Since then, the authors have added new variants of the code in order to strengthen the original and avoid detection and disinfection. The updated code has the ability to block connections to Windows Update Services, and to certain antivirus update services, and it also tries to disarm code it thinks is there to remove it.

"It's an amazing piece of malware," says Vlad Valceanu, head of antispam research at Bucharest-based BitDefender Corp. "This is a new layer of resistance to disinfection. This is what makes it so dangerous and widespread. When you are infected with Conficker, it blocks access to known AV sites, so you can't update your AV nor your operating systems. You can't download disinfection tools. It also tries to block disinfection tools by looking at the program's name and killing it before it starts."

Taking action: Removal tools and tactics for the Conficker worm
By February, Microsoft offered a $250,000 reward for the arrest and conviction of the worm's authors, and the antivirus community came together in what became known as the 'Conficker Cabal' to pool resources to block the worm from doing more harm.

Microsoft and most of the antivirus companies have since produced disinfection tools that appear able to bypass the techniques Conficker uses to protect itself.

Orla Cox, from the Symantec Response Centre in Dublin, advises that if you suspect you have an infected machine, you should disconnect it, clean it up and make sure the Microsoft patch is applied before trying to reconnect. Although the Conficker code blocks connection to security sites, she says, most administrators have a method of rolling out the latest AV definitions to their machines.

But that doesn't mean the process of disinfection is going to be easy. Leon Ward, a senior technician with network security firm Sourcefire Inc., explains: "You need a systematic approach to try and eradicate it once it's in the system. It is really hard to get rid of every one of the infection mechanisms."

The code copies itself to public file shares on a network, so that any other users going to that share will be infected. In addition, an infected USB stick can exploit the Autorun function to launch the malware on to a machine. And once on the network, the code will try to infect other computers on the network, using a dictionary-based attack to guess logins and passwords.

"If you have a predictable password, then you will get infected through that mechanism. And it will try that for every device on the network," Ward said.

"Even if you apply the Microsoft security patch and you have never plugged in a USB stick, you can still be compromised by browsing to a trusted network share that has been compromised by another user."

Rafe Pilling, a consultant with DNS Ltd., an information security company based in Edinburgh, said the sheer logistics of removing all traces of the software from a large network can be daunting.

For a start, if an organisation has a lockout policy in place and only allows a certain number of failed logins before blocking access to user accounts, it means Conficker's attempts to guess passwords will result in many machines being shut down, even if they have not been infected. "Users come in in the morning, find they can't log in, so they all try to contact the help desk at once. If you have a user base of several thousands, that can be overwhelming," Pilling said.
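The lockout side effect described above can also serve as a detection signal: one host failing logons against many different accounts within a short window is the password-guessing pattern, and lockouts on those accounts are collateral rather than a sign that those users' own machines are infected. The Python below is an added example, not from the article or any vendor tool; the CSV layout, host and account names, time window and threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified CSV layout (not a real Windows log export).
# Columns: time, event (FAIL = failed logon, LOCKOUT = account locked), source host, account
SAMPLE_LOG = """\
2009-03-20T02:10:01,FAIL,WS-0417,alice
2009-03-20T02:10:02,FAIL,WS-0417,bob
2009-03-20T02:10:03,FAIL,WS-0417,carol
2009-03-20T02:10:04,FAIL,WS-0417,dave
2009-03-20T02:10:05,FAIL,WS-0417,erin
2009-03-20T02:10:31,FAIL,WS-0417,alice
2009-03-20T02:10:32,LOCKOUT,DC-01,alice
2009-03-20T08:55:10,FAIL,WS-0099,gina
2009-03-20T08:55:40,FAIL,WS-0099,gina
2009-03-20T08:55:41,LOCKOUT,DC-01,gina
"""
WINDOW = timedelta(minutes=10)  # assumed sliding window
MIN_ACCOUNTS = 5                # assumed: distinct accounts tried by one source

def parse_events(text):
    """Parse the constructed CSV into time-ordered (time, event, source, account) tuples."""
    rows = (r for r in csv.reader(io.StringIO(text)) if r)
    return sorted((datetime.fromisoformat(t), ev, src, acct) for t, ev, src, acct in rows)

def guessing_sources(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Map each host that failed logons against many accounts in one window to those accounts."""
    fails = defaultdict(list)
    for ts, ev, src, acct in events:
        if ev == "FAIL":
            fails[src].append((ts, acct))
    flagged = {}
    for src, items in fails.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            accounts = {a for _, a in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(src, set()).update(accounts)
    return flagged

def collateral_lockouts(events, flagged):
    """Locked-out accounts that a flagged source had been guessing against."""
    targeted = set().union(*flagged.values())
    return sorted({a for _, ev, _, a in events if ev == "LOCKOUT" and a in targeted})
```

On the sample, WS-0417 is the host to isolate and the lockout on alice is attributed to it, while gina's lockout (one user mistyping from one workstation) is left alone.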

Then you have to make sure the patch is deployed and all AV signatures are brought up to date. According to Pilling that should be enough: "This particular worm doesn't put up too much of a fight. Once you have the updates, then it can be cleared. And you can do it without having to reboot, although my preference is to isolate the machine, clean it, reboot, and maybe clean it again."

However, as he says, many companies have a mixed estate of machines, some of which may not have been patched for some time and will need to have Service Packs loaded before the patch can be applied. Some systems that have not been rebooted for a long time may fail, he warns, and so he advises having standby components or spare machines ready to plug in.

Aside from cleaning every machine on the network, Niall Fitzgibbon, a researcher with Sophos Labs, also advises that after patching the vulnerability, organisations ensure their password policies are strong enough to withstand a dictionary attack.

He has some words of warning for systems administrators who are trying to fix the problem. "When you're cleaning this up, you need to make sure you don't log into infected computers with an account that will let it spread even further," he said. "If you log on to an infected computer with a domain administrator account, which a lot of administrators may do if they log on remotely through a remote console, then Conficker will use their privileges to do copies to other computers in which they've got main admin accounts."

Steps to remove Conficker

-- Apply the MS 08-67 patch

-- Use one of many available (and usually free) disinfection tools

-- Ensure anti-virus signatures are up to date

-- Adopt a policy of strong passwords

-- Disable Autorun across the organisation

Equally, if system admins carry software tools around with them on a USB stick, they should make sure the hardware can be write-protected to prevent it from getting infected, and thereby spreading the infection. Otherwise, load the software on to a CD.

Looking ahead: The latest variant of the Conficker worm
Organisations now need to make sure they are clear of the malware ahead of the April 1 date. In the last couple of weeks, the malware authors have raised the stakes by launching a new variant of the code which seems to be designed to beat the best efforts of the Conficker Cabal.

Before the new variant, the code could generate up to 250 URLs a day, which could be used to download new information from the malware authors. By banding together with ICANN (the Internet's numbering authority), the Conficker Cabal was able to predict what the URLs would be and register and disable them. In other words, they could stay ahead of the threat and disable the download sites before they could be used by Conficker.

But the latest variant boosted the daily number to 50,000, making it virtually impossible for the Cabal to maintain control. The code modifications make it all the more important for organisations to clear out any infection before April 1, when the worm is programmed to connect to the increased number of domains.

However, most researchers are optimistic that the problem can be contained. And they take some comfort from knowing that basic security practices -- rigorous patch management, strong password policies, up-to-date antivirus and disabling Autorun -- would have stopped this infection in its tracks.

As Symantec's Orla Cox said: "The lessons that were learned back in the days of the Blaster worm have been forgotten a little bit. The success of Conficker shows that people are not taking patching as seriously, or that it takes a long time because of policies that are in place to test patches."

And Gerhard Eschelbeck, chief technology officer at Webroot Software, Inc., said urgent action is now required. "Today, there is no reason for anyone to stay infected. There are plenty of tools available, mostly free of charge. And everyone's responsibility is to clean up their machines before the April event," he said. "Doing nothing is the most disastrous approach."

If the Conficker episode reminds organisations not to ignore the basics of security, then it will have served some good purpose, he said.
