There's been a lot of fuss about the Conficker worm. However, there is a US$250,000 question: the origin of the virus.
This is the amount Microsoft is putting up as a reward for information leading to an arrest in the case. Folks at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, announced Monday that they had found clues that the virus may have originated in China. Previously, there were rumors that it might have come from Russia or Europe.
The firm's conclusion is based on its analysis of the virus's code. It found that Conficker's code is closely related to that of the notorious Nimda, a virus that wreaked havoc on the Net and e-mail in 2001. At that time, BKIS determined that Nimda was made in China based on the firm's own data.
It's important to note that the origin of Nimda was never verified. Though Nimda contained text indicating that it may have originated from China, this is in no way hard evidence.
Even if this finding of BKIS is credible, it is hardly good news, as it is still a long way from helping the authorities lay their hands on whoever is responsible for creating the virus. What it does help with, if anything, is narrowing down where to block the virus's return.
Conficker is a very sophisticated worm that took advantage of a security hole described in this Microsoft bulletin. The hole affected all 32-bit and 64-bit Windows operating systems, even those with the latest service packs. It allowed the virus to infect a computer without any user interaction, via the Internet, the local network or USB thumb drives. Once a machine is infected, the worm stops its security services as well as the Windows Update service, and disables tools and software designed to remove it. Apart from that, the worm also allows its creator to remotely install other malicious code on the infected computer.
The worm is also programmed to update itself from domains it generates pseudo-randomly. By April 1, the number of domains the worm generates and checks for an update could grow to 50,000 a day. The owner of the virus only needs to use one of these domains to host the update, which makes it virtually impossible for authorities to track the source of the update.
Microsoft and the Conficker Cabal, a Microsoft-led ad hoc partnership created to fight the Conficker worm, have been able to contain about 13 percent of these domain names, a number far from reassuring.
According to Quang Tu Nguyen, CEO of BKIS, there is also a chance that the worm might never return if its owner, for one reason or another, decides not to continue updating it or fails to do so. However, this is unlikely. Quang also suggests that the next outbreak of the virus might not necessarily be on April 1, as widely speculated, but could come on any day. The firm does believe the worm will most likely seek to update itself on April 1.
While this seems worrisome, the update will only take place on computers that have already been infected with one of Conficker's variants and are connected to the Internet. Currently, the number of infected systems is estimated to be around ten million worldwide.
Fortunately, it is relatively easy to determine whether your computer is infected. Vu Ngoc Son, manager of BKIS' research center, provided a simple way for you to find out if your computer is one of them:
First, make sure your computer is connected to the Internet by going to a Web site such as Google or ZDNet Asia's sister site CNET News.com. Then, if your computer can also successfully reach the Web sites of Microsoft and of known security companies, such as Symantec, McAfee, TrendMicro, Sophos and Panda, and you can also run Windows Update successfully, your computer is clear of Conficker.
On the other hand, if the computer fails any of those checks, it is likely that it has already been infected. In this case, try to follow this instruction to remove it. You can also back up your data and install Windows from scratch, then immediately run Windows Update to install the latest security patches.
Note that even if your computer is currently clean, that does not mean you will not get infected; this will depend on what the worm's next update does. The rule of thumb is to keep the protection software on your computer updated and keep the system current with Microsoft Update. There is plenty of free and effective antivirus software to be found at Download.com.
As the current work against Conficker is mostly damage control, the surest way to prevent another outbreak is for everybody to make sure their computers are free of the virus and updated with Microsoft's latest patches.
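The check above can be scripted: reach a control site first (to rule out a plain connectivity problem), then see whether Microsoft and the antivirus vendors' sites are reachable. This is an added example, not BKIS' tool or anything from the article; the hostnames are assumptions chosen to match the sites the article names, and the verdicts are a heuristic, not a definitive infection test.

```python
"""Reachability heuristic for the Conficker self-check (added example)."""
import socket
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Assumed hostnames: control sites the worm does not block, and the
# update/vendor sites an infected machine is described as unable to reach.
CONTROL_SITES = ["www.google.com", "news.cnet.com"]
VENDOR_SITES = [
    "www.microsoft.com", "update.microsoft.com", "www.symantec.com",
    "www.mcafee.com", "www.trendmicro.com", "www.sophos.com",
    "www.pandasecurity.com",
]


def probe(host: str, timeout: float = 5.0) -> bool:
    """True if the host resolves and answers HTTP at all.
    A 4xx/5xx reply still proves the site is reachable; a DNS failure,
    connection error or timeout does not."""
    try:
        socket.gethostbyname(host)
        urllib.request.urlopen(f"http://{host}/", timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True
    except Exception:
        return False


def classify(results: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Apply the article's decision rule to a host -> reachable mapping.
    Returns (verdict, blocked_vendor_hosts):
      'offline'    no control site reachable, so nothing can be concluded
      'clean'      control and every vendor site reachable
      'suspicious' control reachable but one or more vendor sites blocked"""
    if not any(results.get(h, False) for h in CONTROL_SITES):
        return "offline", []
    blocked = [h for h in VENDOR_SITES if not results.get(h, False)]
    if blocked:
        return "suspicious", blocked
    return "clean", []


if __name__ == "__main__":
    observed = {h: probe(h) for h in CONTROL_SITES + VENDOR_SITES}
    verdict, blocked = classify(observed)
    print(verdict, blocked)
```

A "suspicious" verdict means only that vendor sites are filtered while the Internet works, which is the symptom the article describes; confirm with an up-to-date scanner before reinstalling.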
This article was first published as a blog post on CNET News.
Conficker removal
Hi,
Good article. Sophos' Conficker removal tool can detect and remove all variants of the worm/virus.
As long as people run these tools it should stop any serious outbreak.
James
Posted by James on Monday, March 30 2009 10:31 PM