Burlington, Iowa Computer and Business Consulting Firm - Drake Hardware & Software
Worm Alert - March 30th, 2009

The Conficker Worm aka Downadup

Drake Hardware & Software

There has been a big break in the fight against the Conficker worm, which threatens to activate and cause a lot of havoc on April 1st. Anyone with a network scanner, which trawls infrastructure for oddities, has two days to find the Conficker worm and mitigate it.

This fingerprinting advance for Conficker is a big deal because the worm’s first move is to turn off antivirus defenses. Since enterprises have network scanners as an additional layer of defense, the Conficker damage there should be limited. Unfortunately, consumers who rely solely on antivirus software, which is turned off when the worm activates, may still have serious problems.

What does the Conficker worm do?
We don’t know the purpose of the Conficker worm. So far the worm has created an infrastructure that its creators can use to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send spam, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable router and computer, it can take ownership of the router (Linksys and Netgear have been targeted so far). It then turns off automatic backup services, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm spread?
The Conficker worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Is your computer at risk?
Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up-to-date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk, since pirated systems usually cannot get Microsoft updates and patches.

The Fix
As of right now there is no fix since the virus hasn't been released. The best thing a user can do is prepare their computer for the impending attack by doing the following:

  1. Change default logins and passwords on routers.
  2. Run a good security suite; something with a firewall, anti-virus, and anti-spyware.
  3. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
  4. Don’t use "free" security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
  5. Turn off the "autorun" feature that will automatically run programs found on memory sticks and other USB devices.
  6. Be smart with your passwords. This includes:

    1. Change your passwords periodically
    2. Use complex passwords – no simple names or words, use special characters and numbers
    3. Use a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.

  7. Contact Drake H&S if you need help with any of these preventive steps.
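
A read-only check for steps 3 and 5 above, added here as an example and not part of the original alert. It assumes KB958644 is the update Microsoft issued with bulletin MS08-067 and that autorun is governed by the NoDriveTypeAutoRun policy value; the function names are hypothetical.

```powershell
# Added example. Runs read-only on Windows PowerShell 2.0 or later.
# Assumptions not taken from the page: KB958644 is the update Microsoft issued
# with bulletin MS08-067, and NoDriveTypeAutoRun (a REG_DWORD bitmask) is the
# Explorer policy value that controls autorun per drive type.

$PolicyPaths = @(   # HKLM is read first because it overrides HKCU when both are set
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$RemovableBit = 0x04   # removable drives such as USB memory sticks
$AllDriveBits = 0xFF   # autorun disabled for every drive type

function Get-AutorunPolicy {
    foreach ($path in $PolicyPaths) {
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $mask = [int]$item.NoDriveTypeAutoRun
            return New-Object PSObject -Property @{
                Source            = $path
                Mask              = '0x{0:X2}' -f $mask
                RemovableDisabled = (($mask -band $RemovableBit) -ne 0)
                AllDisabled       = (($mask -band $AllDriveBits) -eq $AllDriveBits)
            }
        }
    }
    # No policy value found: autorun is not disabled by policy on this host.
    return New-Object PSObject -Property @{
        Source = 'not configured'; Mask = $null
        RemovableDisabled = $false; AllDisabled = $false
    }
}

function Test-MS08067Update {
    # Get-HotFix lists installed updates. Windows releases that already ship
    # the fix will not list this KB, so $false means "verify", not "vulnerable".
    $fix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

$autorun = Get-AutorunPolicy
"MS08-067 update (KB958644) listed : {0}" -f (Test-MS08067Update)
"Autorun policy source             : {0}" -f $autorun.Source
"Autorun policy mask               : {0}" -f $autorun.Mask
"Autorun off for removable drives  : {0}" -f $autorun.RemovableDisabled
"Autorun off for all drive types   : {0}" -f $autorun.AllDisabled
```

A host that reports False for the update or for removable drives is one to revisit under steps 3 and 5.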


