April Fools' Day has come and, in some parts of the world, almost gone without obvious signs that the Conficker worm has caused undue harm. However, users are being cautioned to remain vigilant.
Shinsuke Honjo, writing on the McAfee Avert Labs blog, says: "McAfee Avert Labs has been closely monitoring Conficker-related threats and we haven't observed any significant activities on the domains that it is polling for thus far.
"Even so, please remain vigilant."
It has been widely reported that the Conficker worm is scheduled to cause unspecified damage to infected computer systems starting today, but the deadline of 1 April is not cast in stone.
Gartner vice-president and distinguished analyst John Pescatore says the Conficker worm represents a serious threat to enterprise and home PCs, but doesn't expect a widespread system meltdown today.
Yesterday, media outlets reported that security researchers have found a flaw in the widespread Conficker worm that may aid efforts to isolate and repair systems infected by it; several leading providers of vulnerability assessment (VA) technology also report being able to isolate Conficker-infected PCs.
"Gartner believes that the intense media attention being paid to the supposed 1 April Conficker deadline is largely unwarranted," says Pescatore.
"Conficker, which is believed to have infected more than 3-million PCs worldwide, is a serious problem that enterprises and security technology providers must address. However, there is no reason to believe that some spectacularly damaging event will occur on 1 April.
"Paradoxically, the hype surrounding Conficker, and the enterprise response, is a major factor limiting its likely impact. Enterprises should be much more concerned about unrecognised threats."
Conficker (also known as Downadup) exploits known vulnerabilities in Microsoft Windows Server services. Downadup first appeared in October 2008, a month after the release of Microsoft Security Bulletin MS08-067, which contained patches for the vulnerable services.
Many PCs were not patched in time and were compromised.
Conficker takes steps to make it appear that an infected machine has been patched, making it more difficult to detect compromised PCs. It also uses encryption and many techniques to evade detection and communicate with malicious command-and-control servers.
"Despite Conficker's unusual sophistication, most detailed analyses of the worm's code have shown there is no 'apocalyptic' event slated for 1 April," says Pescatore. "Today, one of the more recent Conficker variants will dramatically increase the number of domain names that may potentially host malicious servers.
"This will increase the pressure on simple URL blocking techniques, but will not significantly increase the threat level, because compromised machines already have many communications capabilities.
"The most likely outcome on 1 April is denial-of-service conditions resulting from increases in network bandwidth. The major risk of Conficker is the ongoing threat that compromised PCs present to both enterprises and home users."
He suggests that enterprise security professionals monitor credible sources for information on Conficker, which is being updated almost continuously.
They should also contact providers of VA technology to ensure that their capabilities have been updated to detect PCs compromised by Conficker and make VA scans of all PCs a critical priority.
Administrators are advised to review their URL blocking, the inbound malware scanning of their secure Web gateway, and their network access control capabilities to ensure that the most aggressive possible short-term stance is being taken against Conficker.
If employees are permitted to use their own PCs for business purposes, Pescatore says administrators should inform them of the urgency of checking and cleansing their PCs and instruct them about how to do so.
They should also place prominent warnings on enterprise Web sites directing consumers to antivirus sites with information on how to check their PCs.
McAfee says it has identified thousands of binaries that carry the Conficker payload. Depending on the specific variant, the worm may spread via LAN, WAN, web, or removable drives, and by exploiting weak passwords.
Conficker disables several important system services and security products, and downloads arbitrary files. Computers infected with the worm become part of an "army" of compromised computers and could be used to launch attacks on web sites, distribute spam, host phishing websites, or carry out other malicious activities.
Symptoms of Conficker infection include:
* Access to security-related sites is blocked;
* Users are locked out of their directory accounts;
* Traffic is sent to port 445 on non-Directory Service (DS) servers;
* Access to administrator shared drives is denied; and
* Autorun.inf files are placed in the recycled directory (trash bin).
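Two of the symptoms in that list, fan-out over port 445 to non-DS servers and autorun.inf files under a recycle-bin folder, can be checked from connection logs and a directory listing. The script below is an added example, not McAfee's or the article's own code; the log format, the Directory Service host set and the sample records are constructed here so it runs offline.

```python
import re
from collections import defaultdict

# Hosts that legitimately receive SMB traffic (domain controllers, file
# servers). Assumption: such an inventory exists; these IPs are constructed.
DS_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Constructed firewall-style records: "src dst dport action".
SAMPLE_CONNLOG = """\
10.0.1.23 10.0.0.10 445 allow
10.0.1.23 10.0.1.40 445 allow
10.0.1.23 10.0.1.41 445 allow
10.0.1.23 10.0.1.42 445 deny
10.0.1.50 10.0.0.11 445 allow
10.0.1.50 10.0.1.99 80 allow
"""

# Constructed directory walk of two drives.
SAMPLE_FILES = [
    r"D:\RECYCLER\S-1-5-21-123-456-789-1000\autorun.inf",
    r"D:\Documents\report.docx",
    r"E:\autorun.inf",
]

# autorun.inf anywhere below a RECYCLER (NTFS) or RECYCLED (FAT) folder.
RECYCLER_AUTORUN = re.compile(r"(^|\\)recycle[rd]\\.*\\autorun\.inf$", re.IGNORECASE)

def smb_fanout(connlog, ds_servers, threshold=2):
    """Map each source host to the non-DS hosts it contacted on TCP/445 and
    keep only sources with more than `threshold` distinct targets. Denied
    attempts count too: the worm's spread attempts are the signal."""
    targets = defaultdict(set)
    for line in connlog.splitlines():
        src, dst, dport, _action = line.split()
        if dport == "445" and dst not in ds_servers:
            targets[src].add(dst)
    return {src: hosts for src, hosts in targets.items() if len(hosts) > threshold}

def recycler_autorun(paths):
    """Return the autorun.inf paths that sit inside a recycle-bin folder."""
    return [p for p in paths if RECYCLER_AUTORUN.search(p)]

if __name__ == "__main__":
    for host, hosts in smb_fanout(SAMPLE_CONNLOG, DS_SERVERS).items():
        print(f"{host}: SMB fan-out to {len(hosts)} non-DS hosts: {sorted(hosts)}")
    for path in recycler_autorun(SAMPLE_FILES):
        print(f"suspicious autorun.inf: {path}")
```

An autorun.inf at a drive root is left alone on purpose: it is normal on removable media, while one below the recycle bin is the symptom McAfee describes.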
McAfee offers the following advice to remove W32/Conficker.worm and prevent it from spreading:
* Install Microsoft Security Update MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.
* Clean the infected systems, and reboot – Use anti-malware solutions such as McAfee VirusScan Plus or ToPS for Endpoint to clean the infection. Use behavioral detection techniques like the buffer overflow protection in Host IPS to prevent future infections. This is important because Conficker can propagate via portable media such as infected USB drives. As the media are accessed, the system processes autorun.inf and executes the attack.
* Identify other systems at risk of infection – You need to identify which systems are at risk. The list includes systems that either are not patched against Microsoft vulnerability MS08-067 or do not have proactive protection controls to mitigate the vulnerability.
* Limit the threat's ability to propagate – Using network IPS at strategic points in your network will quickly limit the ability of the threat to spread. This gives you time to either update your client anti-virus signatures or modify policies to block the threat using the behavioral controls.
Symantec stresses that, although companies have been relatively unscathed today, the Conficker worm could update itself at any time.
It says a mitigation option is now available to bypass Conficker's domain-blocking feature, which prevents a user on an infected machine from reaching a security site to get a fix tool.
The user can open a command (DOS) prompt and type "net stop dnscache", which stops the DNS cache service, says Symantec. The user will see a message that the DNS Client service has stopped and can then proceed to the security Web site or download the fix tool.