Unless you're living in a cave, by now you've heard that a worm known as Conficker (or Downadup, or Kido) has infested computer systems around the world, and that it will do something
on April 1st, though nobody knows exactly what. How can you be sure your
computer doesn't become a casualty? Here are eight action items—things
you can do yourself to weather the potential storm.
Double-check Windows Update
The worm weasels into computer systems through a Windows vulnerability
that was patched last October, and once in place it interferes with the
Windows Update system, to protect itself. So, verify that your system
is up to date. XP users should launch Internet Explorer (no other
browser will do), visit www.windowsupdate.com,
and click the "Review your update history" link. Vista users should
launch Windows Update from the Start menu and click the "View update
history" link. In particular, you want to see KB958644
in the list—that's Conficker's entry point. If your latest update is
any older than March 2009, that's not good. Go back to the main Windows
Update page and install all critical and security updates.
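The same check can be done from a command prompt instead of the update-history page. The script below is an added example, not part of the original article; it assumes Windows PowerShell is installed (on XP it is a separate download) and reads the installed-hotfix list from the Win32_QuickFixEngineering WMI class, which exists on both XP and Vista. It looks for KB958644 and reports the date of the newest update so you can apply the "older than March 2009" test without scrolling through the list.

```powershell
# Added example (not from the article): confirm that KB958644, the fix for the
# vulnerability Conficker uses to get in, is installed, and find the newest update date.
$fixes = Get-WmiObject -Class Win32_QuickFixEngineering

# The entry-point patch must be present.
$confickerFix = $fixes | Where-Object { $_.HotFixID -eq 'KB958644' }
if ($confickerFix) {
    Write-Host "KB958644 is installed: Conficker's entry point is closed."
} else {
    Write-Warning "KB958644 NOT found. Install all critical and security updates from Windows Update first."
}

# InstalledOn is a free-form string and is blank or unreadable on some systems,
# so parse defensively and keep only the dates that make sense.
$dates = foreach ($fix in $fixes) {
    $parsed = [DateTime]::MinValue
    if ([DateTime]::TryParse($fix.InstalledOn, [ref]$parsed)) { $parsed }
}
$latest = $dates | Sort-Object -Descending | Select-Object -First 1

if ($latest -and $latest -lt [DateTime]'2009-03-01') {
    Write-Warning "Newest update was applied $($latest.ToShortDateString()), which is older than March 2009."
} elseif ($latest) {
    Write-Host "Newest update applied: $($latest.ToShortDateString())"
} else {
    Write-Warning "No readable update dates found; review the update history by hand."
}
```

A missing KB958644 is the result that matters; the date check is a secondary hint, since an update history whose newest entry predates March 2009 suggests that Windows Update has not been running, which is exactly what the worm tries to arrange.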
Turn Off AutoRun
Sure, it's convenient that CDs and DVDs automatically launch their
programs when you put them in. You may even be happy to see the window
that asks what you want to do when you insert a USB key. But Conficker
and other worms subvert this handy feature to spread their infestation.
Use a Conficker-tainted USB key to share pictures or music with a
friend, and you're sharing the malware, too. The feature's convenience just isn't worth that risk. Here are instructions to turn off AutoRun.
Update Your Protection
It goes without saying that you
should always keep your security software and malware definitions up to
date. Don't just rely on automatic updates, as the worm has been known
to interfere with these. Dig into your security software and manually
launch an update, then watch to make sure it completes the process
successfully. Now launch a full system scan.
Get a Second Opinion
Your security software can probably handle the Conficker worm, but why take a risk? Visit the Conficker Working Group's Repair Tools page
to find the latest collection of threat-specific cleanup tools. At
present, this page links to tools from AhnLab, ESET, Kaspersky,
F-Secure Malware Removal Tool, McAfee, Microsoft, Sophos, Symantec, and
TrendMicro. Run one or more of these to verify that your system is
clean.
Check Your Servers
Conficker also attacks network shares using what's called a dictionary
attack. It tries to gain Administrator access using a bunch of common
passwords and often lucks out. If you're responsible for a network,
whether it's an office or home network, check all of the network shares
and make sure they're protected with a strong password. While you're at
it, check the root folder of each drive for the presence of an
AUTORUN.INF file or any unrecognized software—these are clues that
Conficker is already in residence.
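To go with the AutoRun section above and the root-folder check here, the following added script (not from the article) does both from PowerShell on each machine: it reads the NoDriveTypeAutoRun policy value, which is the registry setting Windows uses to disable AutoRun per drive type (0xFF covers every type), and then walks the root of every removable, fixed and network drive looking for an AUTORUN.INF file or stray executables. The registry path and value are Microsoft's; the file-extension list used to flag "unrecognized software" is the author's assumption and can be extended. On XP and Vista the policy value is only honored fully once Microsoft's AutoRun hotfix is installed, so the registry check alone does not prove AutoRun is off.

```powershell
# Added example (not from the article): report the AutoRun policy and inspect
# the root folder of each drive for Conficker's calling cards.

# 1. AutoRun policy. NoDriveTypeAutoRun is a bitmask of drive types for which
#    AutoRun is disabled; 0xFF disables it for all of them.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = $null
if (Test-Path $policyKey) {
    $value = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
}
if ($value -eq 0xFF) {
    Write-Host "AutoRun is disabled for all drive types (NoDriveTypeAutoRun = 0xFF)."
} else {
    if ($null -eq $value) { $shown = 'not set' } else { $shown = ('0x{0:X}' -f [int]$value) }
    Write-Warning "AutoRun is not fully disabled (NoDriveTypeAutoRun = $shown)."
}

# 2. Drive roots. Win32_LogicalDisk DriveType: 2 = removable, 3 = fixed, 4 = network.
$drives = Get-WmiObject -Class Win32_LogicalDisk |
    Where-Object { @(2, 3, 4) -contains $_.DriveType }

# Assumed list of extensions that have no business sitting at a drive root.
$suspectExtensions = '^\.(exe|dll|vbs|scr|bat|cmd)$'

foreach ($drive in $drives) {
    $root = $drive.DeviceID + '\'
    if (-not (Test-Path $root)) { continue }

    # An AUTORUN.INF at the root is how the worm rides USB keys and shares.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path $inf) {
        Write-Warning "$($root) contains AUTORUN.INF; inspect it before trusting this drive:"
        Get-Content $inf -ErrorAction SilentlyContinue | ForEach-Object { "    $_" }
    }

    # -Force includes hidden and system files, which is how the worm hides its files.
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match $suspectExtensions } |
        ForEach-Object { Write-Warning "Unexpected program at $($root): $($_.Name)" }
}
```

Run it on each server and workstation you are responsible for; a warning is a reason to run one of the threat-specific cleanup tools described in the next sections, not proof of infection on its own, since some legitimate installers also drop an AUTORUN.INF on removable media.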
Inoculate Your Servers
Products like Faronics Anti-Executable
prevent the launch of any program that's not pre-approved. On an
individual workstation where installing new software is common, this
kind of program can prove annoying, but server configuration is much
slower to change. It's a little late to apply this kind of
program-whitelist protection now, but going forward you'll want to
consider it for your servers. When no unapproved program is allowed to launch, it doesn't matter how cleverly malware morphs—it's powerless.
Back Up, Back Up, Back Up
Conficker isn't the only possible threat to your important data: Your
computer could fail; thugs could steal it; a car might drive through
your office wall and flatten it. If you have a backup system in place,
make sure that it's operational and that you have a recent full backup.
If not, get yourself a high-capacity USB drive and copy all your most
essential files onto it. (After making sure you've disabled AutoRun as described above, of course.)
Scared? Hide Under the Covers
Does the fact that Conficker's final aim is unknown give you the
willies? Are you shaking with worry that a hitherto-unknown "D" variant
will show up tomorrow and zap your computer? OK, it's not very likely,
but if you're concerned, take a day off from the Internet! Unplug the
network cables from your computers,
disable the wireless connections, and spend the day working on local
documents or revisiting your favorite pre-Internet games.