Friday, March 13, 2009

April 1st may be a nasty day if your system harbors hidden malware

. . . of course this has been true for the last few years. April 1 seems to be a favorite time for malware criminals.

This year it's "Conficker" aka "Downadup." Since my last post about this rapidly spreading piece of nastiness, the virus has seen (at least) two updates from its authors. The most recent edition is more aggressive about spreading itself and more resilient against detection and cleanup than any virus I've personally seen in years.

It installs at least two rootkit variants and uses known Windows exploits to spread on local networks -- bypassing any user interaction (such as surfing a compromised website or opening infected email) altogether. It's still using USB devices to spread through AutoRun - which makes me wonder why Microsoft hasn't offered to disable that for everyone through Automatic Updates.

Its short-term purpose in life -- so far -- seems to be getting as many machines infected as possible. Long-term it's a botnet awaiting commands from the criminal owners. Those commands could be anything from an update to currently infected machines to make them harder to detect and clean, to a DoS attack on the Internet infrastructure or specific targets, or sending spam from millions of infected workstations, or activating/installing key-loggers to steal your ID/bank accounts.

I'm betting a combination of the above -- with the twist that the whole botnet will be up for hire and thus will change its mission frequently and randomly as underworld buyers subscribe to services.

I am very much concerned that after April 1st we will all know a lot more than we wanted to about Conficker.

So what can you do about this?

a) Don't rely on Windows Automatic Updates (it's been known to get into a stuck state on certain machines.) Visit Microsoft's Update site and verify that you are completely caught up on all critical updates. If you see any available critical fixes then you should install them, reboot, and check again. (Some updates stack on older updates and won't appear until you catch up a bit.) Repeat the check, install the next layer, and repeat until you show zero critical hot fixes on the list. Get to the manual update check from IE: open the Tools menu and select Windows Update. Or you can take a huge risk and click this link while using Internet Explorer (and hope that this blog post can be trusted): http://windowsupdate.microsoft.com/

b) Make sure you're running a current anti-virus/spyware product, and that your subscription is active. I'm not trying to play favorites, but you get what you pay for in most cases. Free AV products have not generally been as effective as pay-for versions (even within the same company/product group where a free version is offered - no names here.)

c) Lock down your wireless network with WPA2 if you use one at work or home - someone that's infected could wardrive your LAN and infect your machines if you leave your wireless open to the world. (Not to mention all the other crap they can do to you if you leave your network unsecured.)

d) Change your firewall's password from the factory default. (See your owner's manual . . . )

e) Turn off AutoPlay (yes I know, I rag on this a lot - Microsoft should pay attention already.)

f) Use IE in High Security mode and, if you have IE 8, enable Protected Mode (Vista IE 7 users get this by default), or better yet use Firefox 3.x in combination with NoScript.

g) If you can't do the above . . . then on March 31 turn your computer off, go outside, and enjoy some sunshine. Go find some nightlife too - away from your computer. You can come back on April 2nd. Maybe. Seriously, folks -- these things spread so easily because we get lax about our personal safety online.
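As an added example (not from the original post), here is a PowerShell script that checks the two items on the list that a machine can verify for itself: step (e), disabling AutoRun for every drive type via the Explorer policy key, and step (a), listing critical updates that the Windows Update Agent still reports as missing. It assumes PowerShell is available and that it is run from an elevated (Administrator) prompt; the registry path and the COM API are the standard Microsoft ones, not anything from the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.

# --- Step (e): disable AutoRun for every drive type ---
# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF sets every bit, so no
# drive (removable, fixed, network, CD-ROM ...) gets AutoRun processing.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # Note: older Windows releases only honor this value fully after Microsoft's
    # AutoRun update is installed, so step (a) still matters for this step.
}

function Test-AutoRunDisabled {
    $prop = Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.NoDriveTypeAutoRun -eq 0xFF)
}

# --- Step (a): list critical updates that are not yet installed ---
# Uses the Windows Update Agent COM API; the search contacts Microsoft Update
# (or WSUS, if the machine is pointed at one) exactly as the Windows Update
# site does, so "zero results" means the same thing as an empty list there.
function Get-MissingCriticalUpdates {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    $result.Updates |
        Where-Object { $_.MsrcSeverity -eq 'Critical' } |
        ForEach-Object {
            [PSCustomObject]@{
                Title = $_.Title
                KB    = (@($_.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            }
        }
}

Disable-AutoRun
"AutoRun disabled for all drive types: $(Test-AutoRunDisabled)"

$missing = @(Get-MissingCriticalUpdates)
if ($missing.Count -eq 0) {
    'No critical updates outstanding. Re-run after each install/reboot until this stays at zero.'
} else {
    "Critical updates still missing: $($missing.Count) (install, reboot, run again)"
    $missing | Format-Table -AutoSize
}
```

Because some updates only show up after earlier ones are installed, run the script again after each reboot until the missing count stays at zero, which is the same "repeat until the list is empty" loop step (a) describes.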

Would you drive on sagging bald tires with an engine light showing low oil with no seat-belt at very high speed on the interstate highway system?

Wait . . . don't answer that.