
March 30th, 2009

The "no bull" guide to Conficker

Posted by Adrian Kingsley-Hughes @ 3:53 pm

Categories: Security

Tags: Infection, PC, Malware, Conficker, Security, Viruses And Worms, Adrian Kingsley-Hughes

[UPDATE: I've posted a piece looking at the latest Conficker.E update.]

I usually have a pretty good idea of how widespread a particular piece of malware is by the number of incidents of infection (or reports of infection) that I come across. But when it comes to the Conficker worm (aka Downadup or Kido), I get the feeling that while there’s a lot of hype surrounding this latest bit of malware, actual infections are much lower than some would want you to believe. However, over the past few days the number of enquiries I’m getting in relation to Conficker has skyrocketed, so to try to answer people’s questions, and calm people’s fears, I’ve put together a quick “no bull” guide to Conficker.

Some antivirus companies love to hype malware because it’s a great way to sell security products. While Conficker isn’t new (it’s been around since November last year), the April 1st trigger date gives security firms the opportunity to ratchet up the hype a couple more notches (and help drive concerned users straight into the hands of cybercriminals). It’s important to note that it’s unclear right now what will happen come the trigger date. What is clear, however, is that you will need to be infected to be at risk of anything happening at all.

It seems that more than half of all Conficker infections are confined to PCs in China, Brazil, Russia, India, and Argentina, so folks in the US and Europe have dodged the bullet … mostly. Given the relatively low number of Conficker infections that I’ve come across, I’d say that the research is spot on.

If you’re running a fully patched system, then you’ve got little to be worried about. If you’re running an antivirus program, then you’ve got a second line of defense. If you’re worried, run a scan with a detection tool (links below). Better to be safe than sorry. Conficker can spread via network shares, leveraging weak passwords, so if you can’t trust the systems you’re connected to, and you know you’re using weak passwords, then your risk of being infected is elevated. Also, Conficker can spread via removable drives by taking advantage of Windows AutoPlay.

If you’re running a bootleg copy of Windows that’s not patched properly, or you’ve been neglecting to patch up (the security bulletin that’s important here is MS08-067) then there’s a small chance that you could be infected. If you’re worried, run a system scan using one of the following tools:

If you’re having trouble accessing any of the above links then that could be an indicator that you’re infected because Conficker (specifically Conficker.C) incorporates a domain blocker to prevent infected users from getting help (even accessing Windows Update and Microsoft Update). It’s now important that you use an uninfected PC to download a Conficker removal tool onto a USB drive and clean up the infected PC. Alternatively, you can visit a site run by security firm BitDefender that is, as of the time of writing, not blocked (this site could be added to Conficker’s block list at any time, so there are no guarantees that it will remain open to those who are infected).
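A quick way to tell the selective blocking described above from an ordinary outage, as an added example that is not from the original article: it compares name lookups for security and update sites with lookups for unrelated control sites. The host lists are assumptions chosen for illustration, and the check assumes the blocking shows up as failed lookups.

```python
import socket

# Assumed hostnames, not taken from the article: vendor/update sites of the kind
# the article says infected PCs cannot reach, plus unrelated control sites.
SECURITY_HOSTS = ["www.microsoft.com", "update.microsoft.com",
                  "www.symantec.com", "www.mcafee.com"]
CONTROL_HOSTS = ["www.example.com", "www.wikipedia.org"]

ADVICE = {
    "no-connectivity": "Nothing resolves: a general network or DNS fault, "
                       "not evidence of a blocker.",
    "selective-block": "Only security/update sites fail: consistent with a domain "
                       "blocker. Fetch a removal tool on an uninfected PC and scan from USB.",
    "partial": "Some security sites fail: retry later, then scan with a detection tool.",
    "clear": "No selective blocking seen. This does not prove the PC is clean; "
             "still patch and scan.",
}


def resolves(host, resolver=socket.getaddrinfo):
    """Return True if the host name resolves; lookup errors count as failure."""
    try:
        return bool(resolver(host, 443))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def triage(security_hosts, control_hosts, resolver=socket.getaddrinfo):
    """Compare security-site lookups with control lookups and classify the result."""
    sec = {h: resolves(h, resolver) for h in security_hosts}
    ctl = {h: resolves(h, resolver) for h in control_hosts}
    if not any(ctl.values()):
        verdict = "no-connectivity"   # controls fail too, so nothing can be concluded
    elif not any(sec.values()):
        verdict = "selective-block"   # controls fine, every security site fails
    elif not all(sec.values()):
        verdict = "partial"           # mixed result, could be a transient fault
    else:
        verdict = "clear"
    return verdict, sec, ctl


if __name__ == "__main__":
    verdict, sec, ctl = triage(SECURITY_HOSTS, CONTROL_HOSTS)
    for host, ok in {**sec, **ctl}.items():
        print(f"{'ok  ' if ok else 'FAIL'} {host}")
    print(f"{verdict}: {ADVICE[verdict]}")
```

A "clear" result only rules out this one symptom; a scan with a detection tool is still the real test.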

After cleaning up the PC, apply the patch and then get on with the rest of your life.

Bottom line … Don’t panic!

Adrian Kingsley-Hughes: Adrian is a technology journalist and author who has devoted over a decade to helping users get the most from technology. He also runs a popular blog called The PC Doctor. See his full profile and disclosure of his industry affiliations.

Want to get in touch? Got a tip? Feel free to drop me a note! I ALWAYS respect anonymity. I'm also on Twitter (@the_pc_doc)

Right to Reply: Should any industry representatives wish to comment on any posts on Hardware 2.0, I will be happy to publish their reply verbatim on this blog.

Talkback (most recent of 292 comments)

Personally...

The first major virus I had experience with came in a floppy from Quartermaster Headquarters in Ft. Lee Va. and totally hosed our field micro mainframe.

This was in 1987. I've heard of viruses ...

Posted by: JCitizen Posted on: 07/14/09 (Edited: 07/14/09 @ 08:27)