Windows Secrets logo

 

 

   
       
   
Windows Secrets NEWS UPDATE • Issue 191 • 2009-03-30 • Circulation: over 400,000

 		   
   
AD

Remove the Conficker worm: register now

    Remove the Conficker worm: register now

Conficker is one of the worst viruses in history and has infected over 15 million PCs. We are offering a special 60% time-limited discount to Windows Secrets readers. Conficker is set to unleash on April 1st. Protect yourself with ParetoLogic Anti-Virus PLUS!
 ParetoLogic Anti-Virus PLUS
   
   
Table of contents
 TOP STORY: Run a Conficker removal tool before April 1
YOUR SUBSCRIPTION: Change your preferences or unsubscribe

    
       
   
ADS
Free PC performance & security scan   Free PC performance & security scan
Take a few minutes to find out why your PC is so slow. Run the free PC Pitstop Optimize 2.0 scan and receive a free custom report detailing common issues that might be keeping your PC from running at full speed. Over 100 million scans run. Scan now!
 PC Pitstop

Fast POP3 downloader for Exchange Server   Fast POP3 downloader for Exchange Server
IGetMail downloads, sorts, and delivers remote POP3 e-mail to your Exchange Server every 20 seconds. Supports individual and catch-all POP3 accounts; flexible scheduler; SSL support; leaves e-mail at server, replays messages. Try the 30-day trial.
 IGetMail

Download a free PC-performance scan   Download a free PC-performance scan
RegCure repairs your Registry and automatically makes your PC's performance like new. Remove Windows errors instantly and clean up your Registry. RegCure is an award-winning product — download a free scan now!
 RegCure

See your ad here

    
   
TOP STORY

Run a Conficker removal tool before April 1

Brian Livingston By Brian Livingston

Computers infected with the infamous Conficker worm will start scanning the Internet for instructions this April Fools' Day, and the results won't be a funny joke.

I'm publishing a special news update today to correct some misinformation that's been circulating and to give you a 1-2-3 approach that should cure most Conficker infections before April 1.

In a technical analysis, the nonprofit security group SRI International states that millions of PCs have become infected with Conficker. It's "the most dominating infection outbreak since Sasser," a worm that raced across the Internet in 2004, SRI says.

Writer John Markoff opined in a New York Times blog post on March 19 that Conficker's bot army "could possibly become the world's most powerful parallel computer." Something tells me this network isn't going to be used to search for signs of intelligent life in the universe.

First of all: Whatever you've heard, don't panic. Most Windows Secrets readers don't have PCs infected with Conficker. The SRI analysis estimates that 54% of the affected machines are in China, Russia, India, Brazil, and Argentina, where many people use unauthorized Windows knockoffs. (Microsoft doesn't provide all its patches to unlicensed copies of Windows, leaving the vulnerable machines free to attack us — a self-defeating policy recently described by security expert Bruce Schneier.)

Second: You've probably already protected yourself by acting on contributing editor Woody Leonhard's Jan. 22 Top Story, which details how to patch your PC against Conficker. More recently, Susan Bradley's March 5 article explained how to prevent Windows' AutoRun function from exposing your machine to Conficker or any other malware.

Third: However many PCs are in Conficker's bot army, they won't all launch a massive attack on April 1. Instead, that's the date on which the bots will start looking for instructions. The infected machines are programmed to query several hundred domain names of possible control servers a day. It'll take weeks for most of the bots to connect (although they can cause a lot of spam or denial-of-service attacks after they do).

The biggest problem? The Conficker program (also known as Downadup and Kido) has morphed. The first two versions, Conficker.A and Conficker.B, began circulating in November 2008 and February 2009, respectively. Security researchers were able to neutralize the domain names that the worm's author would have used to send commands to the bot army. But new Conficker strains have appeared — version B++ since Feb. 20 and version C since March 4 — that bear new evils. (To add to the confusion, Microsoft refers to Conficker version B++ as C and version C as D.)

Among other things, Conficker.C adds a peer-to-peer control mechanism that will make it harder for security firms to cut the head off the network. The C variant also relies on 500,000 possible domain names as instruction servers, frustrating security groups' attempts to disable them all.

Domain-name blocking defeats many removal tips

In perhaps the worm's cruelest behavior, a computer infected with Conficker.C is prevented from accessing many security-oriented Web sites. When a user tries to get patches from, say, Microsoft or Symantec, a browser will time out, suggesting to the user that the site is down.

Conficker.C interferes with access to sites containing the following strings (as well as scores of other strings not shown here) in any portion of the URL:

antivir  ca.  cert.  conficker  f-secure  kaspersky  mcafee
microsoft  msdn.  msft.  norton  panda  safety.live  sans.
symantec  technet  trendmicro  windowsupdate

Computer Associates' security advisory 77976 lists all the strings that Conficker.C currently obstructs.

If your PC is infected, a technical trick might enable you to visit a site that Conficker is blocking. Instead of entering the site's domain name in your browser's address bar, enter the site's dotted-decimal IP address instead, which Conficker doesn't seem to interfere with. (My thanks to Woody Leonhard for his help with this tip.)

For example, Conficker might block your browser from showing the Computer Associates advisory I just mentioned. If so, you could replace the domain name shown in the first line below (www.ca.com) with the dotted-decimal IP address shown in the second line (130.119.248.144):
www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

130.119.248.144/us/securityadvisor/virusinfo/virus.aspx?id=77976

 Here's one way to learn the IP address of a Web site: using an uninfected PC, open a Firefox window and install the Show IP browser extension. With this extension enabled, the IP address of whatever site you're visiting shows up in the browser's status bar.

Of course, if you navigate to a site using its IP address and then click a link, the site will probably use a spelled-out domain name in the link. Conficker would block the resulting page, which you'd have to replace manually with its dotted-decimal equivalent.

Conficker's blocking of security sites is little-understood by most journalists. For this reason, many fix-it tips from usually reliable sources won't actually help the victims:
  • In a March 25 security article, CNET News senior writer Elinor Mills, who covers the Conficker worm, makes the following recommendations: "Computer users should apply the Microsoft patch ... " and "Microsoft has a Conficker removal tool ... "

    That sounds fine, but those recommendations won't work if the worm is controlling your PC. Conficker.C prevents access to Microsoft.com.

    In addition, the Malicious Software Removal Tool (MSRT) that Mills's article links to is not certain to remove the latest variants of Conficker. In a March 27 posting, Vincent Tui of the MS Malware Protection Center describes MSRT as having been updated on Jan. 13 to remove Conficker.A and B. There's no mention of MSRT being revised lately to remove Conficker.C.

  • A March 24 article by John D. Sutter in the technology section of CNN.com repeats a Microsoft recommendation: "Users who haven't gotten the latest Windows updates should go to http://safety.live.com if they fear they're infected."

    The Safety subdomain of Live.com is another URL that victims of Conficker.C can't visit.

  • A SANS Diary information page, updated on March 28 by researcher Andre L. to educate end users about Conficker, provides numerous links to security vendors.

    SANS is a great resource, but ordinary people who try the links on this page could become very frustrated. All of the links in the page's sections titled "Removal Instructions" and "Removal Tools" are blocked if a person's PC is infected with Conficker.C, with the exception of one domain recently created by security firm BitDefender (more on this later).
It's ironic: the only people who can access the Conficker removal tools these writers recommend are people whose PCs aren't infected with Conficker.C.

How to update your PC and remove Conficker

The following steps should prevent infection by Conficker and eliminate the worm, if your PC has it. One positive side effect is that you'll enjoy a computer with up-to-date patches:
  • Step 1. Attempt to run Microsoft Update. The Conficker worm can infect vulnerable computers merely by connecting to them remotely via the Internet. For this reason, you should first try to patch Windows before removing Conficker, lest your machine quickly become infected again. It's particularly important to install Microsoft patch 958644 (security bulletin MS08-067). This patch closes a hole in Windows' Remote Procedure Call, which Conficker exploits.

    If you can't find Microsoft Update (or the more limited Windows Update) on your PC's Start menu, visit the Microsoft Update page on the Web. Internet Explorer is required.

    Microsoft Update might complete successfully, or you might not be able to access Microsoft.com at all. In either case, do Step 2.

  • Step 2. Attempt to update your third-party security software. Having the latest antivirus signatures will help eradicate Conficker and other malware that may be lurking on your PC. Use your security software's menu to manually update to the latest defenses.

    Have no security software? Read the WS Security Baseline, which summarizes the products that are currently rated the highest by respected reviewers.

    • If your updated security software deems your PC to be cleaned up, but you couldn't previously access Microsoft.com, go back to Step 1 and run Microsoft Update.

    • If you couldn't access your security vendor's site at all, do Step 3.

    • If you finished both Steps 1 and 2 successfully, you should be able to skip Step 3 and do Step 4.

  • Step 3 (optional). Run a standalone Conficker removal tool, if need be. The Conficker Working Group — a coalition of Microsoft, Cisco, SRI, F-Secure, Kaspersky, and many other security vendors — maintains a list of certified detection and repair tools, any of which should remove Conficker. (My thanks to Susan Bradley for her help with this tip.)

    Unfortunately, most the links in the Working Group's list are inaccessible on a Conficker-infected PC. A victim can't even reach the Working Group's site, because it has in its URL the string conficker, which triggers the worm's blocking behavior.

    As I mentioned earlier, security firm BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities. This site, BDTools.net, is not currently blocked by the worm, to the best of my knowledge. The site offers three options: (a) a free online scan; (b) a free, downloadable Single PC Removal Tool for individual users; and (c) a free Network Removal Tool, an .exe file that IT admins can use to disinfect an entire LAN.

    BDTools.net: Visit BitDefender's download site.

    If you can't access BDTools.net or any other security site from your PC, find a machine that isn't infected (such as a public-access workstation at a library). Don't use a search engine to look for removal tools, some of which are bogus. Instead, download a removal tool from the Working Group's certified list onto a USB drive, and then use that drive to run the software on the infected PC.

    • After removing Conficker, if you couldn't previously complete Steps 1 and 2 successfully, go back now and finish those steps to update Windows and your security software.

    • Once you've completed Steps 1 and 2, do Step 4.

  • Step 4. Run Secunia's Software Inspector to catch missing application patches. Third-party applications, especially media players, are more likely to suffer from security holes than Windows itself is. The security firm Secunia.com offers a free scan, informing you when your PC is running an insecure version of an application that has a security patch available.

    Like BDTools.net, the Secunia Software Inspector offers three options: (a) a free online scan; (b) a free download for individual users; and (c) a LAN utility for IT admins. Unlike BDTools' network tool, which is free, Secunia's LAN product costs €5,000 (U.S. $6,500) per year and up, depending on the size of your company.

    To run Software Inspector, see Secunia's vulnerability scanning page.

    In my opinion, everyone should use Software Inspector at least once a month, right after installing Microsoft's patches the week of Patch Tuesday.

  • Step 5 (optional). Advanced users — use OpenDNS to restrict infected PCs. OpenDNS, a San Francisco–based company, provides a free, real-time service that prevents PCs from accessing phishing and hacker sites, among others. Admins of small and large LANs can use OpenDNS as a Domain Name System server.

    The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

    For details, read Dan Gookin's Register article and OpenDNS's announcement.

New instructions from the worm's author will probably make the bots disable a PC's access to BDTools, Secunia, and many other sites that were not on Conficker's original block list. Some security researchers have speculated that an update to Conficker will even prevent infected PCs from installing MS08-067.

It's best to strengthen your defenses before April 1 rather than waiting to see what bad things might happen.

No paid content; next regular newsletter April 2

News updates have no paid content. The same articles are sent to both free and paid subscribers.

The Windows Secrets Newsletter is published on the 1st through 4th Thursdays of each month, with breaks for Thanksgiving week and the last two weeks of August and December. The next full e-mail newsletter will be published on April 2.

 Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

Table of contents

    
   
ADS
Free download — update all your drivers   Free download — update all your drivers
DriverCure automatically and instantly updates all of your out-of-date drivers and software. This will result in a fully secured PC that has the latest driver and software patches. Download DriverCure now and update your entire PC in under 2 minutes!
 DriverCure

Who else wants a faster PC in only 9 min   Who else wants a faster PC in only 9 min
The exact system thousands have used to boost Internet speed, reduce startup time, cut shutdown time, and make random errors and crashes history ... you're just one click away from getting "The Internet's Best Kept Secret" free!
 PC Secret Formula

Are your computer's drivers up-to-date?   Are your computer's drivers up-to-date?
Driver Detective provides the most up-to-date drivers specific to your computer! With more than 1 million drivers, Driver Detective saves you endless hours of work and aggravation normally associated with updating drivers.
 Drivers HeadQuarters

See your ad here

    
   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Research Director: Katy Abby. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Mark Joseph Edwards, Stuart J. Johnston, Woody Leonhard, Ryan Russell, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

 HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period.  Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
 Copyright © 2009 by WindowsSecrets.com LLC. All rights reserved.

Table of contents