By Dennis O’Reilly

Conficker is a nasty worm whose design demonstrates a level of sophistication beyond that of your everyday, run-of-the-mill malware.
Fortunately for those of us who keep our Windows systems up-to-date, the odds of being infected with Conficker are minuscule.
WS editorial director Brian Livingston prepared a news update on Conficker that was published March 30. He cited figures from security firm SRI International showing that 54% of machines infected with the worm are in China, Russia, India, Brazil, and Argentina. Many people in those countries have been sold unlicensed copies of Windows and, for whatever reason (as discussed below), don’t receive Windows updates, leaving their machines vulnerable.
To be on the safe side, you can test for and remove the worm by using the directions in Brian’s article. If you didn’t scan for the worm before April 1, don’t worry too much. That’s merely the date on which infected systems were scheduled to start checking various Web servers for further instructions. Security analysts don’t expect the worm to do any significant damage immediately.
By the way, our news update received the third-highest rating of any WS story in the past 12 months — 4.42 out of a possible 5 points, according to more than 1,000 readers who voted in our poll. Bravo, Brian!
After Brian’s Conficker piece appeared, Microsoft spokeswoman Jill Lovato wrote to say one of his points was inaccurate:
- “I just saw your post, ‘Run a Conficker removal tool before April 1,’ and wanted to clarify a few things I think you may have been confused about.
“In the first section, you say:
Microsoft doesn’t provide all its patches to unlicensed copies of Windows, leaving the vulnerable machines free to attack us — a self-defeating policy recently described by security expert Bruce Schneier.
“This is actually not accurate — Microsoft issues security fixes via Windows Update to all Windows systems, regardless of whether or not that system is genuine.
“Also, the information you reference from Schneier is from 2005 and is no longer accurate. Here is a TechNet article that addresses Conficker and gives details on how PC users can protect themselves.”
- “It’s ridiculous to say that Microsoft provides all security updates to Windows users, whether or not they pass Windows Genuine Advantage (WGA) validation. No, Microsoft doesn’t.
“First of all, a system that fails WGA is restricted in using Microsoft’s update and download sites, as described in the Genuine Microsoft Software FAQ:
Q: How does WGA validation work?
A: … Upon their first visit to the Microsoft Download Center, Windows Update, or Microsoft Update, users will receive a message requiring them to validate their Windows.
“WGA has a reputation for rating some PCs as unlicensed when in fact they’re completely legitimate. For this reason, many people exit Windows Update at this point and turn off Automatic Updates (if it was enabled) rather than risk disabling their expensive computers.
“WGA’s bad rep comes from Microsoft’s own policies. The original version of Windows Vista includes a ‘kill switch’ (officially called ‘reduced functionality mode’), which is triggered in certain conditions.
“Under some conditions — such as if WGA validation fails — the Start menu and desktop icons are hidden, and nothing works except the default browser (so users can buy another license). After 60 minutes, the machine is completely logged off, as explained in a Computerworld article and its continuation. This punitive policy was not changed until Vista Service Pack 1 appeared.
“According to an Ars Technica analysis in January 2007, a minimum of five million users worldwide, and probably millions more, have received false ‘nongenuine’ ratings from WGA. As a result, Microsoft has lost many consumers’ faith in the auto-update process, because people hear tales that using Windows Update can cripple a PC.
“If a user doesn’t pass WGA validation or doesn’t wish to risk testing for it, Microsoft does not permit all security updates to be installed. Only those updates that Microsoft rates as “Critical” are presented. This is explained by Microsoft in its Description of Windows Genuine Advantage (emphasis added):
If you have a genuine copy of Windows but decide not to complete the validation process, you can still obtain CRITICAL software updates by using the Automatic Updates feature.
“The trick is that many security updates are rated by Microsoft as only ‘Important’ or ‘Moderate.’ But these updates can be just as essential to users as ones rated ‘Critical,’ because the ratings are often questionable.
“For example, the WGA download itself, titled KB905474, was described as a ‘critical security update’ from the first day it appeared in 2006, despite the fact that WGA is a marketing effort, not a security update at all.
“In addition, users who fail or never attempt WGA validation are restricted by Microsoft from receiving security software other than patches. For example, validation is required to use the download page for Windows Defender, a free security program. Microsoft says this app protects PCs against ‘security threats caused by spyware and other potentially unwanted software.’ The download page clearly states:
This download is available to customers running genuine Microsoft Windows … Windows Vista users must pass Microsoft Genuine validation requirements …
“Regarding Bruce Schneier, I searched his site and didn’t find any sign that he’s changed his view of Windows Genuine Advantage since his last post on the subject.
“Finally, linking to Microsoft’s TechNet article, which recommends running the Malicious Software Removal Tool (MSRT) to eliminate Conficker, is pointless. As I reported, Microsoft’s own Malware Protection Center stated on March 27 only that MSRT removes Conficker versions A and B. There’s nothing about MSRT removing the latest Conficker builds (variously described as C or D).
“After I wrote that, a Microsoft source, whom I can’t identify, has said variants later than B could be detected if MSRT’s mrt.exe file is first renamed. Otherwise, Conficker kills the process. Most end users would never think of this, so MSRT for now should not be considered an up-to-date solution.
“I didn’t say Microsoft doesn’t permit non-WGA users to get any security patches. I wrote, ‘Microsoft doesn’t provide all its patches to unlicensed copies of Windows.’ It’s certainly true that the company doesn’t provide all its security patches, much less all its various patches, to people who don’t run WGA validation. I stand by this statement.
“I urge Microsoft to immediately start delivering all updates — of every kind — to users who are running any copy of Windows, whether or not it validates. Pirate profiteers should be thrown in jail, and Microsoft has a right to prosecute them. But our legitimate computers are the ones that unpatched users’ computers attack. Microsoft has no excuse for not updating every system.”
We received tremendous response to Ryan Russell’s request in the March 26 Top Story to send us your recommendations for products to test for our next update to the Security Baseline. We’re still compiling the results (and Ryan’s still digging out of his inbox), but reader Mark Broge’s experience illustrates the dangers of relying on any single security product:
- “Ryan, as a victim of a nasty Win32:Vitro infection, I read your latest article with great interest. This virus has wreaked havoc on my home PC, and there seems to be very little information [about it].
“This nasty piece of code not only evaded AVG’s free edition, but wrecked it completely. I had installed Windows XP SP2 on a freshly formatted system partition, installed AVG immediately after SP2, and within a few days the virus had come back in full force. Now, following a second system partition format and Windows install, Avast Antivirus Free has been able to prevent reinfection.
“I rarely see Avast mentioned, but I’ve had great experience with it. In researching Win32:Vitro, it appears that the major players — Symantec and McAfee — are either behind in detection or don’t detect this at all. As I noted, AVG also didn’t.
“I would be very interested in hearing other readers’ or your own perspective on Avast’s software. I’ve found it to be extremely light on system resources and also extremely effective.”
Mark Broge will receive a gift certificate for a book, CD, or DVD of his choice for sending a tip we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.