Conficker, also known as Downup, Downadup and Kido, is a worm that targets the Microsoft Windows operating system and was first discovered in November 2008. It exploits flaws in Windows software to take control of computers and link them together into a remotely controlled network run by the person behind it. The worm infects a computer and then spreads to other machines on the network with no human intervention. In this way Conficker became one of the largest computer worm attacks.
The worm also spreads through file sharing and through removable media such as USB drives. It copies files onto the drive, and when the drive is opened on a computer the AutoPlay dialog box shows an extra option; once a user selects that option the worm executes and can then spread to other machines. It can also disable essential functions on the machine. Many variants of the worm have been discovered to date: Win32/Conficker.A and Win32/Conficker.B were reported at the end of 2008, while Win32/Conficker.C, Win32/Conficker.D and Win32/Conficker.E were reported more recently, around April 2009.
The worm was removed by ensuring that Microsoft's out-of-band patch was installed to close the vulnerability. Microsoft also advised using the current Windows Malicious Software Removal Tool to eradicate the worm. Network administrators used the blocklist offered by F-Secure and in this way stopped the worm from attacking the websites. The United States Computer Emergency Readiness Team (US-CERT) ensured that the autorun feature was disabled in order to protect computers from infected USB drives. US-CERT also developed a network-based tool to identify Conficker infections in national and state organizations. Various antivirus vendors, including McAfee, Panda Security, BitDefender, ESET, F-Secure, Kaspersky Lab and Sophos, helped with detection tools that removed the worm.
In 2009, Felix Leder and Tillman Werner of the Honeynet Project found that Conficker-infected hosts carry a noticeable signature when inspected remotely. They also found that variants D and E of the worm could be partly reverse-engineered, which gave researchers the opportunity to imitate the worm network's command packets and thereby identify infected machines in bulk. Signature data for various network inspection tools such as Nmap and Nessus is available. The worm could also be detected in its dormant form by checking broadcast domains for repetitive ARP requests (Markoff).
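The ARP-based detection mentioned above, as an added example that is not from the Honeynet Project or any tool the text names: it flags hosts that ARP-request an unusually large number of distinct neighbours within a short window, the sweeping pattern that distinguishes a host probing its broadcast domain from a normal host that only asks for its gateway. The log format, the sample data and the thresholds are assumptions.

```python
"""Flag hosts whose ARP requests look like a sweep of the broadcast domain.
Added example; the log format and thresholds are assumptions, not a real tool."""
from collections import defaultdict

# Constructed sample log, one ARP request per line: "<seconds> <sender_ip> <target_ip>".
# 10.0.0.5 asks for forty different neighbours in forty seconds;
# 10.0.0.9 only asks for its gateway a few times, which is normal behaviour.
SAMPLE_ARP_LOG = "\n".join(
    [f"{t} 10.0.0.5 10.0.0.{100 + t}" for t in range(40)]
    + [f"{t * 15} 10.0.0.9 10.0.0.1" for t in range(4)]
)


def parse_arp_log(text):
    """Turn the constructed log into sorted (timestamp, sender, target) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, target = line.split()
            events.append((int(ts), sender, target))
    return sorted(events)


def find_arp_sweepers(events, window_s=60, min_targets=20):
    """Return {sender: peak distinct targets} for every sender that requested
    at least min_targets distinct IPs inside some window_s-second window."""
    per_sender = defaultdict(list)
    for ts, sender, target in events:
        per_sender[sender].append((ts, target))
    suspects = {}
    for sender, reqs in per_sender.items():
        in_window = defaultdict(int)  # target -> requests inside the sliding window
        start = 0
        for ts, target in reqs:
            in_window[target] += 1
            while ts - reqs[start][0] > window_s:  # drop requests that fell out of the window
                old = reqs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                suspects[sender] = max(suspects.get(sender, 0), len(in_window))
    return suspects


if __name__ == "__main__":
    for host, peak in find_arp_sweepers(parse_arp_log(SAMPLE_ARP_LOG)).items():
        print(f"{host}: {peak} distinct ARP targets within 60 s, worth investigating")
```

The thresholds should be tuned per segment: a host that legitimately talks to many neighbours (a monitoring server, a DHCP server) will need a higher `min_targets` or an allow-list.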
Conficker caused a great deal of damage to computers and networks in many countries. Research showed that by January 2009 the estimated number of machines infected by Conficker ranged from 9 million to 15 million. In Europe, the French Navy's computer network was attacked by Conficker on 15 January 2009; the network was consequently isolated, and aircraft at several airbases were unable to operate because flight procedures could not be carried out. The United Kingdom Ministry of Defence reported that its main systems and desktops were under attack, and the worm had spread across administrative offices and Royal Navy warships and submarines; hospitals in Sheffield reported that many of their computers were infected. In February of the same year the Bundeswehr, the armed forces of the Federal Republic of Germany, reported that around a hundred of its computers were under attack. Manchester City Council reported losses of over 1.5 million pounds in its IT system.
Recovering from the worm and searching for the culprits cost a great deal of money. By 13 February 2009, Microsoft was offering a reward of 250,000 US dollars to anyone with information that could lead to the arrest of those behind the worm. In 2009, Working Group members stated that Ukraine could be the place where the worm originated, but no further details were given for fear that the culprits would go into hiding. Money is still being spent to catch those responsible, since it has been hard to establish where the worm was created.
Companies should have adopted strong password strategies together with current security updates for their computers. This means changing passwords often and, in most cases, using complex passwords for the system. Companies and individuals should have used special characters and numbers and avoided simple words. They should have used different passwords on different websites, and very long passwords especially on sites that hold sensitive information such as bank accounts or credit cards. Companies could also have used a password management system such as Identity Safe, which keeps track of passwords and fills in forms automatically. Individuals should make sure their computers have no open shares, to avoid being infected.
The worm targets computers that have not received the approved updates for desktops and servers on the network. A firewall is expected to protect personal computers, and this should have been enforced. Regularly updated antivirus software should have been installed so that the worm could not reach the computers. Those without a genuine version of Windows were worst affected, because counterfeit copies of the system cannot obtain updates and patches from Microsoft. Individuals should also avoid the free security scans that appear on many websites, since they are often counterfeit; these scans infect the computer as they execute without the user's knowledge. Individuals should also disable the autorun options that appear when opening USB drives, which would have prevented this infection.
Works Cited
Markoff, John. "Computer Experts Unite to Hunt Worm." The New York Times, 2009. Web.