The last few weeks have seen a lot of press about the Conficker worm. I do not recall any other virus in the last 5 years that has received the amount of publicity this one has.
What makes this particular worm family so special? I think there are two possible explanations for its rising fame.
Firstly, the current financial downturn is affecting antivirus and security software vendors' bottom lines, not to mention a growing trend for home and small business users trying to save money by using free antivirus products. So, to try and soften the damage, they are talking up the Conficker worm and trying to get businesses to switch vendors or upgrade the products that they do have.
The second reason is that this virus/worm is unique and warrants very close inspection of your vulnerability to it. However, worm_downad.ad, Trend Micro's name for the Conficker worm, did cause some trouble, and may have forced more complacent organizations to rapidly upgrade to the latest service packs and patches.
But the fact that a virus exploited Microsoft Windows vulnerabilities is not particularly unique.
Worm_downad.kk and worm_downad.E have gone largely unnoticed. I have not seen either show up yet.
So, if you got caught by the .AD variant you would more than likely have dealt with the vulnerabilities and updated the security software you use. As it stands then, you are completely safe, for now.
The one thing the Conficker worm does well is attempt to spread using several mechanisms, including an RPC vulnerability, file shares, USB autorun, etc. Once infected, you will not be able to run Windows Update, reach antivirus vendor sites, and more.
If you want a quick way to find infected machines remotely, check to see whether the Windows Update and BITS services have been disabled. It is really quite easy to write a WMI script to do this.
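As an added example (not from the original post), here is one way to do that check in PowerShell using the WMI Win32_Service class: it queries each host for the Windows Update service (wuauserv) and BITS and flags any where the start mode is Disabled. The computer names are hypothetical placeholders; the account running the script needs WMI access to the remote hosts.

```powershell
# Added example: remotely query Win32_Service over WMI for the Windows Update
# (wuauserv) and BITS services and flag hosts where either has been disabled.
# The computer names below are constructed placeholders, not real hosts.
$computers = @('WKS-001', 'WKS-002', 'SRV-FILE01')

foreach ($computer in $computers) {
    try {
        # WQL filter keeps the query to just the two services of interest.
        # StartMode is Auto/Manual/Disabled; State is Running/Stopped.
        $services = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                    -Filter "Name='wuauserv' OR Name='BITS'" -ErrorAction Stop
    } catch {
        # A host that cannot be queried deserves a closer look in its own right.
        Write-Warning "$computer : WMI query failed ($($_.Exception.Message))"
        continue
    }

    if (-not $services) {
        Write-Warning "$computer : neither service was returned by WMI"
        continue
    }

    foreach ($svc in $services) {
        $flag = if ($svc.StartMode -eq 'Disabled') { 'SUSPECT' } else { 'ok' }
        '{0,-12} {1,-9} StartMode={2,-9} State={3,-8} {4}' -f `
            $computer, $svc.Name, $svc.StartMode, $svc.State, $flag
    }
}
```

A disabled start mode on these two services is an indicator, not proof of infection, since an administrator may have disabled them deliberately; treat any SUSPECT line as a prompt for an up-to-date antivirus scan of that machine rather than a verdict.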
How will the next variant of Conficker affect us? If new exploits are discovered and adapted into the code of the worm, then you may need to re-assess your environment's patch and security levels. But for now no one can really say. You can avoid the issue completely by updating your antivirus protection software, applying security patches and monitoring your environment for unusual behavior.
Don't stress about it though; life goes on.


May 6th, 2009
I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.