TechPublishing Now MS Certified

TechPublishing Now MS Certified
Professor Robert McMillen, MBA Microsoft Certified Trainer and Solutions Expert

Saturday, April 7, 2012

Don’t be Fooled. Conficker is Just Getting Started

Don’t be Fooled. Conficker is Just Getting Started

Don’t be Fooled. Conficker is Just Getting Started
By Robert McMillen- Koin’s Tech Guru
Last week, the big hoopla about Conficker (aka Downadup) activating on April 1st was thought to be a dud. Reverse engineering showed that something was going to happen on that day, and some people said the virus was going to activate while others said it may be Y2K all over again. Conficker is no dud, and it’s just gaining momentum while the world media feeding frenzy has just been diverted elsewhere. Read on and I will explain what did happen on 4/1/09. In Paul Harvey’s absence, I will tell you the rest of the story.
On 3/30/09, Symantec Corp. warned that all the searching for solutions in Google and other search engines for the repair tool to fix Conficker was causing people to be directed to sites that were really agents for spreading other viruses just by visiting the infected site. That would be an indirect, although powerful, casualty to the Conficker tale.
However, the real story is that the Conficker.C worm continues to spread throughout the world through many un-patched computers helped along by (strangely enough) Microsoft. Because of the “Windows Genuine Advantage” program, computers that have an illegal copy of Windows are unable to get updates that secure their computers. The computers that are infected can’t get updates and they are the ones that will attack us worldwide (an estimated 10-20 million so far). Although Microsoft does make certain patches available without WGA, the people who would normally get a hacked copy of Windows by unscrupulous resellers aren’t going to know enough to get the patches (in most cases).
CNET.com (a division of CBS) is speculating that the Chinese government was behind Conficker and is using it as a test bed for cyber warfare. The code embedded in the virus is proving that to be a real possibility.
Another interesting fact is that the IP addresses of the Ukraine are the only ones not on Conficker’s attack list. That leads me to think of the possibility that China either hired or duped people in the Ukraine to host the mother ship that will ultimately control the attack.
So what did happen on April 1st? A lot more than you think. Up until that day, the virus was generating a list of website addresses to contact the attacking computer in the amount of 250 per day. After April 1st the list went to 50,000 per day. That can be really confusing. I remember trying to explain this to my wife and my sister while we were out to dinner on Saturday night, and their eyes glazed over like drizzle on a pound cake until I got to the end of the story. Just hang in there while I do my best to explain.
First, the virus got released into the wild last October. This is referenced now as Conficker.A. It spread by USB and CDs inserted into Windows computers and launched during the Autorun feature. People installed the virus without realizing it. Turning off Autorun became the single most important task of any IT administrator. It then spread by seeking out other computers in the network that have weak passwords.
Conficker.B got released a couple of months later. As long as you have your computer up to date with Windows Updates, then you’re considered safe. If not, you need to eradicate the virus through an antivirus or virus removal tool. Still, nothing happens to your computer other than blocking Windows updates and antivirus websites.
Conficker.C started popping up in February. It spread the same way and the fix was the same, but it was tweaked just enough to cause antivirus companies headaches as they came up with another patch.
There was a mathematical equation in the virus. On every infected computer, it started to look for the mother ship computer to tell it what to attack. The equation caused a random generator to look for 250 different websites every day until April 1st. Governments started to coordinate blocking those addresses. The infected computers had no way of connecting to the mother ship using one of those addresses. Thanks to the coordinated effort there was no way for the mother ship to launch the attack.
Some people who were able to reverse engineer parts of the virus realized something big was going to happen on April 1st, but they weren’t sure what that would be. The media perked up its attention after CBS 60 Minutes devoted a lot of time to exposing the virus.
April 1st came and went, and people thought nothing happened, but the virus became a larger threat because it had changed from looking for the mother ship computer on 250 websites, to 50,000 different websites every day. There’s now no way that governments and security experts can block this many websites without knowing the mathematical equation to which site will be used to coordinate the attack. For now, we have lost.
Going forward, Conficker.C can use these millions of infected computers to attack in any way it chooses. Your computer may be safe from attack if your Windows updates and antivirus patches are up to date, but that doesn’t mean you won’t be affected when these millions of computers decide to coordinate an attack. Register.com went down on April 1st and continues to have problems. Although it was thought to be Conficker, it wasn’t, but it does go to show you that even a small amount of zombie computers can bring down many large websites at once any time they want.
How can we keep this from happening indefinitely? For Pete’s sake, this gets worse every year! There is one hope and that is the switch from the antiquated IPV4 to IPV6. We are expected to make that change in 2-3 years when we run out of the paltry four billion IP addresses the world now shares. The new version will give us trillions of addresses and have built in protections against these types of attacks that we currently don’t have with IPV4. Unlike the metric system, which we were never forced to adopt (sorry President Carter), IPV4 will be more easily retired because internet service providers will jack up the rate to not switch, according to many experts.
We will have several more attacks and spotty internet outages until then, and maybe the big one, Conficker.C, will push us there even faster. It sure isn't over yet. The ride is almost at the top of the hill. I hear the chain clattering against the cart as it struggles on the rusty internet rails. Conficker and other viruses are waiting for us at the bottom. Baring their teeth and looking hungry.
For more great tips, check back here and listen to me on the All Tech Radio show at 9:00 Sunday mornings on AM 1360 KUIK and at 10 AM in Seattle on KOL, or listen online at http://alltechradio.com.
If you would like your technical question answered here, just email rmcmillen@koin.com. Even if it doesn’t get answered in the column, I will always answer by email.

Published Tuesday, April 07, 2009 3:53 PM by Devereux