Conficker virus regenerates April 1st, are you protected?
by Luke Wignall - May 31st, 2009
Even my mother felt the need to inquire about the impending virus after watching the news coverage of the possible re-release of Conficker; she is asking if it's real and whether she ought to be concerned, especially as it's on April Fool's Day. Before we get into how to prevent it, I thought I might offer a great source for good information to research these sorts of events. For those that get the ridiculous mass-forwarded emails from folks telling of impending horrible viruses that will chew your "C" drive, and for those that fall for emails from banks they don't do business with, there is a site you need to be aware of: SANS Storm Center. This institute has been providing training and research on network and Internet security since 1989 and is a trusted source of real information in times like this. Snopes is good for a laugh disproving a myth; SANS is serious people doing real research.
On to the Conficker virus threat: Marcus Sachs, Director of the SANS Storm Center, reports today that as April 1st reaches the International Date Line the virus will regenerate and alter its attack/communication pattern, requiring a new anti-virus definition to detect it. What does this mean? In general terms, everything in computing forms patterns, whether a byte count confirming a file is as big as it's supposed to be, the ports (think TV channels) an application communicates on, or the way an application behaves. These patterns can be identified and a definition of them created, and that definition is then used to recognize the same thing in the future.
The problem is that viruses change intentionally to avoid such detection. This is why you must keep your anti-virus up to date and renew the subscription for these definitions annually. If you have not, then please call someone like our company to get you protected ASAP; for those wondering, we prefer Trend Micro over Symantec and McAfee. Viruses are written to attack known flaws in the software we use every day, and then to spread themselves to another computer, changing their appearance on the way. In this way they spread in the wild and accomplish whatever they were written for: usually gathering identities and credit card numbers, or simply converting your computer into a "zombie" that joins a vast network of such controlled computers, a "botnet", which pools large amounts of computing power to do other undesirable things (like send spam).
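To make the "definition" idea concrete, here is a small added example (my own illustration, not anything from SANS or Trend Micro) of how a signature scanner works and why a stale definition set misses a changed variant. The sample "files", the definition names and the byte patterns are all constructed for the example; none of it is real malware. An exact-hash definition and a fixed byte-string definition catch the original sample, the variant with a few changed bytes slips past both, and only the updated, broader definition catches the pair.

```python
import hashlib
import re

# Constructed stand-ins for an original sample, a variant that changed a few
# bytes on its way to the next machine, and an ordinary clean file.
SAMPLES = {
    "worm_v1.bin": b"MZ\x90\x00" + b"PATTERN-ALPHA-C2:update.example.invalid:4444" + b"\x00" * 16,
    "worm_v2.bin": b"MZ\x90\x00" + b"PATTERN-BETA-C2:update.example.invalid:4444" + b"\x00" * 16,
    "notes.txt": b"quarterly figures, nothing to see here",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Last year's definitions: an exact file hash and a fixed byte string.
OLD_DEFINITIONS = [
    {"name": "Worm.Example.A (hash)", "kind": "hash", "value": sha256_hex(SAMPLES["worm_v1.bin"])},
    {"name": "Worm.Example.A (bytes)", "kind": "bytes", "value": b"PATTERN-ALPHA"},
]

# Today's update adds a definition for the part the variant could not change:
# the shape of its communication pattern (label, host, port).
UPDATED_DEFINITIONS = OLD_DEFINITIONS + [
    {
        "name": "Worm.Example.gen (regex)",
        "kind": "regex",
        "value": re.compile(rb"PATTERN-[A-Z]+-C2:[\w.]+:\d+"),
    },
]


def matches(definition: dict, data: bytes) -> bool:
    """Apply one definition to one file's bytes."""
    kind, value = definition["kind"], definition["value"]
    if kind == "hash":
        return sha256_hex(data) == value
    if kind == "bytes":
        return value in data
    if kind == "regex":
        return value.search(data) is not None
    raise ValueError(f"unknown definition kind: {kind}")


def scan(samples: dict, definitions: list) -> dict:
    """Return, per file name, the list of definition names that matched."""
    return {
        name: [d["name"] for d in definitions if matches(d, data)]
        for name, data in samples.items()
    }


def detected(samples: dict, definitions: list) -> set:
    """The set of file names flagged by at least one definition."""
    return {name for name, hits in scan(samples, definitions).items() if hits}


if __name__ == "__main__":
    for label, defs in (("old definitions", OLD_DEFINITIONS), ("updated definitions", UPDATED_DEFINITIONS)):
        print(label)
        for name, hits in scan(SAMPLES, defs).items():
            print(f"  {name}: {hits or 'clean'}")
```

Run it and the old definitions flag only worm_v1.bin; the updated set flags both variants and still leaves notes.txt alone. That gap between the two runs is exactly what an expired anti-virus subscription looks like in practice.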
So how do we prevent this from happening? Sachs goes on to remind everyone that the answer has not changed:
"As always, we want to remind our readers that if you are doing what everybody considers to be best business practices (firewalls, unneeded services turned off, systems patched, current antivirus software, user education and awareness, good policies, an incident detection and response mechanism, etc.) then you have very little to worry about."
To repeat: by updating your Windows operating system (and keeping it up to date on service packs and patches) you are closing the flaws they are attacking in the first place. Then, having an anti-virus solution inside your network as one line of defense, covering both files and email, and possibly one more at the firewall, gives you the means to catch and prevent, or at least control, any infection. Additionally, on the firewall, having something that provides more than port filtering is critical. This means stateful inspection (is the information coming in really in response to a request you made, or an unsolicited probe?) and deep packet inspection are required. The firewall needs to be powerful enough to open every data packet, as it were, and confirm that what is in it is what was expected and is safe. Keep in mind, if your business or personal information is only worth $150, then go buy a firewall worth that much; if on the other hand it's worth much more, then take the time to learn about and purchase a commercial-grade firewall. We are big fans of Juniper; check out an SSG-5 (there is even a model with wireless, but that is a whole different topic).
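Here is an added example (my own toy, not Juniper's code or anything from the SSG-5) of the two firewall ideas above: stateful inspection, which only lets a packet in if it is the reverse of a connection we opened, and a deep-packet-inspection check, which opens the payload and confirms that traffic on port 80 actually looks like HTTP. The addresses come from the RFC 5737 documentation ranges and the packets are constructed for the demo; the class and function names are mine.

```python
import ipaddress
from dataclasses import dataclass

# Constructed LAN behind the firewall (RFC 5737 documentation range).
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the first packet of a TCP connection
    payload: bytes = b""

    @property
    def outbound(self) -> bool:
        return ipaddress.ip_address(self.src) in INSIDE_NET


def http_looks_right(pkt: Packet) -> bool:
    """Deep packet inspection stand-in: on port 80, does the payload look like HTTP?"""
    if not pkt.payload:
        return True                       # a bare SYN or ACK carries nothing to inspect
    if pkt.dport == 80:                   # our request going out
        return pkt.payload.startswith(HTTP_METHODS)
    if pkt.sport == 80:                   # the server's reply coming back in
        return pkt.payload.startswith(b"HTTP/")
    return True                           # not port 80, this toy has no rule for it


class StatefulFirewall:
    def __init__(self, dpi: bool = True):
        self.dpi = dpi
        self.flows = set()   # (inside ip, inside port, outside ip, outside port)

    def decide(self, pkt: Packet):
        """Return (verdict, reason) for one packet, updating the flow table."""
        if pkt.outbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.flows.add(key)       # remember that *we* started this connection
            elif key not in self.flows:
                return ("DROP", "outbound packet for a flow we never opened")
            if self.dpi and not http_looks_right(pkt):
                return ("DROP", "dpi: outbound payload is not HTTP on port 80")
            return ("ALLOW", "new outbound flow" if pkt.syn else "existing flow")
        # Inbound: accepted only if it is the reverse of a flow we opened.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return ("DROP", "unsolicited inbound probe")
        if self.dpi and not http_looks_right(pkt):
            return ("DROP", "dpi: inbound payload is not an HTTP response")
        return ("ALLOW", "reply to a request we made")


def run(packets, dpi: bool = True):
    """Feed a packet sequence through a fresh firewall and collect the verdicts."""
    fw = StatefulFirewall(dpi=dpi)
    return [fw.decide(p) for p in packets]


# Constructed traffic: our web request, its reply, an unsolicited probe from
# outside, a "reply" whose payload is not HTTP, and a reply from the wrong port.
DEMO_PACKETS = [
    Packet("192.0.2.10", 51000, "198.51.100.7", 80, syn=True),
    Packet("198.51.100.7", 80, "192.0.2.10", 51000, payload=b"HTTP/1.1 200 OK\r\n"),
    Packet("203.0.113.9", 4444, "192.0.2.10", 445, syn=True),
    Packet("198.51.100.7", 80, "192.0.2.10", 51000, payload=b"\x00\x01\x02 not http at all"),
    Packet("198.51.100.7", 81, "192.0.2.10", 51000, payload=b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(DEMO_PACKETS, run(DEMO_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {verdict} ({why})")
```

A plain port filter would pass packets 1, 2 and 4 because port 80 is "open"; the flow table is what drops the probe in packet 3 and the spoofed reply in packet 5, and only the payload check catches packet 4. Running with `dpi=False` shows the difference: packet 4 is then allowed through.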
The last and most effective is something you can't buy off a shelf: user education. Remind users that email-transported viruses typically come from someone they know. Why? Because that person's email client is infected and the virus is using their contact list, and you are on that list. Make sure they are aware that web-hunting viruses can infect any unprotected website and lurk until you land on it while browsing. Some simply sit on a site that is a common mis-type of a popular site, goggle.com instead of google.com (which was a nasty piece of spyware). If you did not mean to land on a site and something pops up, DO NOT CLICK ON THE POP-UP. Instead, right-click on the box in the task bar across the bottom of your screen and select Close. If you are really concerned, then unplug your network connection and sort out what is happening.
For our customers on Technology Management, or TM as we call it, you should be at the appropriate definition level with recent patches applied, but that said, you will hear from us over the next 24 hours as we check this and apply any updates released during this event. For those also on Monitoring, we will be keeping an eye on various thresholds to be sure all is well. For our On Call customers, please call us now to schedule a visit to get patches applied and definitions updated. If you are not confident in your anti-virus or firewall solution, we can offer answers and get them deployed quickly. In any case, please feel free to call us (303-831-1101) or email helpdesk@ck-tek.com if you suspect anything or have any concerns! We have a page from Trend Micro, to which we have added our own information, that provides detailed information and removal tips for home users; to see it click here:
CKT/Trend Virus site!
It seems like every time we get called out to remove a virus the story is essentially the same: "I always postponed updates because they take so long", or "one blew up my computer so I never did it again." Worse are the ones that in hindsight seem so obvious: "not sure, it popped up and seemed important so I clicked on it". Always be careful, always be patched, always be protected, and use common sense. When something seems odd, trust that it is and take time to figure it out. When in doubt, call someone who REALLY does know a thing or two about computers and get their assistance. The money spent on their time may save you a total loss of data, the time and money of reinstalling your system, and sometimes the worst of all, the embarrassment of explaining to clients or family or friends why you sent them a virus. Be safe!
- Luke Wignall