Tech Tuesday: Conficker computer virus could strike again
From Information Resources and Technologies
A malicious software worm, known as either "Conficker" or "Downadup," had been circulating on computer networks for several months before it found its way into the UST domain on March 17.
Sophos anti-virus consoles on local PCs began detecting and reporting files infected with Conficker last Tuesday. Although the worm spread fairly quickly, it was kept from affecting large segments of the UST network by Sophos and by a patching effort that IRT Client Services carried out in January.
Although the expected outcomes of Conficker are unknown, IRT is taking several proactive steps to stay ahead of any potential outbreak. Since the initial reports of the worm hitting campus on March 17, IRT has run the Microsoft Malicious Software Removal Tool on all Windows machines joined to the UST domain, and has set up a Web site with information on what faculty, staff and students can do to protect their personally owned computers.
Conficker spreads across a network through shared folders, USB drives and direct connections from already-infected machines, and it exploits weak passwords on user accounts. On campus, infected machines tried to log in to the UST domain using the NetID information stored on those machines while "guessing" the passwords.
Although the repeated failed logon attempts caused accounts to be locked out, every attempt was recorded in the domain controller logs, and those records allowed IRT administrators to zero in on which PCs were infected. Once a machine was identified as infected, it was shut down remotely and then manually inspected and cleaned by IRT staff.
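The triage IRT describes above, locating infected PCs by the trail of failed domain logons they leave, is easy to automate. The script below is an added example written for this article, not IRT's own tooling. It runs over a constructed, simplified export of domain controller logon events (the line layout and the machine and account names are assumptions made for the example, not a real Windows event format) and flags source workstations whose failures look like a worm guessing passwords rather than a user mistyping one: many failures spread across several different accounts from the same machine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a domain-controller security-log export. The layout
# (timestamp, event type, account, workstation, source IP) and all names are
# assumptions made for this example, not the format or data IRT actually used.
SAMPLE_LOG = """\
2009-03-17 09:01:12 FAILED_LOGON account=jsmith workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:13 FAILED_LOGON account=jsmith workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:14 FAILED_LOGON account=jsmith workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:15 FAILED_LOGON account=jsmith workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:16 FAILED_LOGON account=jsmith workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:17 LOCKOUT account=jsmith workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:18 FAILED_LOGON account=mlee workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:19 FAILED_LOGON account=mlee workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:20 FAILED_LOGON account=rkhan workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:21 FAILED_LOGON account=rkhan workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:01:22 FAILED_LOGON account=apark workstation=LAB-PC-07 ip=10.0.5.17
2009-03-17 09:02:30 FAILED_LOGON account=dwong workstation=OFFICE-PC-02 ip=10.0.8.40
2009-03-17 09:02:41 FAILED_LOGON account=dwong workstation=OFFICE-PC-02 ip=10.0.8.40
2009-03-17 09:03:05 SUCCESS_LOGON account=dwong workstation=OFFICE-PC-02 ip=10.0.8.40
2009-03-17 09:04:00 FAILED_LOGON account=jsmith workstation=LIB-PC-11 ip=10.0.6.22
2009-03-17 09:04:01 FAILED_LOGON account=tnguyen workstation=LIB-PC-11 ip=10.0.6.22
2009-03-17 09:04:02 FAILED_LOGON account=tnguyen workstation=LIB-PC-11 ip=10.0.6.22
2009-03-17 09:04:03 FAILED_LOGON account=bcole workstation=LIB-PC-11 ip=10.0.6.22
"""

# One logon event per line; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\S+) account=(?P<account>\S+) "
    r"workstation=(?P<workstation>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the export into a list of dicts with ts/event/account/workstation/ip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_by_workstation(events):
    """Per source workstation: (number of failed logons, number of distinct accounts tried)."""
    failures = Counter()
    accounts = defaultdict(set)
    for ev in events:
        if ev["event"] == "FAILED_LOGON":
            failures[ev["workstation"]] += 1
            accounts[ev["workstation"]].add(ev["account"])
    return {ws: (failures[ws], len(accounts[ws])) for ws in failures}


def suspect_workstations(events, min_failures=4, min_accounts=3):
    """Workstations whose failure pattern looks like password guessing.

    A user who fat-fingers a password fails a few times against one account and
    then succeeds; a worm fails many times against several accounts from the same
    machine. Both thresholds are assumptions for this example and should be tuned
    to the environment's lockout policy."""
    stats = failures_by_workstation(events)
    return sorted(
        ws for ws, (n_fail, n_acct) in stats.items()
        if n_fail >= min_failures and n_acct >= min_accounts
    )


def locked_out_accounts(events):
    """Accounts the domain controller reported as locked out."""
    return sorted({ev["account"] for ev in events if ev["event"] == "LOCKOUT"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ws, (n_fail, n_acct) in sorted(failures_by_workstation(evs).items()):
        print(f"{ws}: {n_fail} failed logons across {n_acct} account(s)")
    print("suspect workstations:", suspect_workstations(evs))
    print("locked-out accounts:", locked_out_accounts(evs))
```

On the sample, LAB-PC-07 and LIB-PC-11 are flagged while OFFICE-PC-02 (two failures for one account followed by a successful logon) is not; the flagged hostnames are the machines to pull off the network and inspect. In practice the same logic would be fed by the domain controllers' security event logs rather than a text export, and the source workstation name or IP is the field that matters, since the target accounts belong to victims, not to the infected host.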
"By and large," said Craig Grabitske, Client Services CORE team member, "the network performed very well. Our efforts to install the preventive patch on local desktops and central systems servers in January combined with Sophos to keep the vast majority of machines from being infected."
Although the ultimate goal of Conficker is not known at this point, the threat has not necessarily passed. According to an article on CNN.com, code in a newer variant of Conficker indicates that the worm will become active on April 1, 2009. Previous variants of Conficker also activated on specific dates written into the program code, so the April Fools' Day date is considered a legitimate concern.
"At this point," Grabitske said, "it’s really hard to know what to plan for on April 1 because no one seems to know what Conficker is up to. We will continue to keep a very close eye on things and take action when necessary to protect the network."
If the network begins to show signs of a Conficker outbreak, IRT again will shut down infected machines to help prevent them from spreading the infection, and will keep the campus community informed of developments via Bulletin Today Updates and the "alerts" section of the IRT Web site.



