Last Updated: 2009-04-01 16:46:56 UTC
by Marcus Sachs (Version: 3)
UPDATE 1: Nothing significant to report (yet). We had several readers contact us over the past 24 hours with some minor impact but so far no reports of anything newsworthy. Many organizations have been proactive about scanning their systems and finding either unpatched or Conficker-infected computers that were subsequently removed for repair. One reader reported that there might have been some impact on a domain controller due to Conficker brute-force password cracking efforts. The Conficker Working Group (www.confickerworkinggroup.org) is working overtime to contact owners of netblocks that show signs of Conficker infections. Their website has been unavailable at times due to lots of interest, which I suppose is a good thing. If you are patient it will eventually load. Insecure.org also suffered DoS conditions for a while when the updated nmap version was released. Overall, this exercise has raised a lot of awareness and it's been a good opportunity for organizations to review their patching and compliance procedures. It's also a good reason to search for and protect any embedded systems running older versions of Windows that cannot be easily updated or replaced.
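The reader report above about a domain controller suffering under Conficker's password guessing is worth turning into a check. Conficker spreads to network shares by trying a list of common passwords against accounts on neighbouring machines, so the tell-tale pattern on a domain controller is one source host generating failed logons against many different accounts in a short time. The script below is an added example written for this diary entry, not code from the ISC or the Conficker Working Group; it runs over constructed sample records in a simplified `timestamp|event_id|account|source` layout (not the native Windows Security log format), and the event IDs it treats as failures, 529 (Windows 2000/2003) and 4625 (Windows 2008), are the real failed-logon IDs while the five-account/five-minute threshold is an assumed tuning value.

```python
"""
Added example (not from the ISC diary): flag source hosts whose failed logons
span many distinct accounts in a short window, the pattern Conficker's
share-spreading password guessing leaves on a domain controller.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line: timestamp|event_id|account|source.
# This is a simplified layout, NOT the native Windows Security log format; a
# real deployment would extract the same fields from event 529 (Windows 2003)
# or 4625 (Windows 2008). 528 is a successful logon and is ignored.
SAMPLE_LOG = """\
2009-04-01T02:00:01|529|administrator|10.0.5.17
2009-04-01T02:00:01|529|backup|10.0.5.17
2009-04-01T02:00:02|529|jsmith|10.0.5.17
2009-04-01T02:00:02|529|mjones|10.0.5.17
2009-04-01T02:00:03|529|svc_sql|10.0.5.17
2009-04-01T02:00:03|529|Administrator|10.0.5.17
2009-04-01T02:00:04|529|guest|10.0.5.17
2009-04-01T02:00:04|529|helpdesk|10.0.5.17
2009-04-01T02:10:00|529|jsmith|10.0.7.3
2009-04-01T02:10:30|529|jsmith|10.0.7.3
2009-04-01T02:11:00|528|jsmith|10.0.7.3
"""

FAILED_LOGON_IDS = (529, 4625)   # real Windows event IDs for failed logons


def parse(log_text):
    """Parse the simplified records into (timestamp, event_id, account, source)."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, source = line.split("|")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        int(event_id),
                        account.lower(),   # account names are case-insensitive
                        source))
    return records


def find_password_guessing_sources(records, window=timedelta(minutes=5),
                                   min_accounts=5):
    """Return {source: sorted accounts} for every source that produced failed
    logons against at least min_accounts distinct accounts inside any window.
    Thresholds are assumed values; tune them to the size of the domain."""
    by_source = defaultdict(list)
    for ts, event_id, account, source in records:
        if event_id in FAILED_LOGON_IDS:
            by_source[source].append((ts, account))

    flagged = {}
    for source, events in by_source.items():
        events.sort()
        # Slide a window anchored at each failure and count distinct accounts
        # hit within it; a single user mistyping their own password never
        # accumulates more than one account and is left alone.
        for i, (start_ts, _) in enumerate(events):
            accounts = {acct for ts, acct in events[i:] if ts - start_ts <= window}
            if len(accounts) >= min_accounts:
                flagged[source] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for source, accounts in find_password_guessing_sources(parse(SAMPLE_LOG)).items():
        print(f"{source}: failed logons against {len(accounts)} accounts: {', '.join(accounts)}")
```

The host at 10.0.5.17 is reported because it walked seven different accounts in a few seconds, which is what a Conficker-infected workstation looks like from the domain controller's side; 10.0.7.3 is not, because two failures followed by a success against one account is an ordinary mistyped password. Pair a hit with the lockout events the same burst will trigger, and with the nmap check linked from the ISC Conficker page, before pulling the machine off the network.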
UPDATE 2: Alan Paller, Director of Research at the SANS Institute, was interviewed this morning on a Washington, D.C. local TV station about Conficker. The interview is at http://www.myfoxdc.com/dpp/news/local/040109_conficker_worm.
In just a few minutes it will be April 1st at the International Date Line. Over the next 24 hours Conficker will change the way it communicates (the Conficker.C variant switches to its new domain-generation scheme, which draws on a far larger pool of candidate rendezvous domains each day), but we don't expect much of anything else to happen. There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to "help" those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers. Our official Conficker page is at http://www.dshield.org/conficker; that's where we have links to all of the software and analysis that we know is trustworthy.
As always, we want to remind our readers that if you are following what everybody considers to be best practices (firewalls, unneeded services turned off, systems patched, current antivirus software, user education and awareness, good policies, an incident detection and response mechanism, etc.) then you have very little to worry about.
If you detect anything NEW with respect to Conficker over the next 24 hours please let us know via our contact page. We'll sound the alarm should something bad happen. Otherwise, back to work and Happy April Fool's Day!!
Marcus H. Sachs
Director, SANS Internet Storm Center