Removing Conficker in 2015

In early August a research paper was published by a team of Dutch researchers trying to determine the reasons why there are more than 1 million computers worldwide still infected with variants of the Conficker malware (otherwise known as Downadup) more than 6 years after it began spreading.

The reasons appear to be that the infections are present on systems that are no longer maintained or are embedded systems that cannot easily be accessed to carry out the removal of the malware. In addition, ISPs (Internet Service Providers) around the world have worked with their customers to remove this malware. However, while their efforts have paid off, once the malware is removed no effort is made to patch the cleaned-up systems and they quickly become infected again.

The research paper also points out that 15% of the systems infected with GameOverZeus are also infected by Conficker. The security vulnerability (CVE-2008-4037, CVE defined) exploited by Conficker in order to propagate itself affects the following versions of Windows:

=======================
Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Vista (32 bit and 64 bit) with or without Service Pack 1
Windows Server 2003 (32 and 64 bit) Service Pack 1 and Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 (32 bit and 64 bit)
Windows Server 2008 for Itanium-based Systems
=======================

This security vulnerability was resolved by Microsoft with this security bulletin.

In order to assist with removing this malware from any systems I would like to offer the following advice:

=======================
For single computers used for home or small business use (up to a maximum of 5 computers):
=======================

=======================
If you don’t wish to continue using your old computer:
=======================

  • Back up your important data to external media e.g. a USB jump/flash drive, an external hard disk or recordable CD/DVD. Computers that can run the older versions of Windows mentioned above should still have all that you need to back up your data e.g. USB ports and CD/DVD recording (burning) drives.
  • Responsibly dispose of your old computer and upgrade to a new computer. Follow the advice on the “Protecting Your PC” page to keep it free from malware.

=======================
If you want to continue using your old computer:
=======================

  • Disconnect the infected computer from the internet.
  • Use a malware-free computer (e.g. a friend’s or a computer at an internet café) to download the Conficker Removal tool from Symantec. Bring the tool to the infected computer using an external hard drive, USB jump/flash drive, or CD/DVD. Run the tool by double clicking it.

The tool will remove all traces of the infection from the computer. I tested this tool on a Windows XP SP3 computer (disconnected from the internet) and it took just over 5 minutes to complete a full scan of the system.

  • If you suspect any other malware may be present on the infected computer, I would suggest using another computer to download any of the following free tools and transfer those tools as described above to the infected computer. Complete a full system scan with any of these tools.

I tested all of these tools using a Windows XP SP3 system not connected to the internet. All tools were able to complete scans without the assistance of an internet connection:

Microsoft Safety Scanner
Sophos Virus Removal Tool
Malwarebytes Anti Malware (free edition)

For Malwarebytes, the included definitions dated from June 2015 since no internet connection was available. Updating using this MBAM rules tool appeared to succeed but had no effect. The Microsoft and Sophos tools did not have this limitation.

  • Once the computer is free of malware, ensure the Windows Firewall is turned on, then re-connect the computer to the internet.
  • Visit Microsoft Update (for Windows 2000, Windows XP and Server 2003 systems) to download and install all necessary security updates. Windows Vista and Windows Server 2008 systems can use the built-in Windows Update to download all necessary security updates.
  • Install anti-malware software that is compatible with your computer. Free and paid for software products are listed on this page. Corporate anti-malware software is listed here. Contact the manufacturer/vendor of the software to check its compatibility with your version of Windows if you are purchasing a paid for version. If an anti-malware product is not available for your version of Windows, disconnect the computer from the internet (to significantly reduce the possibility of malware infection) and consider purchasing a new computer sometime in the future at a time convenient to you.
  • If you wish, disconnect the computer from the internet (see the bullet point above about available anti-malware software). Continue using your computer as normal.

Update: 7th September 2015:
Please note that my suggestion to disconnect a Windows computer (that no longer receives security updates on a monthly basis) from the internet is an effective suggestion to reduce its risk of infection; however, air-gapping (defined) a device is not a perfect solution.

If a device such as an external hard disk or USB flash/jump drive is connected to a computer not connected to the internet, it can still become infected if an infected file is present on this storage device and that file is transferred and loaded/opened on that computer.

To attempt to address some of the pitfalls of air-gapping, I would recommend scanning all files that you intend to transfer using an up-to-date malware scanner or using VirusTotal.com (only for a single file or a small number of files; don’t upload files that contain private/sensitive data) before using those files on older Windows systems, to minimize the risk of malware infection. The link referenced above referring to air-gapped systems includes further advice which you may or may not decide to implement.
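
One way to make sure the files opened on the older computer are exactly the ones that were scanned, as an added example that is not part of the original post: record a SHA-256 hash of every file in the transfer folder right after scanning it, then re-check the drive before opening anything. It assumes Python 3 is available on both computers and that the manifest file is kept outside the transfer folder; the function names are illustrative.

```python
import hashlib
import os
import sys

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def save_manifest(manifest, path):
    """Write one 'digest  relative/path' line per file, sorted by path."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write("{}  {}\n".format(manifest[rel], rel))

def load_manifest(path):
    """Read a manifest written by save_manifest back into a dict."""
    with open(path, encoding="utf-8") as fh:
        pairs = (line.rstrip("\n").split("  ", 1) for line in fh if line.strip())
        return {rel: digest for digest, rel in pairs}

def compare(scanned, current):
    """Report files that changed, were never scanned, or have gone missing."""
    return {
        "changed": sorted(p for p in scanned if p in current and scanned[p] != current[p]),
        "unscanned": sorted(p for p in current if p not in scanned),
        "missing": sorted(p for p in scanned if p not in current),
    }

if __name__ == "__main__":
    # Usage: script.py scan <folder> <manifest>   or   script.py verify <folder> <manifest>
    mode, folder, manifest_path = sys.argv[1:4]
    if mode == "scan":
        save_manifest(build_manifest(folder), manifest_path)
    else:
        print(compare(load_manifest(manifest_path), build_manifest(folder)))
```

Any entry under "changed" or "unscanned" is a file that did not pass through the malware scan in its current form and should not be opened on the older computer.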

=======================

=======================
For computers for small businesses or larger businesses (more than 5 computers):
=======================
While the above steps to remove malware can be applied to any number of computers, the process becomes tedious and time consuming when more than 5 computers are infected. I would recommend seeking the assistance of qualified corporate IT security companies in your locality to perform a malware clean-up. Such companies generally offer a network security assessment and can provide on-going assistance to keep your network safe from security threats.

US-CERT has written an in-depth, easy to follow guide with advice on how to remove the Conficker malware and prevent it from spreading further.
=======================

I hope that the above advice and resources are of assistance to you in removing the Conficker malware from any Windows devices that you may have.

Thank you.
