Beware! Conficker Virus


cribbj, "Supra" Moderator, Houston, TX
Just a heads up about a pretty nasty little worm that has just hit our site over in Algeria. It has taken down several of our servers, and most desktops are infected, too.

Apparently it's propagating throughout the world in anticipation of playing a very nasty practical joke on many people on April 1. Microsoft have offered a $250,000 reward for finding the author and turning him in:

http://blogs.technet.com/msrc/archive/2009/03/27/update-on-conficker-d.aspx

Our IT people are trying to zap it now, but not having much luck as it has quite a sophisticated regeneration mechanism and it seems to spring back to life after they think they've killed it.

For the moment, our proxy server is still up, so we still have an Internet connection, however our mail server is down, as well as several of the servers that do data harvesting from our plant process control system.

If any of you are involved in IT or process control systems, I would strongly recommend you be extra vigilant over the next few days, and make sure you have the latest patches installed for your Windows machines and AV software. Our Sophos AV software detected its arrival, but couldn't stop it from propagating. Whoopee.

We think we may have been infected by a trainee (university student) who simply connected an already infected USB memory stick to our system.

As usual, it's only affecting Windows machines, so those of you who are on Macs or Linux boxes needn't worry...
 
John,
Thanks for that. I found Conficker on a DataTraveler 4 GB flash drive, made by Kingston. It was fresh out of the package. I checked it due to your warning.
All other drives checked at my site. So far no infection.
 

Now that IS an interesting find.

Flash drives are so abundant that it would be fairly easy to infect multiple drives and "re-package" them as new... of course that would be much more expensive than the spam-email dispersal strategy. It would take a funded attack.
 
Since my last post on 28th March, our site has been completely down trying to eradicate this virus from our machines. It even found its way through the firewalls to our process LAN and infected our plant DCS. Now THAT'S scary. Interestingly, the virus didn't seem to do anything at all.

We're finally clean and back online, but it was a real wakeup call for us, so we're having an audit done on our firewalls and security systems by an InfoSec outfit. The next one might not be so benign as this one was.

As it turns out, we believe the initial infection was done by a college student trainee, with his USB memory stick. We've subsequently found the virus on several other fairly new memory sticks as Andrew mentioned.
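The memory sticks described in the posts above were carrying Conficker's USB propagation artifact: the worm copies itself to the drive under a RECYCLER folder with a harmless-looking extension and writes an autorun.inf, padded with junk binary data, whose shellexecute line loads that file through rundll32.exe. The script below is an added example, not code from this thread or from any of the posters; it parses autorun.inf the lenient way Windows does (lines it does not recognise are ignored, which is why the junk padding never stopped the real directives from working) and reports the tell-tale signs. The two sample files are constructed, and the SID-like folder name and file name in the second one are made up; only the pattern is modelled on the publicly documented Conficker.B autorun.inf. It checks the removable-media vector only; the network vector (MS08-067) is what the patching advice earlier in the thread addresses.

```python
"""Flag a Conficker-style autorun.inf on removable media (added example)."""
import re
from pathlib import Path, PureWindowsPath

# [autorun] keys that run a program when the drive is opened or inserted.
EXEC_KEYS = ("open", "shellexecute")
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".dll", ".vbs", ".js"}
# Folders Explorer hides by default; malware likes to live there.
HIDDEN_DIRS = {"RECYCLER", "RECYCLED", "$RECYCLE.BIN", "SYSTEM VOLUME INFORMATION"}

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_autorun(data: bytes) -> dict:
    """Return key=value pairs from the [autorun] section, keys lower-cased.

    Junk lines match neither pattern and are skipped, mirroring the INI
    parser in Windows that honoured Conficker's directives despite the padding.
    """
    keys, in_autorun = {}, False
    for raw in data.splitlines():          # bytes.splitlines: \n, \r, \r\n only
        line = raw.decode("latin-1")       # lossless for arbitrary bytes
        if (m := SECTION_RE.match(line)):
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and (m := KEY_VALUE_RE.match(line)):
            keys[m.group(1).lower()] = m.group(2)
    return keys


def junk_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor TAB/CR/LF."""
    if not data:
        return 0.0
    junk = sum(1 for b in data if not (0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)))
    return junk / len(data)


def split_command(value: str) -> list:
    """Split a command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def command_target(value: str):
    """Return (uses_rundll32, path_of_what_gets_loaded) for an open=/shellexecute= value."""
    tokens = split_command(value)
    if not tokens:
        return False, ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe"):
        # rundll32 takes "library,entrypoint"; the library is what actually loads.
        lib = tokens[1].split(",", 1)[0] if len(tokens) > 1 else ""
        return True, lib
    return False, tokens[0]


def analyze_autorun(data: bytes) -> dict:
    """Classify an autorun.inf as clean, runs-code, or malicious, with the reasons."""
    keys = parse_autorun(data)
    findings = set()
    ratio = junk_ratio(data)
    if ratio > 0.05:                       # a real INI file is essentially all text
        findings.add("junk_padding")
    if "open folder to view files" in keys.get("action", "").lower():
        findings.add("spoofed_action")     # mimics Explorer's own AutoPlay entry
    for key in EXEC_KEYS:
        if key not in keys:
            continue
        findings.add("autorun_executes")
        uses_rundll32, target = command_target(keys[key])
        if uses_rundll32:
            findings.add("rundll32_loader")
        path = PureWindowsPath(target)     # pathlib drops the leading ".\" component
        if path.suffix and path.suffix.lower() not in EXECUTABLE_EXTS:
            findings.add("disguised_extension")
        if any(p.upper() in HIDDEN_DIRS for p in path.parts):
            findings.add("hidden_system_folder")
    if findings & {"disguised_extension", "hidden_system_folder"} or \
            {"junk_padding", "spoofed_action"} <= findings:
        verdict = "malicious"
    elif "autorun_executes" in findings:
        verdict = "runs-code"              # legitimate but worth a look
    else:
        verdict = "clean"
    return {"keys": keys, "junk_ratio": round(ratio, 3),
            "findings": sorted(findings), "verdict": verdict}


def scan_drive(root):
    """Analyze <root>/autorun.inf if present, e.g. scan_drive('E:\\\\'); None if absent."""
    inf = Path(root) / "autorun.inf"
    return analyze_autorun(inf.read_bytes()) if inf.is_file() else None


# Constructed sample: the ordinary autorun.inf a driver CD ships with.
BENIGN_AUTORUN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor Driver CD\r\n"

# Constructed sample modelled on the documented Conficker.B layout: junk bytes
# between the real lines, a spoofed Action text, and rundll32 loading a ".vmx"
# file from a RECYCLER folder.  SID-like folder and file names are made up.
JUNK = b"\x8a\x00\xff\x1b\x7f\x04\xc3\x99\x01\xef\xb2\x80\x00\xfe\x1a\x92"
CONFICKER_LIKE = (
    JUNK + b"\r\n[AutoRun]\r\n"
    + JUNK + JUNK + b"\r\nAction=Open folder to view files\r\n"
    + JUNK + b"\r\nIcon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + JUNK + JUNK
    + b"\r\nshellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\jwgxyz.vmx,zzzz\r\n"
    + JUNK + b"\r\nUseAutoPlay=1\r\n"
)

if __name__ == "__main__":
    for name, blob in (("driver CD", BENIGN_AUTORUN), ("conficker-like", CONFICKER_LIKE)):
        print(name, analyze_autorun(blob))
```

Point `scan_drive()` at the root of a freshly plugged-in stick before anything on it is opened; on the machine doing the checking, AutoRun should already be disabled so that merely inserting the drive cannot trigger the shellexecute line.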
 
Jake, I couldn't agree with you more, on a single user, single machine basis. I run Ubuntu as my preferred O/S, and XP when I have to.

Unfortunately, for a crude oil plant in the middle of the Algerian Sahara, with a $10 MM process control system that has Windows based operator stations, it ain't quite so simple, and it's definitely not cheap to switch.
 