Protecting your PC isn’t rocket science

Larry Seltzer has always been one of my favorite commentators on PC security, and this week he has written one of the best articles I’ve read in a long, long time. Here’s a sample from Malware is Getting Formidable, But So Are Your Defenses:

You can think of Conficker as being the state of the art in conventional malware. It not only uses an important vulnerability, but it’s a sophisticated blended attack, using a wide variety of mechanisms to spread: pseudo-random domains, dictionary attacks on weakly-protected network shares, USB drives, and more. You can admire the work that went into developing Conficker once you get past the amorality and greed that inspired it.

But there’s nothing that it does that you can’t protect against with best practices. Almost everyone that was hit by it was running a version of Windows XP that hadn’t been patched in many months. And even if you ran no anti-virus at all, least-privilege, updated software versions and a few other little things like a good firewall would block most of the ill effects of Conficker and most other malware and prevent them from becoming permanent on the system.

I noticed last week that several publications were trying to whip up some hysteria over the Conficker worm hitting on April 1 and causing a security tsunami. Maybe. I’ve only been following the Conficker fuss out of the corner of my eye so I can’t really speak authoritatively on it. But those stories didn’t ring true to me, and my suspicions were confirmed when I went back to the original source that those reporters were using for their fear-mongering, SRI International’s “An analysis of Conficker’s logic and rendezvous points,” released in February and updated last week.

My understanding is that the patch Microsoft issued last fall closed the hole the worm exploits (the other spreading mechanisms Seltzer lists, weak share passwords and USB drives, are a matter of least privilege and how you handle removable media, not of patching). The SRI report seems to agree with that judgment:

The patch for this exploit was released by Microsoft on October 23 2008, and those Windows PCs that receive automated security updates have not been vulnerable to this exploit.

Later in the same report, the authors note:

Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches.

They also mention that the threat may be worse in countries where Windows is regularly pirated.

As Seltzer writes, “you can get yourself a pretty substantial level of protection by being scrupulous about a number of these important measures, with the most important one probably being least-privileged access.” I agree completely. Set yourself up with a standard user account, use the Windows firewall or a third-party replacement, be aggressive about updating your system and all important applications (Office, Acrobat, Flash, QuickTime), and run up-to-date antivirus software.

It’s not rocket science.
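Here is the checklist above turned into a read-only audit script. This is an added example, not code from the post or from Seltzer's article; it assumes Windows PowerShell 2.0 or later on a client edition of Windows, and it identifies the October 23, 2008 update as MS08-067 (KB958644). The antivirus check relies on the Security Center WMI classes, whose productState encoding on Vista and later is undocumented; the decoding used here is the commonly published one. Run it from the account you use day to day.

```powershell
# Added example (not from the post or from Seltzer's article): audit the four
# basics on a Windows PC. Assumes Windows PowerShell 2.0+ on client Windows.

function Test-StandardUser {
    # Least privilege: the everyday account should not be in the local
    # Administrators group. Membership is read from the group itself rather
    # than from the current token, because under UAC a non-elevated admin's
    # token is filtered and would look like a standard user.
    # Caveat: membership via a nested domain group is not resolved here.
    $me      = [Security.Principal.WindowsIdentity]::GetCurrent().Name  # DOMAIN\user
    $user    = $me.Split('\')[-1]
    $group   = [ADSI]"WinNT://./Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return (-not ($members -contains $user))
}

function Test-FirewallEnabled {
    # Vista and later expose INetFwPolicy2; require the firewall on for every
    # profile (1 = Domain, 2 = Private, 4 = Public). XP SP2/SP3 only has the
    # older HNetCfg.FwMgr API, used as the fallback.
    try {
        $policy = New-Object -ComObject HNetCfg.FwPolicy2
        foreach ($profile in 1, 2, 4) {
            if (-not $policy.FirewallEnabled($profile)) { return $false }
        }
        return $true
    } catch {
        $mgr = New-Object -ComObject HNetCfg.FwMgr
        return [bool]$mgr.LocalPolicy.CurrentProfile.FirewallEnabled
    }
}

function Test-AutomaticUpdates {
    # Automatic Updates settings via the Windows Update Agent COM API.
    # NotificationLevel 4 = download and install automatically; 1 = disabled.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return ($au.Settings.NotificationLevel -eq 4)
}

function Test-ConfickerPatch {
    # The October 23, 2008 fix the SRI report refers to is MS08-067 (KB958644).
    # Get-HotFix lists installed updates; a build that shipped with the fix
    # already integrated (a later service pack) will not list it, so treat a
    # miss there as "check the OS build", not as "vulnerable".
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq 'KB958644' }
    return ($hotfix -ne $null)
}

function Get-AntiVirusStatus {
    # Vista+: root\SecurityCenter2 with an encoded productState (hex digits 3-4
    # "10"/"11" = enabled, digits 5-6 "00" = signatures up to date; this is the
    # widely used, undocumented decoding). XP: root\SecurityCenter with booleans.
    $products = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct `
        -ErrorAction SilentlyContinue
    if ($products) {
        foreach ($p in $products) {
            $hex = '{0:x6}' -f [int]$p.productState
            New-Object PSObject -Property @{
                Name     = $p.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
        return
    }
    Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name     = $_.displayName
                Enabled  = [bool]$_.onAccessScanningEnabled
                UpToDate = [bool]$_.productUptoDate
            }
        }
}

"Standard (non-admin) account : $(Test-StandardUser)"
"Firewall on for all profiles  : $(Test-FirewallEnabled)"
"Automatic Updates installing  : $(Test-AutomaticUpdates)"
"MS08-067 (KB958644) installed : $(Test-ConfickerPatch)"
"Antivirus products:"
Get-AntiVirusStatus | Format-Table Name, Enabled, UpToDate -AutoSize
```

An expired trial AV (the situation several of the comments describe) shows up here as a product that is present but not up to date, which is the case a glance at the tray icon tends to miss.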

Update: for more on the Conficker worm, visit the Microsoft Malware Protection Center.

10 thoughts on “Protecting your PC isn’t rocket science”

  1. And yet somehow I have had to clean a relative’s WinXP PC twice in one week (not due to Conficker, I think, but still). Why? Windows Update was disabled. So I added SP3 by hand, set things up as they should, cleaned up as much of the mess as I could by hand, and crossed my fingers.

    It’s not rocket science, but some people simply aren’t interested in learning — because there’s always someone they can fall back on to bail them out when things get sticky.

  2. I constantly hear from people who have bought the line that Windows patches cause more problems than they fix — and they are usually told this by some tech “expert” whose word they trust. Problem is, by the time they’re emailing me or calling for help on our radio show, they’re infected as a result of that bad advice from their “expert”.

    Then there are the businesses who don’t patch because they want to test new updates, and for some reason, they don’t get around to it as fast as they should. I suspect there are quite a few of those in the Conficker stew, particularly since Microsoft rolled out the related patch out-of-cycle.

  3. Most people I believe get infected from simply not understanding the threat. They don’t run Windows update, they open email attachments or they get suckered into downloading some form of “protection” only to get really infected.
    My son is working part time at a local computer repair shop; half the time he’s running Windows Update and doing scans with Malwarebytes. Almost all the infected computers aren’t updated and many don’t have up-to-date AV running. The problem with the free trials of Norton or Trend Micro is that so many people ignore the subscription notice you get and just keep using an out-of-date AV.

  4. Strongly agree with Mark S. Microsoft does the public a disservice by not including an anti-virus program with the operating system. A friend of mine had an anti-virus on board, but it had expired five years ago. She simply did not understand why the Taskbar icon was red, and what the pop-up message meant at boot.

    Most users are not computer “rocket scientists” and so many computer writers (and Microsoft!) have failed to help educate Mr and Mrs America about basic computer usage, including simple file management and security.

    By the way, possibly because this lady had Update doing automatic updates, she was amazingly malware free! She also did not visit risky sites.

  5. MGO, I think that’s all going to change this summer. They used to include AV software with DOS, but that option vanished when Microsoft became an antitrust target.

  6. Because of automated updates, I think it’s certainly gotten easier to protect a Windows-based PC, but there are those who will refuse to install updates because they don’t want to go through restarting their machines.

    I thought the implementation of XP’s “Install Updates and Shut Down” was a great advance in addressing this issue — provided that users left the default choice for automatic updates.

    And I think the ready availability of decent free anti-virus and software-based firewall applications is practically a public service for some users who either can’t afford or won’t pay for anti-virus software and firewalls. Or, as Mr. Schneider correctly points out, the trialware AV or Internet security suites go out of date, and users won’t bother updating or are too ignorant to update.

    I also think the proliferation of pirated Windows OSes is a great contributor to the virus/trojan/malware epidemic, and I don’t know how that could possibly be addressed.

  7. Too bad the only people who are reading that article are the ones who actually care about security in Windows. Hopefully someone finds the article accidentally and it helps them secure their PC.

  8. Most of the people who I have come across that didn’t allow regular updates refer to some third hand comment they heard about a disastrous update that happened to someone else.

  9. One way that Conficker spreads is via USB flash drives. For the best way to protect your computer from infected thumb drives see

    The best way to disable Autorun for protection from infected USB flash drives
    http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives

    You can also test your defenses against malware on USB flash drives using my test autorun.inf file described here

    Test your defenses against malicious USB flash drives
    http://blogs.computerworld.com/test_your_defenses_against_malicious_usb_flash_drives
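The two registry controls that govern Autorun on removable media, with a harmless constructed autorun.inf to exercise them. This is an added example and is neither the commenter’s test file nor the contents of the linked articles; it assumes Windows PowerShell 2.0 or later, and the IniFileMapping technique it uses is the widely published one (pointing autorun.inf’s settings at a registry key that does not exist, so Explorer never honors the file). Applying the settings needs an elevated prompt.

```powershell
# Added example (not the commenter's test file or the linked articles' text):
# inspect, apply and test the Autorun controls for removable drives.
# Assumes Windows PowerShell 2.0+.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunStatus {
    # NoDriveTypeAutoRun is a bitmask of drive types on which Autorun is
    # disabled; 0xFF covers every type. Older XP builds still parsed
    # autorun.inf for the drive's double-click action regardless of this
    # value, which is why the second control below exists.
    $mask = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # IniFileMapping: with the default value "@SYS:DoesNotExist", Windows
    # reads autorun.inf settings from a nonexistent registry key instead of
    # from the file, so whatever the file says is ignored.
    $mapping = (Get-ItemProperty -Path $mappingKey -Name '(default)' `
        -ErrorAction SilentlyContinue).'(default)'
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun = $mask
        AllDrivesDisabled  = (($mask -band 0xFF) -eq 0xFF)
        IniFileMapping     = $mapping
        AutorunInfIgnored  = ($mapping -eq '@SYS:DoesNotExist')
    }
}

function Set-AutorunDisabled {
    # Requires an elevated (administrator) prompt: a standard user account,
    # as recommended in the post, cannot write under HKLM. That is the point.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
    Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function New-TestAutorunInf {
    # Writes a harmless, constructed autorun.inf to the root of a flash drive.
    # After re-inserting the drive: if AutoPlay offers "Autorun test" or
    # Calculator starts, the controls above are not in effect on this PC.
    param([Parameter(Mandatory = $true)][string]$DriveRoot)   # e.g. 'E:\'
    $content = "[autorun]`r`n" +
               "open=calc.exe`r`n" +
               "action=Autorun test (constructed sample)`r`n" +
               "icon=%SystemRoot%\system32\shell32.dll,4`r`n"
    Set-Content -Path (Join-Path $DriveRoot 'autorun.inf') -Value $content -Encoding Ascii
}

# Read-only report; call Set-AutorunDisabled from an elevated prompt to apply.
Get-AutorunStatus | Format-List
```

Remove the test file from the drive afterwards; an autorun.inf that launches Calculator on a hardened PC will launch whatever the next unhardened PC expects it to.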

Comments are closed.