
Rise of the zombie army

Updated Monday, 26th January 2009

Following the arrival of the Conficker worm, Mike Richards gives us several good reasons why we should keep our computer's security patches and antivirus software up to date


Waiting for the zombie army

Somewhere out there more than 9 million Windows computers are about to wake up and do something, but no one knows precisely what. These machines have been infected by a software worm known as Conficker, which first appeared late last year; although it has yet to do much damage, it is causing real concern to computer security experts.

A worm is a computer program which spreads by copying itself from machine to machine over a computer network, without any help from the user. Computer viruses are a different type of program: they spread by attaching themselves to other files, such as programs, documents, screensavers and email attachments, and are triggered when those files are opened or run. Worms, viruses and trojan horse programs can all be described as malware.

Worms have been around for decades now and have become increasingly dangerous. The first really dangerous worm was the Morris worm, released in 1988 by Robert Morris, a graduate student at Cornell University in the United States. Morris' worm carried no destructive payload, but it exploited several flaws in the Unix systems of the day to spread, and as it replicated across the Internet the copies consumed ever-increasing amounts of computer power, making machines sluggish or completely unresponsive. The US General Accounting Office later estimated that the clean-up had cost between $100,000 and $10 million; Morris himself was convicted under the Computer Fraud and Abuse Act and sentenced to probation, community service and a fine.

Since then, programmers have been coming up with ever more sophisticated worms that exploit loopholes and bugs in computer software. Microsoft Windows is the most commonly exploited program, partly because it can be found on nine in every ten computers, but also because Windows is an enormously complex piece of software. Microsoft tries to ensure that new versions of Windows are compatible with previous versions so that users don't have to throw away applications when they upgrade their operating systems. Consequently, newer versions of Windows may contain several chunks of code that all perform more or less the same task.

Even more complexity is introduced by software and hardware manufacturers who write software to work with Windows. Many of Windows' problems actually have nothing to do with Microsoft, but are created by the writers of device drivers who either fail to follow Microsoft's guidelines or inadequately test their programs. The result has been an enormous number of weaknesses in Windows and in the software running on PCs. It is estimated that the most common version of Windows (XP) contains approximately 50 million lines of programming code, with millions more in all of the applications and drivers installed on an average computer. Identifying and fixing bugs and loopholes is a monumental and never-ending task.

Conficker creeps on to Windows machines using a bug in the so-called Server service, which ticks away quietly in the background on all computers running Windows 2000, Windows XP, Windows Vista and Windows Server. The bug meant that a specially malformed network request could make the service run code of the attacker's choosing, with no password or user action required, which is exactly what a worm needs. Microsoft announced the weakness in October 2008 (security bulletin MS08-067) along with a software patch that eliminated the flaw. During the last three months all Windows machines should have picked up the security patch and protected themselves from infection, but it is estimated that at least one third of machines are still unprotected from Conficker.

Shamefully, many large organisations, including the Royal Navy (whose NavyStar/N* desktops are found on its warships) and the Sheffield Teaching Hospitals Trust, had not applied the updates to their Windows systems and have been infected in the last few days. Huge amounts of time have been spent clearing up the infection, and serious questions must be asked about these organisations' computer policies. The Sheffield infection was made possible after automatic updates were switched off on all computers belonging to the Trust. This decision was made when a PC used in an operating theatre performed an update and rebooted during surgery (this did not threaten the life of the patient). Rather than disable or modify the update procedure only for machines in critical areas, a blanket decision was made that eventually caused even more damage.

Conficker can find its way on to a computer either through a network connection or by being carried on a USB memory stick, where it hides behind the stick's autorun file so that it starts as soon as the stick is plugged in. When the worm infects a computer it immediately sets to work disabling the built-in protection: the automatic update service which would normally download the protective patch is switched off, as are the features that prevent malicious software running on the machine and the warnings that would tell you something is wrong. Once it has blinded these defences, the worm makes a call to its creators (believed to be in Ukraine) informing them that the machine has been compromised. The PC has become what is known as a zombie.

Conficker is meanwhile busy running a tiny Web server program (just like the one which sent you this page) whose sole purpose is to deliver more copies of the worm. The worm scans other computers on the network looking for ones that are vulnerable to infection; if it finds one, it uses the Server service flaw to direct that machine to Conficker's Web server, the machine downloads the worm, and the infection spreads.

Remember Conficker's call home? The reply to that call is a bundle of other malicious software which (amongst other things) tries to weasel personal data out of the infected machine by cracking passwords. If this wasn't worrying enough, each infected machine sits ready and waiting to receive further commands from Conficker's creators. They could all receive copies of software designed to record key presses in the hope of discovering passwords or credit card numbers, or they could be turned into spam machines, each disgorging thousands of spam emails an hour on to the Internet.

Perhaps most worrying, the infected machines could be used to mount a denial of service attack on a Web site with the intention of forcing it offline. Denial of service attacks are incredibly simple to perform and very hard to prevent. Every time a computer requests some information from a Web server, it consumes a small amount of the server's processor time and bandwidth. Send enough requests in a short enough time and the server can do nothing but respond to them: eventually they either saturate the bandwidth of its network connection or consume all of its processor time. The site is no longer available to legitimate users and remains offline until the attack subsides. A flood from a single machine can be stopped by blocking that machine's address; a flood from millions of zombies, each sending only a modest trickle, is far harder to tell apart from genuine traffic, which is precisely what makes a zombie army so valuable to its owners.
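To make the difference between the two kinds of flood concrete, here is an added example (not from the article) that reads web-server access-log lines, counts requests per second and per client, and reports whether the server is being hammered by one address or by many. The log lines are constructed for the example, and the two thresholds are assumptions about this particular server rather than general rules.

```powershell
# Added example: telling a request flood apart from normal traffic in an access log.
# The thresholds below are assumptions about one server, not universal constants.
function Get-FloodReport {
    param(
        [string[]]$Lines,
        [int]$PerSourceLimit = 20,    # assumed: more than this per second from one client is abuse
        [int]$ServerCapacity = 100    # assumed: requests per second this server can actually serve
    )
    # Common Log Format: client ident user [timestamp] "request" status bytes
    $pattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) (?<bytes>\S+)$'
    $perSecond = @{}                  # timestamp -> (client address -> request count)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {  # lines that are not request records are skipped
            $ts = $Matches['ts']; $ip = $Matches['ip']
            if (-not $perSecond.ContainsKey($ts)) { $perSecond[$ts] = @{} }
            if ($perSecond[$ts].ContainsKey($ip)) { $perSecond[$ts][$ip]++ } else { $perSecond[$ts][$ip] = 1 }
        }
    }
    foreach ($ts in ($perSecond.Keys | Sort-Object)) {
        $clients = $perSecond[$ts]
        $total   = ($clients.Values | Measure-Object -Sum).Sum
        $worst   = $clients.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1
        $verdict = 'normal'
        if ($worst.Value -gt $PerSourceLimit) {
            # One client hammering the server: blocking that single address is enough
            $verdict = "single-source flood from $($worst.Key) ($($worst.Value) req/s); block it"
        } elseif ($total -gt $ServerCapacity) {
            # No single client looks abusive, yet the server is over capacity: a zombie army
            $verdict = "distributed flood: $total req/s from $($clients.Count) clients, none over the per-source limit"
        }
        [pscustomobject]@{ Second = $ts; Requests = $total; Clients = $clients.Count; Verdict = $verdict }
    }
}

# Constructed sample traffic (not a real log): a few normal visitors at :00,
# one machine alone sending 60 requests at :01, and 150 zombies sending one request each at :02.
$sample = @()
$sample += 1..5   | ForEach-Object { "198.51.100.$_ - - [26/Jan/2009:10:00:00 +0000] ""GET /index.html HTTP/1.1"" 200 1024" }
$sample += 1..60  | ForEach-Object { "203.0.113.9 - - [26/Jan/2009:10:00:01 +0000] ""GET / HTTP/1.1"" 200 512" }
$sample += 1..150 | ForEach-Object { "192.0.2.$_ - - [26/Jan/2009:10:00:02 +0000] ""GET / HTTP/1.1"" 200 512" }

Get-FloodReport -Lines $sample | Format-Table -AutoSize -Wrap
```

The first second is reported as normal, the second as a single-source flood that a firewall rule would stop, and the third as a distributed flood in which no individual zombie exceeds the per-client limit. That third verdict is the one a botnet is built to produce: the only defences are more capacity, upstream filtering or telling the zombies' requests apart from real ones by their behaviour.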

In recent years, actual or threatened denial of service attacks have been used to extort money from companies. They are told that unless a large sum is paid, their servers will be targeted and they will lose business. It is believed that many of these extortion attempts have links to Eastern European criminal gangs.

Denial of service attacks have also been aimed at the very root of the Internet. In 2002 and 2007 attacks were made on the DNS root servers, which sit at the top of the system that turns the names you type into your Web browser into the numeric addresses computers actually use. In 2002, nine of the thirteen root servers were knocked out or seriously degraded for approximately an hour, though most users noticed nothing because the remaining servers carried the load; the attack in 2007 lasted longer but did not take any of the servers offline. The culprits were never caught.

What if I've been infected by Conficker?

The first thing to do is remove the worm itself. Microsoft's Malicious Software Removal Tool has been updated to deal with it. You can download it from and follow the link to the program. Symantec have a similar tool at which is also free to use. Run the tools and follow any instructions you receive.

Once your machine is free of infection, the next thing you must do is connect manually to Microsoft's Windows Update server. If your machine has been infected, Conficker will have switched automatic updating off, so you will need to do the update by hand. The link to Windows Update can be found on the Start menu at the bottom left of the screen or on the Tools menu in Microsoft Internet Explorer. Alternatively you can go to the update page at (this only works in Internet Explorer). Follow the instructions to download all the updates for your machine. If there are any, install them and restart your machine, then repeat the process until there are no more applicable updates.

Next, you have to ensure your machine continues to receive updates as and when they are released. The settings for this are found in the Control Panel (go to the Start menu, then Settings and choose Control Panel, then Automatic Updates). Make sure the Automatic (recommended) setting is selected. Tell the computer to look for updates every day, choose a time when the machine is likely to be on, and finally click OK.

After that, return to the Control Panel and choose Windows Security Center. Make sure each of Firewall, Automatic Updates and Virus Protection is shown as ON.

Next, make sure your antivirus software is up to date. If you don't have an antivirus program, or if your software is out of date, you can download a free version of Anti Virus Guard (AVG) from - this is a good program which should give you adequate protection from further infections. Once your antivirus program is installed and up to date, run a complete scan of your computer to look for any infections and remove them.

Now all you have to do is make sure all your other computers are equally protected.
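The manual steps above can be checked and, after the worm has been removed, partly automated. The script below is an added example (not from the article) that looks for the protections the article says Conficker switches off, confirms the October 2008 Server service patch is present, and puts Automatic Updates back to the Automatic (recommended) setting the article asks for. The service names are my assumption of what the article's "automatic update service" and malware-blocking features correspond to on XP and Vista, KB958644 is the Windows Update name of the MS08-067 patch, and the registry locations are those used by the Automatic Updates and Windows Firewall control panels on those versions.

```powershell
# Added example: audit and repair the protections Conficker is described as disabling.
# Run from an elevated Windows PowerShell prompt (PowerShell 2.0 or later).
# Assumption (mine, not the article's): these services are what the article's
# "automatic update service" and malware-blocking features map to on XP/Vista.
$watchedServices = @{
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer (downloads the updates)'
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
}

function Test-ProtectionServices {
    # Emits one line per watched service that is stopped or disabled; no output means all is well
    foreach ($name in ($watchedServices.Keys | Sort-Object)) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # e.g. no Windows Defender on a plain XP install
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
            "$name ($($watchedServices[$name])): status=$($svc.Status), start mode=$mode"
        }
    }
}

function Test-ServerServicePatch {
    # KB958644 is the October 2008 update for the Server service flaw (MS08-067)
    if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
        'KB958644 (MS08-067) is missing: the Server service is still exploitable; run Windows Update'
    }
}

function Test-AutomaticUpdates {
    # AUOptions: 1 = disabled, 2 = notify only, 3 = download then notify, 4 = Automatic (recommended)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $au  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $au -or $au.AUOptions -ne 4) {
        "Automatic Updates is not set to Automatic (AUOptions = $($au.AUOptions))"
    }
}

function Test-Firewall {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $fw  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $fw -or $fw.EnableFirewall -ne 1) { 'Windows Firewall is off for the standard profile' }
}

function Repair-AutomaticUpdates {
    # Only run this after the worm has been removed; otherwise it simply switches everything off again
    foreach ($name in 'BITS', 'wuauserv', 'wscsvc') {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Set-Service -Name $name -StartupType Automatic
            Start-Service -Name $name
        }
    }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' `
                     -Name 'AUOptions' -Value 4 -Type DWord
}

$findings = @(Test-ServerServicePatch) + @(Test-ProtectionServices) + @(Test-AutomaticUpdates) + @(Test-Firewall)
if ($findings.Count -eq 0) {
    'No problems found: patch present, protection services running, Automatic Updates and firewall on'
} else {
    'Problems found:'
    $findings | ForEach-Object { "  - $_" }
    'After removing the worm, run Repair-AutomaticUpdates and then Windows Update by hand.'
}
```

A stopped Automatic Updates or Security Center service on a machine that nobody deliberately reconfigured is exactly the footprint the article describes, and it is worth checking every machine on the network rather than only the one that raised the alarm. The script deliberately does not try to remove the worm; use the removal tools first, then audit, then repair.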

Although Conficker cannot infect computers running Apple Mac OS X or Linux directly, it can infect a copy of Windows running on those computers inside virtualisation software such as VMware, and potentially Windows programs run through the Wine compatibility layer. If you run Windows in this way on a Mac or Linux computer, you will also need to check that it is not infected. It is also worth pointing out that there are malicious software developers trying to attack Mac OS X and Linux. Although there are no major threats at the current time, there is no reason to believe that either operating system is immune to potentially devastating attacks. If you run one of these operating systems you must be equally diligent in applying software updates as and when they become available.

So we're still waiting to find out what, if anything, will happen when Conficker finally wakes up. All we can be sure of is that this will not be the last time it happens; the next generation of malware is already being hatched in computers around the world.
