Thursday, March 19, 2009

Conficker approaches "April Fools": a note about McAfee subscription verification

John Markoff has a disturbing story in the New York Times today (Thursday, March 19) about Conficker, with sci-fi channel speculations about what will happen April Fools Day when, according to lore, it activates on about 12 million computers, mostly in corporate networks.

Some reports have it evading all modern anti-virus software, and needing only one domain registered in order to steal information and perhaps corrupt financial accounts linked to these millions of machines.

The link (“The Conficker worm: April fool’s joke or unthinkable disaster”) is here.

McAfee’s latest link that I could find is here, in Nov. 2008; there is a “gen” version in Jan. 2009 with no description.

I suspect that there will be a lot of bulletins from CERT on this soon.

I’ve noticed another oddity in my McAfee service recently.

Recently, I’ve noticed that once in a while McAfee says “computer is not protected” and requires me to verify the subscription, which always works and turns the green light back on. Recently the subscription date was extended because of a price change, I think. Have other McAfee users noticed this?

I do see one interesting anomaly on the account. I had McAfee on an older (Windows 95 era) laptop that I no longer use. From the record, it looks like the company transferred that to one of my other computers automatically to extend the date. Is this how it works? McAfee has some complicated logic on the use of the contract on more than one machine. Can this explain the subscription verification messages?

Update: March 30, 2009

The latest McAfee entry, dated March 10, 2009, is here.

The US-CERT webpage for Conficker is here.

March 31, 2009

NBC Washington is saying that you can check to see if you are infected with Conficker by just trying to access the website of a major anti-virus company like McAfee or Norton, or Webroot (for Spysweeper, which Geek Squad likes). I doubt that is correct. I think you should try to run the anti-virus package, and try testing it for updates. At least McAfee updated to March 30 early today when queried.

Does anybody know if the secondary threat starts April 1 2009 "local time" or GMT? If GMT, we'll know what happens shortly after 8 PM tonight EDT. If local time, we could look at what happens in Australia now. If someone knows the time zone issue, please comment.

I have a feeling that April 1, 2009 will be a busy day for Geek Squad and Geeks on Call.
