Monday, April 13, 2009

Conficker Eye Chart: How it works

Mon Apr 13, 2009 3:53PM EDT

Many readers have been wondering what the easiest way is to determine whether their computer has been infected with the Conficker worm. Previously I've pointed them to this Conficker Eye Chart -- and that recommendation still holds -- but now I want to respond to further questions about how it works.

First, some have looked at the spartan Eye Chart and have worried that it might be, at best, a sham designed to lull you into a false sense of security and, at worst, yet another delivery mechanism for the Conficker worm. It is neither. The Conficker Eye Chart is in reality a very clever way to determine if your computer is compromised, and it doesn't require you to do anything but click one link.

Here's how it works, in brief: Visit the web page linked above and you'll see six images: The three on top are for security software websites, and the three on the bottom are the logos of various open source operating system distributions. The clever part of all this is that the logos aren't actually being served from the web page linked above, but are rather drawn directly from the six different websites to which each logo belongs.

Conficker (like many other pieces of malware) blocks your web browser from reaching many security websites, so if you don't see some of the security logos on the page, you probably have a problem. Why include the open source logos below it? Because if they don't show up, you are probably simply experiencing an internet connectivity problem instead of being the victim of a malware attack.

Whatever you see on the Eye Chart page, just scroll down a bit to determine how to interpret the images in question. Different strains of Conficker cause different sets of logos to appear (Conficker.B, for example, doesn't block the SecureWorks logo). Of course, you should also remember that many other viruses and worms block access to security software websites, so not seeing some or all of the images could also be a symptom of a different infestation. If you see all the logos, you're probably in the clear.
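The check described above can be sketched in browser JavaScript. This is an added example, not the Eye Chart's own code: the hostnames are constructed placeholders (only the SecureWorks name comes from the article), and the verdict labels and function names are hypothetical.

```javascript
// Placeholder hosts (constructed); only the SecureWorks name comes from the article.
const PROBES = [
  { name: "security-a",  group: "security", url: "https://security-vendor-a.example/logo.png" },
  { name: "secureworks", group: "security", url: "https://secureworks.example/logo.png" },
  { name: "security-c",  group: "security", url: "https://security-vendor-c.example/logo.png" },
  { name: "os-a", group: "control", url: "https://os-distro-a.example/logo.png" },
  { name: "os-b", group: "control", url: "https://os-distro-b.example/logo.png" },
  { name: "os-c", group: "control", url: "https://os-distro-c.example/logo.png" },
];

// Pure decision logic. `loaded` maps probe name -> true if its image loaded.
function interpret(loaded, probes = PROBES) {
  const failed = (group) =>
    probes.filter((p) => p.group === group && !loaded[p.name]).map((p) => p.name);
  const security = failed("security");
  const control = failed("control");
  // Control logos missing: treat as a connectivity problem, not an infection signal.
  if (control.length > 0) return { verdict: "connectivity-problem", blocked: control };
  if (security.length === 0) return { verdict: "probably-clean", blocked: [] };
  // Article: Conficker.B does not block the SecureWorks logo.
  const verdict = loaded["secureworks"]
    ? "security-sites-blocked-secureworks-visible"
    : "security-sites-blocked";
  return { verdict, blocked: security };
}

// Browser-only: resolve true if the remote image loads, false on error or timeout.
function probeImage(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    // Cache-buster: a logo cached before infection must not mask a block.
    img.src = url + "?t=" + Date.now();
  });
}

// Probe every site in parallel, then classify. `probe` is injectable for testing.
async function runChart(probes = PROBES, probe = probeImage) {
  const results = await Promise.all(probes.map((p) => probe(p.url)));
  const loaded = {};
  probes.forEach((p, i) => { loaded[p.name] = results[i]; });
  return interpret(loaded, probes);
}
```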

One point to remember is that Conficker's creators -- or someone -- have been attempting to attack the Eye Chart page directly, so the page may not load at all. If that's the case, don't assume you have Conficker; it's probably just a temporary site outage.

Instead, try one of these other sites, which are also hosting the exact same Eye Chart and which will work exactly the same way.

