There's been lots of hype about the fact that the latest variant of
the Conficker worm is set to start communicating with other computers
on the Internet on April 1--like an April Fool's Day time bomb with
some mysterious payload.
But security researchers say the reality is probably going to be more
like what happened when the clocks on the world's computers turned to
January 1, 2000, if that.
"It doesn't mean we're going to see some large cyber event on
April 1," Dean Turner, director of the global intelligence network at
Symantec Security Response, said on Wednesday.
It's likely that the people behind Conficker are interested in using
the botnet, which is comprised of all the infected computers, to make
money by distributing spam or other malware, experts speculate. To do
so, they would need the computers and networks to stay in operation.
"Most of these criminals, even though they haven't done
something with this botnet yet, are profit-driven," said Paul Ferguson,
an advanced-threats researcher for Trend Micro. "They don't want to
bring down the infrastructure. That would not allow them to continue
carrying out their scams."
To help clear up some of the confusion about Conficker, here are answers to common questions people may have.
What is Conficker and how does it work?
Conficker is a worm, also known as Kido or Downadup, that cropped up in November. It exploits a vulnerability in Windows that Microsoft patched in October.
Conficker.B, detected in February,
added the ability to spread through network shares and via removable
storage devices, like USB drives, through the AutoRun function in
Windows.
Conficker.C, which surfaced earlier this month,
shuts down security services, blocks computers from connecting to
security Web sites, and downloads a Trojan. It also reaches out to
other infected computers via peer-to-peer networking and includes a
list of 50,000 different domains, of which 500 will be contacted by the
infected computer on April 1 to receive updated copies or other malware
or instructions. Previous Conficker variants were written to connect to
250 domains a day.
Among the domains targeted by Conficker was that of Southwest Airlines,
which was expected to see an increase in traffic from the botnet on
March 13. But a Southwest spokesman said the worm had had no impact on
the site.
Where did Conficker come from?
Some pieces of the Conficker code and methodologies it uses are similar
to those used in previous botnet worms created by the underground
operation known as the Russian Business Network and cohorts in the
Ukraine, Ferguson said. But while there is speculation, researchers
don't know for sure who is involved, he said.
"There is some evidence to indicate that this might at one point have
been tied to distribution of misleading apps and rogue affiliate
networks," said Symantec's Turner.
How is it different from other Internet worms?
Conficker has grown increasingly sophisticated with each iteration,
with features designed to increase its longevity, most likely in
response to researchers' attempts to block it. After researchers began
preregistering domains targeted in the code, the Conficker.C authors
upped the ante by having the algorithm generate 50,000 possible
domains, instead of just 250, throwing a big roadblock into efforts to
counter the worm. The creators also are using advanced encryption to
obscure the instructions detailing which random 500 of the 50,000
domains will actually be contacted on April 1.
It appears the authors may also be intending to create domain
collisions by targeting domains that are already in use by legitimate
owners, Ferguson said.
"They're creating collateral damage, throwing a monkey wrench into our
ability to counter them," he said. "What they're trying to do is make
our lives miserable on any efforts to mitigate the threat."
Some of the tactics, including the domain randomization, inter-node
communication, and use of strong encryption, are new, according to
Ferguson.
"They are using tactics that are probably the most complex and
sophisticated botnet tactics we've seen to date," he said. "This is
very professionally architected design and development."
Added Turner: "This is the first widespread distribution of a
worm since about 2004," when Sasser came out. That worm was believed to
have infected as many as 500,000 computers.
What is being done to fight Conficker?
Microsoft has partnered with all the major security companies and
domain registrars and registries to form the Conficker Coalition
Working Group. The parties are collaborating on research, trying to put
the pieces of the puzzle together and figure out who is behind the worm
and how to stop it. They are using techniques like behavioral analysis
of the code and reverse engineering, but researchers don't want to
reveal too much information on their efforts. "We have made headway but
I'm hesitant to talk about how far we've gotten," Turner said.
Researchers in the U.S. are preregistering domains that are targeted,
but experts in Canada are going even further. The Canadian Internet
Registration Authority is taking steps to block domains generated in
Conficker code that fall in the .ca top-level domain from being used in
the botnet, the nonprofit agency said.
"If other domain registries were able to do the same thing it would go
a long way toward helping mitigate some of the ability for the botnet
to breathe," Ferguson said.
Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 reward for information leading to an arrest in the Conficker case.
What can I do?
Computer users should apply the Microsoft patch and update their antivirus and other security software.
Windows users should also apply a Microsoft update for the AutoRun feature
in Windows that was released in February. The patch allows people to
selectively disable the Autorun functionality for drives on a system or
network to provide more security, to ensure that it is truly disabled.
In addition to putting USB drive users at risk of Conficker and other viruses, the Autorun functionality has been blamed for infections from digital photo frames and other storage types.
Panda also has released a free "vaccine" tool for blocking viruses that spread through USB drives.
Microsoft has a Conficker removal tool. More botnet information and removal resources are on the Shadowserver Web site.
