April Fool’s?
Not by a long shot.
While there was no denial-of-service attack, no identify theft on a massive scale, no raging spambot action on the day the most-hyped worm in recent memory was supposed to go into action, it has activated and it’s going to continue to plague infected computers, according to the chief security advisor at F-Secure Corp.
Conficker, which has infected an estimated 10 million computers worldwide, was designed to automatically look for updates from hosts around the Web. “Millions of computers are doing just that as we speak, but there’s nothing to download,” said Patrick Runald.
There could be a couple of reasons for that, Runald said. Maybe the worm’s designers didn’t make a download available, given the amount of press the countdown to Conficker’s April 1 D-Day attracted. “Unfortunately, they’re not stupid,” Runald said.
And efforts by domain registries around the world, including the Canadian Internet Registration Authority, which controls .ca domains, to block URLs the worm seeks out were effective, Runald said.
“Is it because we did such a great job raising awareness and getting people to patch and update? Possibly. Is it because the worm didn’t do anything? Possibly,” said David Marcus, director of security research and communications with McAfee Inc.’s Avert Labs.
“We’ve been around the clock (monitoring) Conficker for the last couple of days … there hasn’t been a lot of activity,” Marcus said.
Conficker first appeared on the scene in September 2008. While the A and B variants of the worm were designed to infect as many machines as possible, the C variant has a different agenda, said Stefan Chenette, manager of security research with Websense Inc.
The C variant had only about 15 per cent of the code of previous iterations, and was designed specifically to protect itself with anti-security measures, he said.
READ MORE:IT World Canada’s Conficker Resource Centre
Given that methodology, researchers anticipate that “the next variant is going to do something massively destructive,” Chenette said. That could be a single massive attack, or perhaps the authors of the worm will rent the botnet out to others for smaller spam or denial-of-service attacks.
Dormant since January, on April 1 the worm began generating a list of 50,000 domain names a day. From that list, it chooses 500 at random and checks to see if an update is available.
“From now on, it’s going to do that every single day,” said Runald. “If you’re infected, you have to worry about it every day.
“It’s a loaded gun. Let’s unload it.”
And just because the worm isn’t updating through the random domain process, that doesn’t mean it can’t update. Runald said Conficker can also update through a peer-to-peer process with other infected machines, a vector that hasn’t received much attention.
“They could do that at any time. But they didn’t,” Runald said.
While registries worldwide prevented the registration of the domain names generated by Variant C of the worm, the designers could have registered a domain name before the worm was discovered and dissected, Runald said.
The good news is the worm isn’t difficult to detect. If you can’t access Microsoft Corp.’s Web site, nor the Web sites of security companies like F-Secure, McAfee or Symantec Corp., there’s a good chance your computer is infected, Marcus said.
Once detected, users can run a tool like McAfee’s Stinger to remove the malware.
According to Runald, the Web site for the Conficker Working Group has links to several free removal tools. But be wary of simply doing a Web search for Conficker removal utilities, he said; many of those on offer actually contain malware.
And make sure to update Windows after cleansing, since one of the effects of the worm is to keep computers from accessing updates to the operating system, he said.
The Conficker Working Group is a coalition of technology companies, public groups and law enforcement led by Microsoft – which has placed a US$250,000 bounty on the creators of the worm – brought together to battle the worm. With malware exploit following malware exploit for the foreseeable future, should the industry make such ad hoc arrangements permanent?
“There’s certainly something to that,” Marcus said. “We’re certainly better together than we are separately.” Involving tech companies, law enforcement and third parties in the process means “you get lots of brilliant minds working together.”
“Malware won’t go away. It’s about money. Just like car theft won’t go away, just like bank robberies won’t go away … there’s money on the other side of that vault.”