Final countdown to Conficker 'activation' begins
Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.
Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locales used by earlier variants of the code.
"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."
Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or week after the new call-home routine comes into effect.
If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.
Lessons from the call back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant ever downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.
Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.
"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes lead to nothing more than a damp squib," notes Graham Cluley, senior technology consultant, at Sophos.
Although nothing might happen it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.
Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol". An analysis of the worm, complete with a graphic illustrating the evolution of the worm's propagation, control and defensive features, can be found here.
Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.
Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.
Teh conficker is coming teh conficker is coming!!!!!1111!!11111!!!!!oneeleven!!111.
Really, seriously people turn down the fucking hype machine and take a deep breath please. Like I said before watch your systems, patch/disinfect/harden as necessary and get on with business. But the constant proclamations of doom at the hands of conficker is really getting out of hand and potentially distracting people from doing what they can to protect their systems. It really is getting a bit like the boy who cried wolf since it seems every time someone discovers so much as a misplaced period in the code of conficker, then that discovery some how deserves a press release touting how the world is going to come to an end at the hands of this worm (this is particularly true of the twits at Sophos).
I wouldn't be surprised next to find a news story saying that conficker will cause you to become sterile, blind, and grow a third arm while simultaneously killing your dog and causing your mom to mate with the nearest gold fish.
@ Tony Hoyle
"I much prefer f-secure's take on the matter"
Yeah, Sophos made it to my personal "absolute no-no" list of security vendor (on which Symantec was beginning to feel a bit lonely) because of their constant bullshit,especially about Conficker.
The problem with all this crying wolf is when something really nasty *does* hit (a virus reaches the point where it can't be stopped and it will do a lot of damage, guaranteed) nobody is going to be listening any more.
I much prefer f-secure's take on the matter: