Conficker botnet remains dormant - for now
All quiet on the malware front
Conficker changed the way parts of the botnet communicated overnight, but little else of note has happened so far.
The malware is far from an April Fool's joke, but it's obviously a long way from the Skynet botnet, as depicted in Terminator 3, that some of the more fevered imaginings of the media hinted at. The main activity that accompanied the run-up to the activation date was the registration of dozens of new domain names designed to advertise rogue security packages in the guise of Conficker clean-up tools.
As widely predicted by security vendors beforehand, Conficker and its 1 April activation was more about hype than havoc. As F-Secure notes, worms with triggers have consistently failed to do anything on that date. Previous damp squibs include the Michelangelo virus (1992), CIH (1999), SoBig (2003), and MyDoom (2004).
Nonetheless, Conficker remains implanted on many computers, anywhere between 1 and 4 million, according to the latest estimates.
Conficker first began spreading in November, using a variety of techniques including the exploitation of a well-known Windows vulnerability. Once it has secured a foothold on an infected network, the worm is capable of spreading across network shares by exploiting weak password security. The malware is also capable of spreading using infected USB drives.
Early versions of Conficker called home to 250 different domain names every day to see if updates were available. From Wednesday, machines infected by the latest version of Conficker began to poll a sample of 500 out of 50,000 domains a day, making attempts to interfere with the update process more difficult. Most compromised machines are thought to be infected by the earlier B variant, whose behaviour has not changed.
Still earlier versions of the worm include peer-to-peer functionality, so that infected computers can communicate between themselves without the need for a server. This functionality might be used to pass around software updates or to initiate malicious activity without the need for update servers. And the new call-home routine of the latest variant of the worm is due to take place from now on, so the "sleeper" botnet could be unleashed at any future date.
The botnet is yet to be used for sending spam or running denial of service attacks, but even the simple act of spreading has caused major disruption. Confirmed victims include the UK's Ministry of Defence, which reported that the worm had spread across some of its offices, as well as desktops aboard various Royal Navy warships, the UK's parliament, a Sheffield hospital, the judicial systems in the city of Houston and the Bundeswehr (German Army).
F-Secure's informative FAQ on Conficker can be found here, and SRI International's detailed technical analysis is here. A full list of resources, drawn up by the SANS Institute, can be found here. ®
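The update-polling behaviour described above (250 domains a day for the early variants, a sample of 500 out of 50,000 for the latest) is something a network defender can look for in resolver logs: one host suddenly resolving hundreds of distinct, mostly non-existent names in a day stands out from ordinary workstation traffic. The following is an added example, not code from the article or from any of the vendors it cites. It walks a constructed DNS log (format, hosts, names and the per-day thresholds are all assumptions made for the example; the generated names are a deterministic stand-in and have nothing to do with the worm's actual domain algorithm) and reports hosts whose daily distinct-lookup count and NXDOMAIN ratio exceed the thresholds.

```python
"""Flag hosts whose DNS lookups look like Conficker-style update polling.

Added example, not from the article.  Heuristic (an assumption, not a
documented signature): a host that resolves hundreds of distinct names
in a day, almost all of which answer NXDOMAIN, is polling for domains
that do not yet exist, which is what the article's update mechanism does.
"""
import hashlib
from collections import defaultdict

# Constructed log format (an assumption for this example):
#   <ISO timestamp> <client ip> <queried name> <rcode>


def parse_line(line):
    """Split one log line into (day, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return ts[:10], client, qname.lower().rstrip("."), rcode


def per_host_daily_stats(lines):
    """Collect, per (day, client), the distinct names queried and the
    subset of those that answered NXDOMAIN."""
    stats = defaultdict(lambda: {"distinct": set(), "nx": set()})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, client, qname, rcode = parse_line(line)
        rec = stats[(day, client)]
        rec["distinct"].add(qname)
        if rcode == "NXDOMAIN":
            rec["nx"].add(qname)
    return stats


def suspicious_hosts(lines, min_distinct=200, min_nx_ratio=0.8):
    """Return sorted (day, client, distinct_count, nx_ratio) tuples for
    hosts exceeding both thresholds.  Thresholds are tunable assumptions;
    the article's figures (250 or 500 lookups a day) sit well above them."""
    flagged = []
    for (day, client), rec in per_host_daily_stats(lines).items():
        n = len(rec["distinct"])
        if n < min_distinct:
            continue
        ratio = len(rec["nx"]) / n
        if ratio >= min_nx_ratio:
            flagged.append((day, client, n, round(ratio, 2)))
    return sorted(flagged)


def _fake_label(i):
    """Deterministic, guaranteed-unique label for constructed sample data.
    This is NOT the worm's domain-generation algorithm."""
    return hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:6] + f"{i:03d}"


def build_sample_log():
    """Constructed sample: one clean workstation, one host polling 500
    generated names of which only two happen to resolve."""
    lines = []
    for i, name in enumerate(["mail.example.com", "www.example.org",
                              "update.example.net"]):
        lines.append(f"2009-04-01T08:00:{i:02d} 10.0.0.5 {name} NOERROR")
    for i in range(500):
        rcode = "NOERROR" if i % 250 == 0 else "NXDOMAIN"
        ts = f"2009-04-01T09:{i // 60:02d}:{i % 60:02d}"
        lines.append(f"{ts} 10.0.0.23 {_fake_label(i)}.com {rcode}")
    return lines


if __name__ == "__main__":
    for day, client, n, ratio in suspicious_hosts(build_sample_log()):
        print(f"{day} {client}: {n} distinct names, NXDOMAIN ratio {ratio}")
```

Run against a real resolver log, the thresholds need tuning per environment (busy servers and security tooling can legitimately resolve many names), and the NXDOMAIN ratio is the part that separates update polling from ordinary browsing; a flagged host is a candidate for the clean-up tools the article links to, not a verdict on its own.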
COMMENTS
Autorun disabled really?
Did you check that it's disabled for network shares, too? That's the tricky part.
@ Pierre
"And, more importantly, even if you DO manage to disable autorun -not a trivial task-, there's no telling *when* it will automatically switch back on (note the *when*, not *if*. Because it *will* turn itself back on)."
That's funny. I've had my system since 2004, and since I disabled autorun during my initial software install, it has never turned itself back on. Five years, and it's never turned itself back on. So tell me, when should I expect to see it happen?
Also, this shouldn't need to be pointed out, but obviously it does -- if you have a piece of malware installed on a drive and it's activated through autorun, then you were in trouble before you were infected. Allowing people to write to your drive and indiscriminately popping CDs and flash drives into your system are actions that you control. As such, you are the one responsible if you become infected through such methods.
Now, I will wholeheartedly agree that Microsoft is partially to blame if you became infected through a fileshare because of their inconceivable and inexcusable decision to have a blank password for the Administrator account, and then not give you access to the Administrator account (unless you use Safe Mode, or unless you know that hitting CTRL-ALT-DEL twice will bring up the normal type-in-your-username login box). Having said that, you still should have known enough to not use blank, default, or easy to guess passwords.
Re: Re: Just give them time
"a patch was released for this one LAST OCTOBER. The reason there are so many infected systems is because people don't install updates when they should."
Not so. ONE of the primary infection pathways was patched a while ago. The worm now spreads mainly through autorun, in the most "legit" manner. And MS admitted that there is no easy way to disable autorun (no, the "disable autorun" button won't do what it says on the can). And, more importantly, even if you DO manage to disable autorun -not a trivial task-, there's no telling *when* it will automatically switch back on (note the *when*, not *if*. Because it *will* turn itself back on).
So yes, MS is at fault, indeed.
"Get a grip, and stop being a total idiot."
Erm, I couldn't have put it better. Not with the same target though.