The Tech Herald

Is the recent Conficker hype justified?

by Steve Ragan - Mar 27 2009, 18:18

Will there be a massive attack launched online? Should you panic, considering that the April 1 activation deadline looms? According to experts, not at all, as no one is completely sure what to expect. The one thing experts agree on is that no one with current anti-Virus protections has much to fear from the pending update cycle. Perhaps, considering the hype, the joke is on us.

The latest news on Conficker centers on the April 1 activation of code discovered in the latest variant of the Worm. When Symantec discovered variant C of Conficker (Downadup), it reported that the variant contained new code that seriously increased the scope of its update mechanism.

The new variant of Conficker has an updated domain generation algorithm. Earlier variants would generate 250 domains, which infected systems would attempt to connect to in order to receive updates and instructions. Researchers cracked the domain generation and started registering and blocking the domains before they could be used, limiting the scope of that update and infection method.

However, some domains generated by Conficker turned out to be legitimate, causing some concern because of an elevated attack vector. Symantec reported that the 250-domain limit is gone, replaced by a 50,000-a-day generation algorithm that uses one of more than one hundred possible domain suffixes, such as com, net, org, tv, info and ws.

“These early findings may suggest that the Downadup authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines. Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation,” Symantec said at the time.

Later the same week, security vendor CA reported that the new variant of Conficker was programmed to launch the new domain generation on April 1.

“This Worm, detected as Win32/Conficker.C, is getting ready for April Fool’s Day on 1 April, although it definitely won’t be fooling around. On that day, Conficker.C will commence its attempt to generate 50,000 URLs daily and try to access (download or report back to) 500 of them. It is a clever strategy, but the security industry is certainly on the lookout,” CA said at the time.
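The two schemes described above (250 candidate domains a day in the older variants versus 50,000 a day with 500 contacted in variant C) can be compared with a small defender-side model. The following is an added example, not code from the article, Symantec or CA: the `candidate_domains` generator is a hypothetical date-seeded stand-in and not Conficker's real algorithm, the suffix list is the one the article names, and the probability functions assume the worm picks its 500 contact domains uniformly at random from the day's pool, which is a modelling assumption.

```python
"""Added example: why pre-registering a worm's generated domains worked at
250 domains a day and stops working at 50,000 a day.  The generator below is
a hypothetical construction, not Conficker's actual algorithm."""
import hashlib
from math import comb

# Suffixes the article names; the real variant is described as choosing
# from more than one hundred.
SUFFIXES = ["com", "net", "org", "tv", "info", "ws"]


def candidate_domains(day: str, count: int, suffixes=SUFFIXES) -> list[str]:
    """Hypothetical date-seeded generator (day as 'YYYY-MM-DD').  The same day
    always yields the same list; that determinism is what let researchers run
    the real algorithm ahead of time and register or block its output."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).hexdigest()
        label = digest[: 8 + i % 5]          # 8-12 hex characters, a valid DNS label
        suffix = suffixes[int(digest[-2:], 16) % len(suffixes)]
        domains.append(f"{label}.{suffix}")
    return domains


def blocklist_for(day: str, count: int) -> set[str]:
    """What a defender would feed to a sinkhole or DNS blocklist for `day`."""
    return set(candidate_domains(day, count))


def p_worm_reaches_attacker(pool: int, attacker_owned: int, contacted: int) -> float:
    """Probability that at least one of the `contacted` domains the worm picks
    from the day's `pool` is one the attacker registered.  Assumes uniform
    random selection without replacement (hypergeometric)."""
    attacker_owned = max(0, min(attacker_owned, pool))
    if attacker_owned == 0:
        return 0.0
    p_none = comb(pool - attacker_owned, contacted) / comb(pool, contacted)
    return 1.0 - p_none


def p_defender_owns_every_contact(pool: int, defender_owned: int, contacted: int) -> float:
    """Probability that every domain the worm contacts is one the defenders
    pre-registered, i.e. the update channel is fully denied that day."""
    return comb(defender_owned, contacted) / comb(pool, contacted)


def attacker_domains_needed(pool: int, contacted: int, target: float = 0.99) -> int:
    """Smallest number of attacker registrations giving at least `target`
    probability of reaching the worm on a given day (linear search)."""
    k = 0
    while p_worm_reaches_attacker(pool, k, contacted) < target:
        k += 1
    return k


if __name__ == "__main__":
    old = blocklist_for("2009-04-01", 250)
    print(f"{len(old)} domains to pre-register for the older scheme, e.g. {sorted(old)[:3]}")
    # Older variants: 250 candidates, defenders register all 250.
    print("old scheme, defenders own all 250:",
          p_defender_owns_every_contact(250, 250, 250))
    # Variant C: 50,000 candidates, 500 contacted, defenders block 250 of them.
    print("new scheme, defenders own 250 of 50,000:",
          p_defender_owns_every_contact(50_000, 250, 500))
    print("new scheme, attacker owns 1 of 50,000:",
          round(p_worm_reaches_attacker(50_000, 1, 500), 4))
    print("attacker registrations for 99% reach:",
          attacker_domains_needed(50_000, 500))
```

Under these assumptions, registering the whole 250-domain pool denies the update channel outright, while registering the same 250 out of 50,000 gives the defender no chance of covering all 500 contacts, and the attacker needs only a few hundred registrations a day to be almost certain of reaching the worm. That asymmetry is why the industry's response to the larger pool shifted from registering domains toward blocking and sinkholing them at scale.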

Version C also targets researchers and security measures. According to Symantec’s report, if the Worm detects processes on an infected system whose names contain strings related to security testing, analysis or anti-Virus software, it kills them. Processes matching Wireshark, Unlocker, TCPview, filemon, ms08-06, kb958, kb890, confick, hotfix and downad are all killed off by the Worm.

However, it is important to remember some basic logic before you panic over April 1, and what actions Conficker might or might not take.

Conficker is a nasty piece of Malware, explains Randy Abrams, ESET’s Director of Technical Education. “In addition to disabling the Windows security center and automatic updates, it is reported to prevent booting into safe mode and to delete system restore points. It has a few other nasty tricks up its sleeve too, like disabling lots of other security software,” he wrote recently in a company blog post.

“Before you hyperventilate over this one though, remember, there are thousands of other threats out there as well. If you are taking the right steps to keep your computer secure, then Conficker.C will be no riskier to you than the other threats you have not been getting infected with.”

Moreover, as the panic starts to spread, it is also important to note that version C of Conficker is not the common variant that has infected millions of systems worldwide.

That would be version B, which is just as serious, but it is also the version researchers have spent countless hours watching and studying. Thanks to their research, and cooperation on a massive scale, Conficker might just be the most widely researched Worm in the last decade or so.

Researchers were able to decode the Worm and predict which domains were going to be listed as potential update points and communications centers. Armed with this information, they teamed up and started blocking domains before they were registered. What this did was limit the infection and update vectors used by the authors of the Worm. While it did not stop infection completely, it did slow it to a point, and for an industry that is mostly reactive, the proactive stance should be noted as a serious positive.

Not only did the researchers team up to fight the Worm, they placed a bounty on the heads of the authors. The bounty, $250,000 USD, is the result of Microsoft not being prepared to “sit back and let this kind of activity go unchecked.”

As April 1 approaches, relax. Panic never solves anything. Using some basic precautions and layered security will defend you. In his post, Abrams hits this point home with the following advice.

“If you don’t have anti-Virus, and no, Windows Defender is not anti-Virus, then get some. We have a fine product here at ESET, but if you want to go the free route, just make sure that the product you choose is tested by Virus Bulletin. For paid programs, they should either be tested by Virus Bulletin or certified by ICSA Labs or have West Coast Labs Checkmark certification.”

Purchasing or installing one of the security applications tested by the companies Abrams mentions will also prevent infection from Rogue AV products that are taking advantage of the Conficker fear.
