got this via email.

What Will Conficker Bring on April 1? Posted on PCMag.com 03.26.09
The latest variant of the worm, Conficker.C, is programmed to do something on April 1. But what exactly will happen? The scary thing is, no one can say for sure.
The "A" and especially "B" variants of this worm (also known as Downadup) have built a botnet estimated at several million PCs, almost exclusively through exploitation of the MS08-067 vulnerability in Windows. Conficker added some innovative techniques to update itself through a large number of domains, the names of which were algorithmically generated by the program. Because the names were deterministic, it was possible for the DNS authorities (VeriSign et al.) to block the names. With few exceptions, the worm has been unable to spread since that point several weeks ago.
Then the C variant came along. It adds a number of defensive measures designed to protect itself from detection and removal, and it ratchets up the number of domains it can check for updates. As this very large and thorough analysis of Conficker.C from SRI International says, "...Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day." Thus "C" should generate less traffic than the earlier versions, especially inasmuch as it filters the IP addresses for these domains to make them work better and avoid detection.
Avoiding detection is a major theme with Conficker.C. It's not the first malware to try to defend itself in-memory against security software and diagnostic tools, but "C" does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center. Make sure that the update mechanisms for Windows and your anti-malware are actually occurring because Conficker can turn them off.
But the big news with "C" is that the code is scheduled to come alive on April 1 and start contacting the 50,000 domains and download something. What will they download? What will it make the bots do? Honestly, nobody knows. This is the great mystery.
It is possible for "C" to spread in part because there is a direct push mechanism in "B," allowing an outside system to contact it and provide a domain name from which it should download an update, presumably "C".
Conficker is really sophisticated as malware goes. It's clear that its authors are smart people and perhaps that's what's got security people worried. But the only rational way to approach this is to do the things you know you need to do anyway and then not get hung up on it. Remember, there's a very good chance that on April 1 nothing much will happen.
Last edited by govigov: 31st March 2009 at 23:11.
Reason: removed HTML tags
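The article's key defensive point is that a deterministic, date-seeded name generator lets registries and resolver operators enumerate a day's candidate names ahead of time and block or sinkhole them, and lets a network team flag hosts that query those names. The following is an added example, not code from the article or from any Conficker analysis: the generator is a constructed stand-in (SHA-256 over a made-up seed, the date and a counter), not Conficker's real algorithm, and the DNS log lines are constructed.

```python
import hashlib

# Constructed stand-in for a date-seeded name generator. It is NOT Conficker's
# real algorithm; it only reproduces the property the article relies on:
# anyone who knows the generator and the date gets the same list of names.
TLDS = ("com", "net", "org")


def candidate_domains(day_iso: str, count: int, seed: bytes = b"constructed-seed") -> list[str]:
    """Derive `count` candidate rendezvous names for the given ISO date, deterministically."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day_iso.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                      # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(f"{label}.{TLDS[h[13] % len(TLDS)]}")
    return names


def precompute_blocklist(day_iso: str, generated: int = 50_000) -> set[str]:
    """What a registry or resolver operator can do ahead of time: enumerate the
    whole day's candidate set (50,000 per day in the article's description of "C")
    so the names can be blocked or sinkholed before any bot asks for them."""
    return set(candidate_domains(day_iso, generated))


def flag_dns_queries(log_lines: list[str], blocklist: set[str]) -> list[str]:
    """Match queried names in simple 'timestamp client qname' log lines against the
    precomputed set; each hit is a client worth checking for infection."""
    hits = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in blocklist:
            hits.append(qname)
    return hits


if __name__ == "__main__":
    day = "2009-04-01"
    block = precompute_blocklist(day)
    sample = candidate_domains(day, 3)           # what an infected host would ask for
    # Constructed DNS log lines: two queries for generated names, one benign.
    log = [
        f"2009-04-01T00:13:02 10.0.0.7 {sample[0]}.",
        "2009-04-01T00:13:05 10.0.0.7 www.example.com.",
        f"2009-04-01T00:14:41 10.0.0.12 {sample[2]}.",
    ]
    print(flag_dns_queries(log, block))
```

Only the 500 names a given bot actually queries matter for traffic volume, but the blocklist must cover all 50,000, which is why precomputation rather than reactive blocking is the workable defence here.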