News

April 1: D-Day for the Conficker Worm

The Conficker frenzy continues as IT security pros prepare for April 1, when the worm is expected to take some action from infected systems.

• By Jabulani Leffall
• March 30, 2009

And the date is no joke. Security pros have been warning organizations to have their Windows systems properly patched before April 1, or April Fools' Day.

Conficker, also known as W32.Downadup, is a self-replicating malware program designed to pull data from infected Windows-based machines. On April 1, botnets replicated by the worm are expected to contact Web servers owned by the worm's authors.

The worm takes a number of actions against Windows-based clients and servers. It disables the Windows security center and automatic updates. In addition, the new Conficker D strain reportedly prevents booting into safe mode, deletes system restore points and disables third-party security software.

News of the worm's impending action has lit up the blogosphere, and it was even covered by the 60 Minutes TV news program.

"Hysteria is a good description of the situation," said Phil Lieberman, president of Lieberman Software. "The Conficker April first date is more like a feeding frenzy for the anti-virus vendors akin to Black Friday for retailers or the week before Super Bowl Sunday for electronics retailers selling big screen TVs. And the funny thing is that the Conficker virus cuts through the antivirus products like they don't even exist."

The IT community should not focus on "end of the world theories at the moment," said Roger Halbheer, Microsoft's chief security advisor for Europe, the Middle East and Africa in a blog post. However, they should take measures to protect machines from infection.

April 1 could be a nonevent, like the Y2K scare, or it could be the biggest worm replication in the history of computing.

"This is the honest truth -- nobody knows what's going to happen except the bad guys," said Dan Kaminsky, director of penetration testing at security firm IOActive Inc. "We have no idea what the Conficker people want. We know they're good; we know they're adapting. We're not dealing with randomness. We shouldn't panic but we should be figuring out what's going on and act accordingly; get IT staffs better tools."

While what happens on April 1 is unclear, the general consensus seems to be that the worm might try to update itself, according to security software firm Symantec.

"It has been determined that on April 1, W32.Downadup.C, the most recent variant of the [Conficker] malware, will begin to use a new algorithm to determine what domains to contact," an e-mail from Symantec explained. "No other actions have been identified to take place on April 1."

Microsoft is telling Enterprise IT administrators that if they previously delayed installing the Conficker patch issued in October, and if their systems are not infected, then they should patch their Windows operating systems immediately.

Chenxi Wang, security and risk management analyst at Forrester Research, said that enterprise IT pros should both patch and remain vigilant as Conficker.C differs from the original virus. The C version includes new infection methods using peer-to-peer networking to disable even the most effective security tools.

"If you have not done so already, you should apply Microsoft Security MS08-067 patch on every Windows system as soon as possible," Wang warned. "If you do not install the patch before April 1, researchers claim that the virus, once [it] infects your system, will prevent the patch from being installed afterwards. You will have to manually remove the virus and then apply the patch. This can be a labor-intensive and also risky approach."

Group efforts to battle the worm have made some progress. One such effort is a consortium called the Honeynet Project, which just released an enterprise-class Conficker scanner that detects the presence of the worm. The scanner can be downloaded here.

Kaminsky collaborated with his peers on the Honeynet Project. Such collaboration doesn't happen every day, but Kaminsky noted that that it has been five years since this type of remote code execution malware has been so widespread.

"So my thinking is that if we can't get more information about what's going to happen, let's make it less expensive and less vulnerable to detect infections on networks," Kaminsky said. "To that end what we did with this working group of companies is unheard of, but it's called for."