
No Serious Threat from Conficker on April 1

Conficker is scheduled to update itself April 1. But analysts say the update appears to be an upgrade of its defenses rather than a planned attack.

The most recent variant of the Conficker worm, also known as W32.Downadup.C, is scheduled to update itself April 1. But analysts who have examined the code say it appears to be an upgrade of its defenses rather than an attack by the widespread botnet of machines compromised by the worm.

"There is no reason to believe that April 1 will be any different from any other day," said Kevin Haley, director of Symantec Security Response.

The worm uses an algorithm to generate a pseudo-random list of domains for its command-and-control network, which its infected clients check daily for instructions. Symantec analysts believe that on April 1 the malware will begin using a new algorithm to determine what domains it will contact.

"It now generates 500 domains every day," Haley said. "It's going to do 50,000" with the new algorithm. Because a command-and-control server is a weak spot whose elimination can disable a botnet, the update could make Downadup more difficult to attack. But it does not mean the worm is more likely to attack others.
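The two paragraphs above describe why a date-driven domain generation algorithm matters to both sides: every infected host computes the same daily candidate list, so an analyst who has recovered the algorithm can predict the list too, register or sinkhole the domains, and flag any internal host that resolves them. The following example, added here and not code from Symantec or from the worm itself, uses a constructed toy generator (a date-seeded SHA-256, with a made-up seed constant and TLD list that are assumptions, not Conficker's real algorithm) to show that prediction, to match a few constructed DNS log lines against the predicted set, and to show why raising the daily count from 500 to 50,000 makes pre-registration far more expensive while yesterday's blocklist is useless today.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA. NOT Conficker's algorithm: it only illustrates the
# property that the date plus a fixed seed deterministically yields the
# day's candidate list, so hosts and analysts derive the same domains.
TOY_SEED = b"example-seed"          # assumption: a made-up constant
TLDS = ("com", "net", "org")        # assumption: a made-up TLD list


def toy_dga(day, count, seed=TOY_SEED):
    """Return `count` candidate domains for the calendar date `day`."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        # Eight lowercase letters from the digest; TLD chosen by the last byte.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def predicted_set(day, count, skew_days=1):
    """Union of the candidate lists for `day` plus/minus `skew_days`.

    Infected hosts do not all share one clock, so a defender widens the
    window by a day on each side when building a sinkhole or block list.
    """
    window = [day + timedelta(days=k) for k in range(-skew_days, skew_days + 1)]
    return {d for wd in window for d in toy_dga(wd, count)}


def flag_dga_queries(log_lines, day, count, skew_days=1):
    """Map client IP -> predicted domains it queried (detection logic).

    Each log line has the constructed form: "<timestamp> <client> <qname>".
    """
    predicted = predicted_set(day, count, skew_days)
    hits = {}
    for line in log_lines:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in predicted:
            hits.setdefault(client, []).append(qname)
    return hits


def registrations_needed(per_day, days):
    """Domains a defender would have to register/sinkhole to cover `days`."""
    return per_day * days


# Constructed sample DNS log: two hosts query toy-DGA domains, one does not.
SAMPLE_DAY = date(2009, 4, 1)
_day_list = toy_dga(SAMPLE_DAY, 500)
SAMPLE_DNS_LOG = [
    f"2009-04-01T00:03:11 10.0.0.5 {_day_list[0]}",
    "2009-04-01T00:03:12 10.0.0.5 www.example.com",
    f"2009-04-01T00:04:09 10.0.0.5 {_day_list[41]}",
    "2009-04-01T00:05:00 10.0.0.9 update.example.net",
    f"2009-04-01T00:06:30 10.0.0.12 {_day_list[499]}",
]

if __name__ == "__main__":
    for client, names in flag_dga_queries(SAMPLE_DNS_LOG, SAMPLE_DAY, 500).items():
        print(f"{client} resolved {len(names)} predicted domain(s): {names}")
    # The scaling point from the article: 500/day versus 50,000/day over a week.
    print("old:", registrations_needed(500, 7), "new:", registrations_needed(50000, 7))
    # Day-over-day overlap is empty, so a stale blocklist does not carry over.
    nxt = SAMPLE_DAY + timedelta(days=1)
    print("overlap with next day:", len(set(_day_list) & set(toy_dga(nxt, 500))))
```

The detection function only needs the recovered algorithm and the clock window; it never touches the malware. In practice the predicted set would feed a resolver block list or a sinkhole, and the per-client hit list is what an analyst would pivot on to find infected machines.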

"This certainly is an issue of concern, but the probability of a major cyber event taking place on April 1 is really not very likely," said Vincent Weafer, vice president of Symantec Security Response. "In reality, the author or authors of Downadup probably didn't intend for this malware to get as much attention as it has."

The current economic model for criminal hacking calls for a low and slow approach that does not draw attention to activities. Although estimates of Downadup infections range as high as 10 million devices, the current size of the network of available computers is probably a couple million, and so far they do not appear to have been put to work as a botnet.

"It's a good-sized network," Haley said. But "we may never see a big bang" from it.

The worm's success and the interest it has generated stem from the combination of tools it uses to spread and protect itself, although none of the tools is unique.

"This is the most technically interesting worm we've seen because of the way it spreads, as well as the communication mechanism, its encryption types and the methods it uses to contact its command-and-control servers," said Andrew Storms, director of security operations at nCircle, a network security automation company.

"It's good at what it does, and it looks like there is some thought and organization behind it," Haley said.

The original W32.Downadup.A exploited only the MS08-067 vulnerability in Microsoft Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 operating systems, for which Microsoft issued a patch outside its regular monthly patching cycle. The more recent B variant added password guessing and the ability to copy itself to USB drives, giving it a wider dissemination throughout a network once it is inside. The authors of the malware appear to be trying to gather networks' low-hanging fruit.

Its high visibility has made Downadup risky for those who plan to use it.

"This is eerily reminiscent of the major worms of five years or more ago," said Chris Schwartzbauer, senior vice president of worldwide sales and marketing at Shavlik Technologies. The high visibility of worms such as Sasser, Blaster and Code Red prompted networks to protect themselves.

Although the latest Downadup variant could have a more secure communication method, the worm already has the ability to communicate peer-to-peer, and there would be no reason to think it is waiting for April 1 for a major command, Haley said.

The advice of most experts is to stay patched and stay calm. Tools are available to detect and remove the worm, and organizations with up-to-date patches should be safe.

"Most enterprises already are using a patch management process and following industry best practices," Storms said. "They are likely already patched and protected from a Conficker infection."

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).
