Experts Warn of Second Wave of Conficker Worm Infections

The spreading Conficker/Downadup worm is now viewed as such a significant threat that it has inspired the formation of a posse to stop it, with Microsoft leading the charge by offering a $250,000 reward to bring the people behind the malware to justice.

The money will be paid for "information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet," Microsoft said today in a statement, adding it is fostering a partnership with Internet registries and DNS providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all.


"By combining our expertise with the broader community, we can expand the boundaries of defense to better protect people worldwide," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group.

Conficker, also called Downadup, is estimated to have infected at least 10 million PCs and has been spreading steadily since November. Once on a machine, its main trick is to disable anti-malware protection and block access to anti-malware vendors' Web sites.

But security experts are more concerned about a potentially far worse second stage of the worm: each day it generates a fresh list of more than 250 rendezvous domains around the world and calls home to them, awaiting instructions on what to download or do next.

"The policy we have here is to target the update mechanism," says Gerry Egan, director of product management for security products and response at Symantec, a member of the stop-Conficker coalition.

While the domain names Conficker uses for control change daily, the anti-Conficker coalition anticipates that, with the major domain-name registrars working together, it may be possible to "take out those domains" or otherwise interfere with the smooth running of the Conficker operation, says Egan.

A Microsoft spokesperson says Conficker tries to download malware from these domains and also uploads infection counts to them, but this is not a new trend. A large percentage of the domains are being blocked from registration. Secondly, a number of them are being redirected to "sinkhole" servers owned by trusted research partners around the world; sinkhole servers let researchers observe the worm's activity, according to Microsoft.

This partnership between Microsoft, security researchers, ICANN and operators within the domain name system has proactively disabled a significant number of domains targeted by Conficker to disrupt the use of the worm and prevent potential attacks, the Microsoft spokesperson says.
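The mechanism the coalition is exploiting, as an added worked example that is not from the article or from any coalition member: a hypothetical date-seeded domain generator stands in for Conficker's (whose real algorithm is not reproduced here), and against it the defender side computes the per-TLD list a registrar coalition can pre-register before the bots ask for it, checks how much of one day's set is covered, and tallies the infected hosts a sinkhole sees. The TLD set, the date, the addresses and the beacons are constructed for illustration; only the figure of 250 domains per day comes from the text.

```python
"""Added example: predictable rendezvous domains versus registrar blocking
and sinkholing.  The generator is a HYPOTHETICAL toy, not Conficker's."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # assumption: illustrative TLD set
DOMAINS_PER_DAY = 250                        # figure quoted in the article
DEMO_DAY = date(2009, 2, 13)                 # assumed date for the walk-through


def daily_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Candidate rendezvous domains for one day.

    Deterministic, so every bot with a roughly correct clock derives the same
    list without any prior contact with its operators.  Toy construction:
    SHA-256 over the date and a counter, rendered as an 8-11 letter label.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def registrar_plan(start: date, days: int) -> dict[str, set[str]]:
    """Per-TLD set of names the registries must block or pre-register for a
    coming window.  Because the generator is predictable, the defenders can
    compute this before the bots try the names; that is what makes the race
    winnable at all."""
    plan: dict[str, set[str]] = {}
    for offset in range(days):
        for name in daily_domains(start + timedelta(days=offset)):
            plan.setdefault(name.rsplit(".", 1)[1], set()).add(name)
    return plan


def coverage(day: date, blocked: set[str], sinkholed: set[str]) -> dict:
    """How much of one day's rendezvous set is neutralised.

    One uncovered name is enough for the operators to reach every bot that
    day, so the number that matters is the list of gaps, not the percentage."""
    todays = daily_domains(day)
    return {
        "total": len(todays),
        "blocked": sum(1 for n in todays if n in blocked),
        "sinkholed": sum(1 for n in todays if n in sinkholed),
        "gaps": [n for n in todays if n not in blocked and n not in sinkholed],
    }


def sinkhole_census(beacons: list[tuple[str, str]],
                    sinkholed: set[str]) -> dict[str, set[str]]:
    """What a sinkhole operator sees: unique source addresses that called a
    sinkholed domain, grouped by domain.  Callbacks to names the coalition
    did not capture never reach a researcher and so are invisible here."""
    seen: dict[str, set[str]] = {}
    for src, domain in beacons:
        if domain in sinkholed:
            seen.setdefault(domain, set()).add(src)
    return seen


if __name__ == "__main__":
    todays = daily_domains(DEMO_DAY)
    plan = registrar_plan(DEMO_DAY, 7)
    print({tld: len(names) for tld, names in plan.items()}, "names to pre-register this week")
    # Constructed scenario: the coalition sinkholes five of today's names,
    # blocks most of the rest, and misses the last two.
    sinkholed = set(todays[:5])
    blocked = set(todays[5:-2])
    report = coverage(DEMO_DAY, blocked, sinkholed)
    print(f"{report['blocked']} blocked, {report['sinkholed']} sinkholed, gaps: {report['gaps']}")
    # Constructed beacons from three infected hosts; the one that reached an
    # unsinkholed name is never seen.
    beacons = [("10.0.0.5", todays[0]), ("10.0.0.9", todays[0]),
               ("10.0.0.5", todays[1]), ("10.0.0.7", todays[-1])]
    for dom, hosts in sinkhole_census(beacons, sinkholed).items():
        print(dom, len(hosts), "unique hosts")
```

The point the coverage report makes is the one the coalition faced: blocking "a large percentage" of the domains is not the same as disabling the update channel, because the bots walk the whole list and the operators only need one name to slip through.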

Symantec, which is contributing its malware-analysis expertise to the group, believes there are two main versions of Conficker, "Flavor A" and "Flavor B," which appear to have propagated an additional 450,000 and 1.7 million copies of themselves, respectively, in the last four days alone.

The full set of participants in the anti-Conficker coalition includes ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Interest Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.

While Conficker/Downadup is believed to have spread more widely in Asia than elsewhere, some U.S.-based organizations say they have spotted the worm trying to work its way into their networks.

"We've seen it about two times, and we proactively blocked it," says Waqas Akkawi, senior manager of IT security at SIRVA, the relocation-services firm that includes Allied Van Lines. Akkawi thinks the worm arrived on USB drives carried by outside salespeople who came in to give presentations. Akkawi says the ForeScout CounterACT appliance he uses detected its attempt to spread, and the SIRVA IT staff quickly snuffed it out on a couple of PCs.
