Conficker: Getting the Last Laugh

Will the Conficker worm, expected to activate on April 1, set off viral destruction or be a dud?

Security experts say Conficker.C (also called Downadup) presents a serious threat. Infected machines -- said to number from 3 million to 10 million globally, depending on estimates -- could be activated for data destruction and theft or espionage, spam relays or denial-of-service (DoS) attacks. While a "doomsday scenario" on April 1 seems unlikely, many security professionals regard Conficker.C as the malware fruit of a disciplined criminal operation out to make money off it.

"We need to take it seriously," says Chris Rodriguez, research analyst for network security at consultancy Frost & Sullivan. "The biggest concern is the effectiveness it's had in spreading."

According to Cisco, Conficker.C has infected about 10 million Windows-based computers in 150 countries, with China estimated at 3 million, Brazil at 1 million and Russia at 800,000. These are the top three Conficker infection spots, with some researchers saying the high counts in these regions are due to pirated Microsoft software that doesn't get patched and lack of antivirus software on machines. In the United States, about 200,000 infected computers are suspected.

Symantec, which says it uses a different method for estimates, puts the total Conficker infection count at more like 3 million globally. However you count, an attacker would find it "easy to point all these machines at one target for a denial-of-service attack, or use them for spam or click fraud or cyber-espionage," Rodriguez says. "I'd be surprised if something didn't happen on April 1."

"I wish I could tell you the issue is overblown but that's not the case," says Pat Peterson, Cisco fellow and chief security researcher.

Conficker.C, now under the microscope in labs, reveals "an insane amount of effort in engineering this," Peterson says.

Because Conficker debuted last fall, it hasn't done much besides concentrate on spreading and blocking access to antimalware vendor sites. But Peterson believes Conficker was designed with the intent of making money for the criminals who created it. So DoS attacks, spam, stealing data -- all of those are actions are the Conficker botnet might be used to do.

But Peterson adds that if Conficker is activated as an aggressive botnet by its masters, there will be some countermeasures from ISPs and others trying to coordinate information and actions, such as severing links to its creators. Peterson's guess is Conficker's creators are likely Russian or Ukrainian.

Peterson says he thinks the April 1 trigger date probably won't be so much about "mass destruction" and "lighting up the Internet" that was seen by some worm ou-breaks of years past, but more about the commencement of new command-and-control capabilities.

Others also suspect something similar.

"The April 1 trigger date it will be heading to look for new updates," says Vincent Weafer, Symantec's vice president of security response. The result may be less of a massive attack than a functional update that will "over time, turn on the payload." And there may end up being another variant of Conficker.

There's certainly skepticism in some quarters that Conficker.C will be looking more like a bad April Fool's Day joke.

"The most recent variant is designed to do something on April 1, which most likely will be to contact one of the 50,000 or so URLs it creates," comments Andy Hayter, antimalware program manager for ICSA Labs, which tests security products. But he adds he doubts Conficker will "take over the world on April 1."

SecureWorks says Conficker would be able to use its own peer-to-peer protocol to allow infected nodes to update each other without the use of a centralized command-and-control-server. No updates would be accepted by Conficker unless they are signed by the Conficker author's private encryption key.

But in spite of these ominous signs, SecureWorks research Joe Stewart says he's skeptical that anything at all will happen April 1.

"My personal opinion is that the April 1 activation of the new algorithm may simply be a distraction, a kind of practical joke on the part of the worm author[s]," Stewart says. He thinks there's been a surfeit of press hype about Conficker.C.

"We don't think it will cause anything visible on April 1 and the reason for that is everyone expects that something will happen on April 1," says Patrik Runald, chief security advisor at antimalware firm F-Secure. "It would be pretty stupid if they did a major change that day. And unfortunately for what we're seen so far, the people behind Conficker are anything but stupid."

Derek Manky, threat researcher at Fortinet, says he for one, would be more concerned about what might happen after April 1. "It's still active," he points out.

Subscribe to the Security Watch Newsletter

Comments