Conficker Computer Worm, Horrible or Hype? April Fool’s Day Trouble?
The extremely fast-moving Conficker computer worm is set to come to life again on Wednesday.
Wednesday, April Fools' Day, is when many of the previously infected computers will activate. They will start phoning home to the worm's creators, who in turn will be able to activate a program to send spam, spread more infections… and possibly even bring down websites.
Now how much trouble could this actually cause? Immeasurable! Now the question is, will it? Will it cause massive network outages, lag time, down time, and attacks on millions of computers? Most likely not. Researchers who have been studying and tracking Conficker say the day will probably come and go quietly.
Yahoo News quotes, “I don’t think there will be a cataclysmic network event,” said Richard Wang, manager of the U.S. research division of security firm Sophos PLC. “It doesn’t make sense for the guys behind Conficker to cause a major network problem, because if they’re breaking parts of the Internet they can’t make any money.”
Conficker is not believed to be like older Internet worms such as Slammer, which in 2003 saturated data pipelines with so much traffic that it completely shut down corporate and government systems.
Current Internet threats are designed to bring in money. The many Conficker-infected machines could potentially be one of the greatest cybercrime tools ever designed. The only problem is that Conficker's authors have not found the optimum way to communicate with them.
PCs infected with Conficker need commands to activate. They get those commands by reaching out to websites that are controlled by Conficker's authors. Any website could potentially be used, just by hacking into it and gaining control.
Yahoo News says, “So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains — the spots on the Internet where Web sites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)”
Now Conficker has in a way shot itself in the foot. Its quick spread across the Internet drew attention and computer security companies were put on notice. They have been able to work with domain name registrars, which administer Web site addresses, to block the infected machines from dialing.
On April 1, many Conficker-infected machines will generate a huge list of up to 50,000 new domains a day that they could try. Of that group, the host worm will select 500 for the machines to actually dial. The authors will still need to get one of those up and running to connect to their host worm.
Experts already know which domains the infected machines will dial, but registering them all beforehand, or persuading the registrars to neutralize all of them, is much harder.
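The arithmetic behind the two paragraphs above, as an added example (not from Yahoo News or the researchers quoted). It assumes each machine picks its 500 domains uniformly at random from the day's 50,000 and that days are independent; the function names are hypothetical.

```python
from math import comb

POOL = 50_000      # article: candidate domains generated per day from April 1
TRIED = 500        # article: domains each infected machine actually dials
OLD_POOL = 250     # article: earlier behaviour, all 250 domains tried daily

def p_contact(pool, tried, live):
    """Chance one machine dials at least one live domain in a day.

    'live' = domains in the day's pool that resolve to the authors' server,
    i.e. were neither pre-registered by defenders nor neutralized.
    Hypergeometric: 1 - C(pool-live, tried) / C(pool, tried).
    """
    if not 0 <= live <= pool or not 0 <= tried <= pool:
        raise ValueError("need 0 <= live, tried <= pool")
    return 1 - comb(pool - live, tried) / comb(pool, tried)

def p_contact_within(days, p_day):
    """Chance of at least one contact over several independent days."""
    return 1 - (1 - p_day) ** days

def max_leak(pool, tried, ceiling):
    """Most live domains defenders can miss while keeping the daily
    contact chance per machine below 'ceiling'."""
    live = 0
    while live < pool and p_contact(pool, tried, live + 1) < ceiling:
        live += 1
    return live

if __name__ == "__main__":
    print(f"old scheme, 1 live of {OLD_POOL}: {p_contact(OLD_POOL, OLD_POOL, 1):.3f}")
    for live in (1, 10, 100):
        p = p_contact(POOL, TRIED, live)
        print(f"new scheme, {live:>3} live: per day {p:.3f}, "
              f"within 30 days {p_contact_within(30, p):.3f}")
    print("misses allowed for <50% daily contact:", max_leak(POOL, TRIED, 0.5))
```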
“We expect something will happen, but we don’t quite know what it will look like,” said Jose Nazario, manager of security research for Arbor Networks, a member of the “Conficker Cabal,” an alliance trying to hunt down the worm’s authors.
“With every move that they make, there’s the potential to identify who they are, where they’re located and what we can do about them,” he added. “The real challenge right now is doing all that work around the world. That’s not a technical challenge, but it is a logistical challenge.”
Conficker’s authors have updated the worm so computers that are infected have new ways to talk to each other. They can share commands rather than having to dial hacked Web sites for instructions.
How do we stop Conficker as computer owners? First of all, you need to be current on your Internet security updates.
Conficker exploits a vulnerability in Windows that was fixed in an update in October 2008. Many people do not install current updates, and others have illegal copies of Windows that do not support updates.
What makes Conficker different? You do not have to download Conficker. It finds vulnerable PCs on its own and does not need human involvement.
Once inside, the worm tries to crack administrators’ passwords, disable security software, and block access to antivirus Web sites.
What are your options if you have Conficker? So far the only advice I have seen is to reinstall your operating system.
Is the Conficker scare of 2009 horrible or hype? Well I guess that depends on if the people tracking Conficker and trying to stop it are as smart as the people who created it. To the creators of Conficker, take pity on me and let me skate by…. please.
Kimberly Veautour
Acknowledgements: Yahoo News
© 2009, KymberStyle. All rights reserved.