Conficker Author Absconding, as D-Day Nears

by Abhinna Shreshtha & Muntazir Abbas    Mar 30, 2009

As April 1, or April Fools’ Day, approaches, security experts and PC users worldwide are waiting to see what the Conficker worm’s next move will be.

The Conficker worm and its variants have infected nearly 15 million PCs globally to date. The worm is programmed to update itself from domains it randomly generates. For the latest version, Conficker C, this amounts to nearly 50,000 domains a day. The virus author needs to use only one of these domains to host the update, thus making tracking nearly impossible.
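Seen from a network's own DNS resolver, the update mechanism described above looks like one client asking for many random-looking names, most of which do not exist, with at most a few resolving. The sketch below is an added example, not part of the original article and not Conficker's actual algorithm; the log format, the consonant-run heuristic, the threshold and all sample names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample resolver log: "<client> <queried name> <response code>".
# All hosts and names are made up; ".example" is a reserved TLD.
SAMPLE_LOG = """\
10.0.0.5 www.microsoft.com NOERROR
10.0.0.5 update.example.org NOERROR
10.0.0.5 intranet.example.org NXDOMAIN
10.0.0.9 qzkxvbtw.example NXDOMAIN
10.0.0.9 hgrpltdk.example NXDOMAIN
10.0.0.9 wxcvjmnq.example NXDOMAIN
10.0.0.9 bdfkzrtp.example NXDOMAIN
10.0.0.9 mnvcxzlk.example NOERROR
10.0.0.9 www.microsoft.com NOERROR
"""

# Assumed heuristic, not Conficker's real name format: a letters-only first
# label containing four or more consonants in a row.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")

def looks_generated(name):
    label = name.lower().split(".")[0]
    return label.isalpha() and bool(CONSONANT_RUN.search(label))

def suspect_hosts(log_text, min_failed=3):
    """Return {client: {"failed": [...], "resolved": [...]}} for clients with
    at least min_failed distinct generated-looking names that did not exist."""
    failed, resolved = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, name, rcode = parts
        if not looks_generated(name):
            continue
        if rcode == "NXDOMAIN":
            failed[client].add(name.lower())
        elif rcode == "NOERROR":
            resolved[client].add(name.lower())
    return {
        client: {"failed": sorted(names), "resolved": sorted(resolved[client])}
        for client, names in failed.items()
        if len(names) >= min_failed
    }

if __name__ == "__main__":
    for client, hits in suspect_hosts(SAMPLE_LOG).items():
        print(client, len(hits["failed"]), "failed; resolved:", hits["resolved"])
```

For a flagged client, the short "resolved" list is the part worth acting on: those are the names to investigate and block, since only one working domain is needed to deliver an update.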

Meanwhile, Microsoft’s $250,000 bounty to trace the author/s of the Conficker worm has not yielded any result so far.

Talking exclusively to CXOtoday, Amit Nath, country manager (India & SAARC) at Trend Micro, said Conficker takes advantage of a vulnerability discovered in the Server service used by certain Microsoft operating systems that could allow remote code execution. "It has infected millions of computers, making it one of the most widespread infections in recent times."

So what could happen on April 1? According to Nath, a new variant could be launched, though there is a lot of speculation on what it may or may not do on April 1. He advises PC users to ensure their computers have the latest security patches and updated security software.

The problem is that no one is sure what exactly will happen on April Fools’ Day. That the Conficker worm will do something is known, but what exactly will happen is still based on conjecture. A possibility is that an advanced form of the Conficker worm may strike around the same day. This could disable security updates, preventing early detection and consequent removal.

The Conficker worm first surfaced in October 2008. In January, infections had crossed nine million PCs globally. Currently, the worm is found in three variants, dubbed A, B, and C.

The worm typically disables system services such as Windows Defender, Automatic Update, Security Center, and Error Reporting. It also allows installation of additional malware on the infected PCs. Further, if your PC is infected, it could block all sites that provide access to anti-virus tools.

"It may be downloaded unknowingly by a user when visiting malicious websites. Once installed in the system, it drops a copy set to allow restricted access with ‘file_execute’ for users. This worm can terminate processes that contain certain strings, running in memory that relates to antivirus programs," said Nath. Due to this process, it avoids early detection and consequent removal.

In a posting on the official blog of Internet security firm PandaLabs, Luis Corrons said the Conficker attack is not really more dangerous than other malware. However, its update functionality leaves a door open to new attacks that could be more dangerous.

He further wrote that, come April 1, the Conficker author could do one of the following:

a) Create a new variant which exploits other zero-day vulnerabilities.

b) Keep alive the three variants which are being distributed and monitor how much money they are making day by day, to the end.

On February 12, 2009, Microsoft announced the formation of a collaboration, called the Conficker Cabal, to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.

Further information on how to protect oneself from the worm and on its removal can be found at the Conficker Cabal site.

We outline five steps that users need to follow to avoid getting infected.


* Buy a genuine copy of Microsoft Windows so that you get access to automatic updates from the Microsoft website. A point worth noting here is that Microsoft had already issued a patch (MS08-067) to fix the vulnerability before the virus was created. This clearly shows that ignorant users are at fault as well for getting infected by this worm.


* Configure your systems to check for updates automatically. Download and apply the updates and patches immediately after they are released. It is fruitless if you just download an update and do not apply it.


* Although CXOtoday does not endorse piracy, the fact is that there are lots of users who run a pirated version of Windows. They should manually download the updates from Microsoft’s website. They are at a greater risk, as they have to keep an eye on what vulnerabilities and patches are available and when they are launched in order to keep their system up-to-date.


* If possible, consider alternative operating systems like
Linux which are relatively.


* Invest in good antivirus software. This will not only prevent such worms from infecting your computers but will prevent other malware from infecting them as well. Note: An antivirus is only as effective as its virus signature database. There is NO point in keeping an antivirus and NOT updating its virus definitions. This is the most common mistake that users make.
