Conficker Lingers, Say Experts

by Abhinna Shreshtha    Apr 03, 2009


It is premature to dismiss the Conficker virus as a threat, experts warn, as millions of computers worldwide remain infected.

On April 1, the Conficker virus was supposed to get a new update, something that had put PC users and security experts in a frenzy as speculation kept flying about what the virus, which has infected 15 million computers worldwide, would do next. However, the day passed without the worm showing any activity.

Security experts, though, warn that the virus is still a threat. Carl Leonard, threat research manager at Websense Security Labs, said, "There have been some follow-on attacks within search engines that are utilizing the NEWS, but this is nothing new. Conficker should still be considered a serious threat, however. There are millions of machines that are infected and the capability is definitely there for attackers to utilize the network for nefarious purposes."

"Conficker is a large botnet that has a lot of potential to do harm. It hasn't happened just yet, and most security vendors, including Websense, predicted it wouldn't necessarily happen on April 1. However, the bot gives its perpetrators a lot of power, and at some point, Conficker may do something 'bad' on infected machines like stealing data, sending spam, issuing DDOS attacks, etc.," he said.

Among the top possibilities is that the creators of the virus may be working on a more sophisticated ‘.D’ variant that could be even more difficult to track or remove.

Leonard speculates that if this happens, the new variant could include abilities such as:

* More domains generated per day, possibly with different domains generated per machine

* Could include large samples of good domain names to spoof researchers

* Could have some PKI built in to thwart reversing and may use updates to grab new keys

* Could use new methods to spread via MS08-067 with some P2P attributes

Another thing for security managers to be aware of is that some malware writers are exploiting the fear and hype surrounding Conficker to spread fake anti-Conficker tools. Top search engine results for typical Conficker removal keywords have been poisoned to link to potentially malicious or junk websites, again in an attempt to direct users away from legitimate sites.

Some symptoms of a Conficker infection are:

* Account lockout policies being tripped.

* Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and error reporting services are disabled.

* Domain controllers respond slowly to client requests.

* The network is congested.

* Various security-related Web sites cannot be accessed.
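A host triage check for the symptoms listed above, written as an added PowerShell example for this page (not a tool from the article or from Websense); the service names, the Security log event ID 4740, the 24-hour window and the web sites probed are this example's own assumptions:

```powershell
# Added triage script, not from the article: checks one Windows host for the
# infection symptoms listed above. Service names, the 4740 lockout event ID,
# the 24-hour window and the site list are this example's own assumptions.
function Test-ConfickerSymptoms {
    $findings = @()

    # Symptom: Automatic Updates, BITS, Windows Defender and error reporting disabled.
    $watched = @{ wuauserv  = 'Automatic Updates'
                  BITS      = 'Background Intelligent Transfer Service'
                  WinDefend = 'Windows Defender'
                  WerSvc    = 'Windows Error Reporting' }
    foreach ($name in $watched.Keys) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service not present on this OS build
        if ($svc.StartMode -eq 'Disabled') {
            $findings += "$($watched[$name]) ($name) is disabled (state=$($svc.State))"
        }
    }

    # Symptom: account lockout policy being tripped. Event 4740 is logged in the
    # Security log on the DC or local machine; reading it needs an elevated shell.
    $since = (Get-Date).AddHours(-24)
    $lockouts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue)
    if ($lockouts.Count -gt 0) {
        $findings += "$($lockouts.Count) account lockout event(s) in the last 24h"
    }

    # Symptom: security-related web sites unreachable while an unrelated site resolves.
    # A lookup failure for vendor sites only, with a control site resolving, is the signal.
    $securitySites = 'www.microsoft.com', 'www.websense.com', 'www.symantec.com'   # assumed list
    $resolves = { param($h) try { [System.Net.Dns]::GetHostAddresses($h).Count -gt 0 } catch { $false } }
    if (& $resolves 'www.example.com') {
        foreach ($site in $securitySites) {
            if (-not (& $resolves $site)) { $findings += "DNS lookup of $site failed" }
        }
    } else {
        $findings += 'No DNS resolution at all; cannot assess web-site blocking'
    }

    return $findings
}

$result = Test-ConfickerSymptoms
if ($result.Count -eq 0) { 'None of the listed Conficker symptoms observed on this host' } else { $result }
```

Run it from an elevated shell so the Security log is readable. A non-empty result is a reason to scan with an up-to-date vendor tool obtained directly from the vendor, not via a search for removal tools, given the poisoned results the article describes.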
