Why you should care about the Conficker worm
Published: 27 Mar 2009 14:55 GMT
There has been a lot of hype about the fact that the latest variant of the Conficker worm is set to start communicating with other computers on the internet on 1 April, like an April Fool's Day time bomb with some mysterious payload.
But security researchers say the reality is probably going to be more like what happened when the clocks on the world's computers turned to 1 January, 2000, after lots of dire predictions about the so-called Millennium Bug. That is, not much at all.
"It doesn't mean we're going to see some large cyber-event on 1 April," Dean Turner, director of the global intelligence network at Symantec Security Response, said on Wednesday.
Experts speculate that the people behind Conficker intend to use the botnet, which is made up of all the infected computers, to make money by distributing spam or other malware. To do so, they would need the computers and networks to stay in operation.
"Most of these criminals, even though they haven't done something with this botnet yet, are profit-driven," said Paul Ferguson, an advanced-threats researcher for Trend Micro. "They don't want to bring down the infrastructure. That would not allow them to continue carrying out their scams."
To help clear up some of the confusion about Conficker, here are answers to common questions people may have.
What is Conficker and how does it work?
Conficker is a worm, also known as Downadup or Kido, that cropped up in November. It exploits a vulnerability in Windows that Microsoft patched in October.
Conficker.B, detected in February, added the ability to spread through network shares and via removable storage devices, such as USB drives, through the AutoRun function in Windows.
Conficker.C, which surfaced earlier in March, shuts down security services, blocks infected computers from reaching security websites, and downloads a Trojan. It also contacts other infected computers via peer-to-peer networking and carries a list of 50,000 different domains, of which 500 will be contacted by each infected computer on 1 April to receive updated copies of the worm, other malware, or instructions. Previous Conficker variants were written to connect to 250 domains a day.
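The rendezvous behaviour described above has a defensive side effect: a host working through hundreds of generated domain names per day produces a burst of DNS lookups for many distinct, mostly unregistered names, so a large share of those lookups come back NXDOMAIN. The following Python script is an added example, not code from the article or from any vendor quoted in it; it builds a small constructed DNS log (the log format, the client addresses and the thresholds are all assumptions for illustration) and flags clients whose query pattern fits that profile.

```python
"""Flag DNS clients whose lookups look like rendezvous-domain traffic.

Added example. Input is a constructed log, one query per line in the
assumed format "<epoch> <client_ip> <queried_name> <rcode>". A client that
resolves many distinct registered domains and mostly receives NXDOMAIN is
reported; the cut-offs are illustrative assumptions, not vendor figures.
"""
from collections import defaultdict
import random


def build_sample_log(seed=1, noisy_queries=40):
    """Return constructed DNS log lines (not real traffic).

    Host 10.0.0.5 behaves normally. Host 10.0.0.7 resolves many random-looking
    names that mostly do not exist, the pattern a generated domain list leaves
    in resolver logs.
    """
    rng = random.Random(seed)
    lines = [
        "1238400000 10.0.0.5 www.example.com NOERROR",
        "1238400001 10.0.0.5 mail.example.com NOERROR",
        "1238400002 10.0.0.5 update.example.net NOERROR",
        "1238400003 10.0.0.5 www.example.org NXDOMAIN",
    ]
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    for i in range(noisy_queries):
        label = "".join(rng.choice(alphabet) for _ in range(rng.randint(6, 11)))
        tld = rng.choice(["com", "net", "org", "info", "biz"])
        # Every tenth name "exists" to mimic the few domains someone registered.
        rcode = "NXDOMAIN" if i % 10 else "NOERROR"
        lines.append(f"{1238400010 + i} 10.0.0.7 {label}.{tld} {rcode}")
    return lines


def parse_line(line):
    """Split one log line into (epoch, client_ip, name, rcode)."""
    ts, client, name, rcode = line.split()
    return int(ts), client, name.lower().rstrip("."), rcode


def registered_domain(name):
    """Collapse host.sub.example.com to example.com.

    Two-label approximation; a real deployment would consult the public
    suffix list so that names under co.uk and similar are grouped correctly.
    """
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def summarize(lines):
    """Per-client counters: total queries, NXDOMAIN answers, distinct domains."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": set()})
    for line in lines:
        _, client, name, rcode = parse_line(line)
        entry = stats[client]
        entry["queries"] += 1
        entry["domains"].add(registered_domain(name))
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return stats


def flag_suspicious(lines, min_distinct=20, min_nx_ratio=0.7):
    """Return clients exceeding both the distinct-domain and NXDOMAIN-ratio cut-offs.

    Both thresholds are assumptions for this example; tune them against the
    baseline of your own resolver before relying on the output.
    """
    flagged = []
    for client, entry in summarize(lines).items():
        nx_ratio = entry["nxdomain"] / entry["queries"]
        if len(entry["domains"]) >= min_distinct and nx_ratio >= min_nx_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    log = build_sample_log()
    for client, entry in summarize(log).items():
        print(client, "queries:", entry["queries"],
              "distinct:", len(entry["domains"]), "nxdomain:", entry["nxdomain"])
    print("flagged:", flag_suspicious(log))
```

Run the script directly to see the per-client summary and the flagged host; point `summarize` and `flag_suspicious` at your own resolver logs once the lines are normalised to the assumed four-field layout. The NXDOMAIN ratio matters as much as the raw domain count: busy web hosts also resolve many distinct names, but their answers mostly succeed.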
Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on 13 March. But a Southwest spokesman said the worm had had no impact on the site.
Where did Conficker come from?
Some pieces of the Conficker code, and some of the methods it uses, are similar to those used in previous botnet worms created by the underground operation known as the Russian Business Network and its cohorts in Ukraine, Ferguson noted. But while there is speculation, researchers don't know for sure who is involved, he said.
"There is some evidence to indicate that this might at one point have been tied to distribution of misleading apps and rogue affiliate networks," said Symantec's Turner.
How is it different from other internet worms?
Conficker has grown increasingly sophisticated with each iteration, with features designed to increase its longevity, most likely in response to researchers' attempts to block it. After researchers began preregistering domains targeted in the code, the Conficker.C authors upped the ante...