Why you should care about the Conficker worm
Published: 27 Mar 2009 14:55 GMT
...by having the algorithm generate 50,000 possible domains a day, instead of just 250, throwing a big roadblock into efforts to counter the worm. The creators are also using strong encryption to hide the logic that decides which random 500 of those 50,000 domains an infected machine will contact on 1 April, so defenders cannot tell in advance which ones matter.
It appears the authors may also be intending to create domain collisions by targeting domains that are already in use by legitimate owners, Ferguson said.
"They're creating collateral damage, throwing a monkey wrench into our ability to counter them," he said. "What they're trying to do is make our lives miserable on any efforts to mitigate the threat."
Some of the tactics, including the domain randomisation, inter-node communication, and use of strong encryption, are new, according to Ferguson.
"They are using tactics that are probably the most complex and sophisticated botnet tactics we've seen to date," he said. "This is very professionally architected design and development."
Turner added: "This is the first widespread distribution of a worm since about 2004" — which is when the Sasser worm came out. That worm was believed to have infected as many as 500,000 computers.
What is being done to fight Conficker?
Microsoft has partnered with all the major security companies and domain registrars and registries to form the Conficker Coalition Working Group. The parties are collaborating on research, trying to put the pieces of the puzzle together and figure out who is behind the worm and how to stop it.
They are using techniques such as behavioural analysis of the code and reverse engineering, but researchers do not want to reveal too much information on their efforts. "We have made headway but I'm hesitant to talk about how far we've gotten," Turner said.
Researchers in the US are preregistering the generated domains before the worm's controllers can, but experts in Canada are going even further. The Canadian Internet Registration Authority is taking steps to block every domain generated by the Conficker code that falls in the .ca top-level domain from being used by the botnet, the not-for-profit agency said.
"If other domain registries were able to do the same thing it would go a long way toward helping mitigate some of the ability for the botnet to breathe," Ferguson said.
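The asymmetry behind both the 50,000-domain change and the preregistration and registry-blocking responses above is easiest to see in code. The following Python sketch is an added illustration, not code from the article and not Conficker's real algorithm (whose seed derivation, TLD list and label lengths differ); the date-seeded design, the six-entry TLD list, the 4-to-9-letter labels and the per-bot random sample of 500 are all assumptions chosen to mirror the numbers in the text. It shows that once the generation logic is reverse engineered, anyone can enumerate a day's full candidate set, so a registry can block its share without knowing which 500 a given bot will pick, while the cost of registering every candidate grows with the set size.

```python
"""Simplified date-seeded domain generation (assumed design, not Conficker's).

Defender and bot both enumerate the same deterministic candidate set for a day;
the defender must cover all of it, the bot tries only a random subset.
"""
import hashlib
import random
from datetime import date

# Hypothetical parameters mirroring the article's figures.
CANDIDATES_PER_DAY = 50_000
CONTACTS_PER_DAY = 500
TLDS = ("com", "net", "org", "ca", "biz", "info")  # assumed TLD list
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_seed(day: date) -> int:
    """Derive the day's seed from the date alone (assumed scheme), so that the
    candidate set is reproducible by anyone who knows the algorithm."""
    digest = hashlib.sha256(day.isoformat().encode()).digest()
    return int.from_bytes(digest[:8], "big")


def candidate_domains(day: date, count: int = CANDIDATES_PER_DAY) -> list[str]:
    """Enumerate the full candidate set for `day` in generation order."""
    rng = random.Random(daily_seed(day))
    domains = []
    for _ in range(count):
        length = rng.randint(4, 9)  # assumed label length range
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def bot_contact_list(day: date, bot_seed: int) -> list[str]:
    """The CONTACTS_PER_DAY domains one bot actually tries on `day`.

    The pick is random per bot (`bot_seed` stands in for per-host entropy), so a
    defender cannot know which 500 without controlling the whole pool."""
    pool = candidate_domains(day)
    return random.Random(bot_seed).sample(pool, CONTACTS_PER_DAY)


def registry_block_list(day: date, tld: str) -> set[str]:
    """What a single registry can do: block every candidate under its own TLD
    for the day, without needing to predict any bot's choice."""
    return {d for d in candidate_domains(day) if d.endswith("." + tld)}


def coverage(blocked: set[str], tried: list[str]) -> float:
    """Fraction of a bot's attempts that land on a blocked or preregistered name."""
    hits = sum(1 for d in tried if d in blocked)
    return hits / len(tried)


if __name__ == "__main__":
    day = date(2009, 4, 1)
    pool = candidate_domains(day)
    tried = bot_contact_list(day, bot_seed=12345)
    ca_blocked = registry_block_list(day, "ca")
    everything = set(pool)
    print(f"candidates for {day}: {len(pool)}")
    print(f"one bot tries {len(tried)}; all in the precomputed pool: "
          f"{set(tried) <= everything}")
    print(f".ca registry blocks {len(ca_blocked)} names, covering "
          f"{coverage(ca_blocked, tried):.1%} of this bot's attempts")
    print(f"preregistering the whole pool covers "
          f"{coverage(everything, tried):.0%} of attempts")
```

Run as a script it prints the pool size, confirms that every domain the simulated bot picks was already in the precomputed set, and shows the partial coverage a single registry achieves versus the full coverage that registering the entire pool would give. Replacing the sample size or the pool size shows directly how the 250-to-50,000 jump changes the defender's workload while leaving the bot's unchanged.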
Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 (£170,000) reward for information leading to an arrest in the Conficker case.
What can I do?
Computer users should apply the Microsoft patch for the Windows Server service vulnerability that Conficker exploits (MS08-067) and update their antivirus and other security software.
Windows users should also apply the Microsoft update for the Autorun feature that was released in February 2009. Before that update, the registry setting meant to disable Autorun did not reliably do so; the update makes it work as documented, so Autorun can be selectively disabled for chosen drive types on a system or across a network with confidence that it is truly off. Besides exposing USB drive users to Conficker and other malware, Autorun has been blamed for infections carried on digital photo frames and other removable storage.
Panda also has released a free 'vaccine' tool for blocking viruses that spread through USB drives.
Microsoft has a Conficker removal tool, while more botnet information and removal resources are on the Shadowserver website.
Credit: FAQ: Conficker time bomb ticks, but don't expect boom from CNET News