posted by Jordan Spencer Cunningham on Tue 31st Mar 2009 06:30 UTC
IconMany have gotten antsy the past months about the Conficker worm, and all with good reason. Though the worm hasn't done much of anything (yet) except spread like the plague, it's infectious if one doesn't have his or her Windows operating system up-to-date with the most recent security updates. The worm is supposed to execute on April 1st, and the computer world is holding its breath to see if a disaster comparable to the hyped-up supposed Y2K doomsday will ensue or if it's just someone's idea of a sick April Fool's Day joke.

Infections

An estimated twelve million computers worldwide have been infected, mostly outside of the United States where there are more illegal versions of Windows floating about, most of them unable to receive the needed security updates from Microsoft due to their pirated nature. Though security firms have been vigilant in creating methods for prevention and removal, and Microsoft itself has issued alerts and removal instructions, the virus has still maliciously infected many millions of computers worldwide, and it's likely that most people don't even know that their computers have been compromised. Another win for the Macintosh and Linux crowds, Windows is the only vulnerable system. However, remember that just because a system can't be infected doesn't mean that it can't help pass a virus along.

Theories

The Conficker worm's purpose is still widely unknown as are its creators, but due to several of its characteristics and to previous worm exploits of similar nature, experts have several theories as to what will happen on April 1st when the worm "detonates," in a manner of speaking.

What is known is that once the virus is triggered on April 1st, it will try to connect to 50,000 domains, 500 each day, to download additional files and instructions. The virus already has indications of a peer-to-peer infrastructure, so one need only use his or her imagination of what may happen.

It is possible that the whole thing is an April Fool's Day joke that will leave everyone just a little more irritable and more protective of their systems, none of whom will be laughing. We've seen mighty hoaxes in the past such as the Y2K Bug or even Google's TiSP.

Optimism aside, since the peer-to-peer technology is already set into place, the worm has a much more malicious purpose. Officials are pretty sure that the intent isn't lighthearted, either:

Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.

-Phillip Porras, research director at SRI International

It’s worth noting that these are folks who are taking this seriously and not making many mistakes. They're going for broke.

-Jose Nazario, researcher at Arbor Networks

According to a study of the Conficker worm done by SRI International, it contains code that enables "infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes."

It could very well possibly be that it will be used to hijack innocent computers to "rent" to shady industries, particularly that of spamming and the further spreading of other malware. It's also been suggested that Conficker could be used to create a darker and unwilling version of something akin to Freenet.

The most horrifying scheme of all is that it may be used to create what researchers call a "Dark Google," a network of infected computers searchable for information at the whim of the criminal underground as a whole with the authors of the Conficker worm selling the answers to criminal queries put into the system. A thoroughly terrifying idea, to be sure, but only to those infected.

In order to stomp out the infection, many security officials have been strenuously working on prevention and removal, and Microsoft has even offered a $250,000 bounty for information leading to the arrest and conviction of the author(s) of the virus.

Symptoms and Prevention

Infected systems can be spotted by several ways, or may not be spotted at all unless equipped with an antivirus program. Users may notice their account lockout policies are being reset; automatic updates, Background Intelligent Transfer Service, Windows Defender, and Error Reporting Services are disabled; domain controllers respond slowly to client requests; the local network seems slow and congested; and websites related to computer security are blocked.

Anyone who has been receiving Microsoft's automatic updates is safe from the initial spreading of the virus, and antivirus software can take care of other infections from other sources (as described in the below section). However, if successfully infected and undetected, the worm can disable antivirus software as well as automatic updates. Users must be sure to have strong passwords on their network shares to prevent the virus from spreading to their computers from a network. Users should also be wary of the AutoPlay function.

Strains and Spreading

There are apparently four strains of the virus out there already, and the fourth, Conficker.D, will be downloaded and updated to the previous strains and then have its executions triggered on April 1st. The virus is able to spread through a vulnerability that was previously patched in Windows, so those who have successfully performed an automatic update since the patch's inception should be safe from this form of spreading. In the .B and .C variant, the virus also infects machines through network shares breaking through poor passwords, mapped network drives, and removable drives (usually spread through USB drives). The worm uses a scheduled task to initiate the virus on remote machines or via an AutoPlay entry added by the worm. Conficker also connects daily to various generated domains to receive any updates in order to counteract efforts to thwart it. Read more about the different strains in detail here.

Roast Them Alive

Don't take this wrong when I say this, but I'm one to admire the genius it takes to initiate such a scare. However, I am of the opinion that the creators of the Conficker worm ought to be roasted alive and fed, while barely being sustained in consciousness by various medical methods, to insects such as the ants seen on Indiana Jones' newest escapade. It always irks me when people take advantage of the great and marvelous computer technology that we have today to turn it into something so criminal, dark, and terrible that users have to live in fear of their computers being compromised. We will see all too soon whether this rampant virus is truly a curse to the extreme or simply a joke gone foul.

e p (1)    68 Comment(s)

Technology White Papers

See More