Tuesday, March 24, 2009

The Conficker C worm coming April 1?

This piece of computer code tells the worm to activate on April 1, 2009 researchers at CA found.
No Joke In April Fool's Day Computer Worm
By John D. Sutter CNN
(CNN) -- A computer-science detective story is playing out on the Internet as security experts try to hunt down a worm called Conficker C and prevent it from damaging millions of computers on April Fool's Day.
This piece of computer code tells the worm to activate on April 1, 2009, researchers at CA found.
The anti-worm researchers have banded together in a group they call the Conficker Cabal.
Members are searching for the malicious software program's author and for ways to do damage control if he or she can't be stopped.
They're motivated in part by a $250,000 bounty from Microsoft and also by what seems to be a sort of Dick Tracy ethic.
"We love catching bad guys," said Alvin Estevez, CEO of Enigma Software Group, which is one of many companies trying to crack Conficker. "We're like former hackers who like to catch other hackers. To us, we get almost a feather in our cap to be able to knock out that worm. We slap each other five when we're killing those infections."
The malicious program already is thought to have infected between 5 million and 10 million computers.
Those infections haven't spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.
What happens on April Fool's Day is anyone's guess.
The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.
More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products.
Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs.
DeBolt said Conficker C imbeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent the malware from causing damage.
The program's code is also written to evolve over time and its author appears to be making updates to thwart some of the Conficker Cabal's attempts to neuter the worm.
"It is very much a cat and mouse game," DeBolt said.
It's unclear who wrote the program, but members of the Cabal are looking for clues.
First, they know that some recent malware programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software.
Worm program authors often hide in those countries to stay out of sight from law enforcement, he said.
In a way, the Conficker Cabal is also looking for the program author's fingerprints. DeBolt said security researchers are looking through old malware programs to see if their programming styles are similar to that of Conficker C.
The prospects for catching the program's author are not good, Morganelli said.
"Unless they open their mouth, they'll never be found," he said.
So, the most effective counter-assault simply may be damage control.
One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said.
Microsoft released a statement saying the company "is actively working with the industry to mitigate the spread of the worm."
Users who haven't gotten the latest Windows updates should go to http://safety.live.com/ if they fear they're infected, the company's statement says.
DeBolt said people who use other antivirus software should check to make sure they've received the latest updates, which also could have been disabled by Conficker C.
The first version of Conficker -- strain A -- was released in late 2008.
That version used 250 Web addresses -- generated daily by the system -- as the means of communication between the master computer and its zombies.
The end goal of the first line was to sell computer users fake antivirus software, said Morganelli.
Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said.
That process-of-elimination approach isn't likely to be effective with Conficker strain C, Morganelli said. The new version will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said.
The first iteration of Conficker is thought to have grown out of a free function for security programs created by Dr. Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology.
"Any technology can be used for good or evil, and this is just an example of that," Rivest said.
Many viruses have taken pieces of benevolent programs and used them for ill. But overall the "open source" environment online promotes computer security far more than it enables hackers, DeBolt said.
"I don't blame the open-source community at all" for virus attacks, he said.
CA said it recently found a piece of code in Conficker C that says the worm will become active on April 1. Previous versions of the malicious software launched on specific dates noted in the program code, so the April Fool's Day launch date is not likely to be a trick, DeBolt said.
"The best minds in the industry are working on this to protect customers," he said. "We're trying to reduce the impact of the April 1 date as best we can. But we know ... this malware will continue to evolve."


Anonymous Anonymous said...


Good article. Sophos' Conficker removal tool can detect and remove all variants of the worm/virus.

As long as people run these tools it should stop any serious outbreak.


11:22 AM  
Anonymous Philip said...

Is it just me or are many of you guys missing out on the date: April 1. It seems that all these media ruckus is not only uncalled for but is actually very disheartening. I don't think the conficker virus will be able to get out on that date, April 1 is as dangerous as any other date. To be sure, it makes sense to just remove the worm from your computer, and I think that has been taken cared of here. Thanks!

2:15 PM  
Anonymous coffee maker said...

even if someone used Conficker to steal my credit card info, there wouldn't be any credit there for them to exploit or spend

10:06 PM  
Anonymous Anonymous said...

Solution from Search-and-destroy.
If you own a computer, you must have antispyware to keep it running at its best. The problem is choosing a scan that works. I have tried many different types of scans in the past and then I ran across Search-and-destroy Antispyware. I have to say that the antispyware solution from Search-and-destroy is the best that I have used to date. It gets the job done and keeps my computer working like new. If you are interested in seeing for yourself just how good this antispyware works you can click on http://www.Search-and-destroy.com to learn more. I’m sure it would be worth your time to check it out.

3:28 AM  
Anonymous Anonymous said...

Try and protect your computer.
If you are like me then you have probably tired many different types of scans to try and protect your computer. There are many different options available but I have found that most of them pick up the same bugs whether you pay for the scan or download a free version. Search-and-destroy Antispyware (http://www.Search-and-destroy.com) is one of the best that I have found so far and it cost less than many of the other well-known scans on the market today. If you are searching for a good scan I suggest that you check out the antispyware solution from Search-and-destroy.

1:38 AM  

Post a Comment

<< Home