Will Conficker.C Blow up on us April 1?
Conficker has gotten more than its share of coverage as probably the most important malware of the last year, and this coming week will bring a whole lot more. The latest variant of the worm, Conficker.C, is programmed to do something on April 1. Exactly what it will do, and how big a deal it will be for the rest of us, nobody can say for sure.
The A and especially B variants of this worm (also known as Downadup) built a botnet in the several-million-system range, primarily through exploitation of the MS08-067 vulnerability in Windows. Conficker added an innovative update mechanism: it checks a large number of domains whose names are generated algorithmically by the program itself. Because the names are deterministic, the registries and DNS operators involved (VeriSign, et al.) could compute them in advance and block them, and with few exceptions the worm has been cut off from its update channel since that point several weeks ago.
Then C came along. It adds a number of defensive measures designed to protect itself from detection and removal, and it ratchets up the number of domains it can check for updates. As the very large and thorough analysis of Conficker.C from SRI International puts it, “…Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day.” Thus C should actually generate less DNS traffic than the earlier versions, all the more so because it filters the IP addresses returned for these domains, both to make the rendezvous work better and to avoid detection.
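To make the domain-generation point concrete, here is an added example (not code from the original article, and not Conficker's real algorithm) of a toy date-seeded generator and the defender's side of it: precompute the day's pool, then scan DNS query logs for lookups of generated names. The hash construction (SHA-256 over the date and an index), the TLD list, the BIND-style log format, the sample log lines and the per-host draw of 500 names from the 50,000-name pool are all assumptions of this example; the page only states the 50,000 and 500 figures.

```python
import datetime as dt
import hashlib
import random
import re
from collections import defaultdict

# Assumed TLD list for the toy generator; Conficker's real list is different.
TLDS = ("com", "net", "org", "info", "biz")

APRIL_1 = dt.date(2009, 4, 1)


def generate_domains(day, count):
    """Deterministically derive `count` rendezvous names for `day`.

    The seed is only the date, so every copy of the bot, and every defender
    who has reverse-engineered the generator, computes the same list. That is
    what made pre-registering or blocking the names feasible.
    Hash construction (SHA-256 over date || index) is this example's choice.
    """
    seed = day.isoformat().encode()
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                       # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def host_query_subset(day, host_id, pool, k):
    """The k names one infected host actually resolves on `day`.

    Assumption: the draw is per host (seeded by date and a host identifier),
    so two bots query different subsets of the same pool. The defender still
    has to cover the whole pool; the operator only needs a few of its names
    live to reach some fraction of the bots.
    """
    rng = random.Random(f"{day.isoformat()}:{host_id}")
    return rng.sample(pool, k)


# BIND-style query log line (constructed format), e.g.
# 01-Apr-2009 00:00:05.000 client 10.0.0.5#51234: query: example.com IN A +
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")


def find_dga_lookups(log_lines, blocklist):
    """Return {client_ip: {names}} for every lookup of a generated name."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in blocklist:
            hits[m.group("ip")].add(name)
    return dict(hits)


def demo():
    """Precompute April 1's pool, then scan a constructed log for one bot."""
    pool = generate_domains(APRIL_1, 50_000)
    blocklist = set(pool)
    bot_names = host_query_subset(APRIL_1, "10.0.0.5", pool, 500)
    # Constructed sample log: three of the bot's lookups plus benign traffic.
    lines = [
        f"01-Apr-2009 00:00:0{i}.000 client 10.0.0.5#5{i}000: query: {n} IN A +"
        for i, n in enumerate(bot_names[:3])
    ]
    lines.append("01-Apr-2009 00:00:09.000 client 10.0.0.7#51000: "
                 "query: www.microsoft.com IN A +")
    return find_dga_lookups(lines, blocklist)


if __name__ == "__main__":
    for ip, names in demo().items():
        print(ip, sorted(names))
```

Run as a script it prints the one client that resolved generated names. The point to take from it is the asymmetry in the SRI numbers: a defender who wants to block the rendezvous has to cover all 50,000 names for the day, whereas each bot only ever touches 500 of them, so the daily blocklist grows two hundredfold while the per-bot query traffic actually drops.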
Avoiding detection is a major theme in Conficker.C. It’s not the first malware to defend itself in memory against security software and diagnostic tools, but C does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center. My impression from talking to anti-malware vendors is that they can still detect it, and I’m inclined to believe them; after all, there are just a few variants of Conficker and they are well understood.
Some security vendors, such as ESET, are urging you to back up before April 1 and to make sure that your security software is working properly. Of course (and they say this too) these are things you should be doing anyway. But do confirm that Windows and anti-malware updates are actually being applied, not just scheduled, because Conficker can turn those mechanisms off.
But the big news with C is that the code is scheduled to come alive on April 1, start querying its daily set of rendezvous domains (500 drawn from the 50,000 it generates) and download something. What will it download? What will that make the bots do? Honestly, nobody knows. This is the great mystery.
Another question you might ask is this: if the DNS powers that be cut off the update channel for Conficker A and B, how did C get onto infected machines? Perhaps it’s not that widespread after all? I asked Richard Wang, Manager of SophosLabs US, about this. He stresses that it’s hard to know for sure how much Conficker C is out there, because infected machines are lying low until April 1. Among Sophos customers, C is 6% of the Conficker population, but it’s not clear whether that’s representative of the world overall. It is possible for C to spread in part because B has a direct push mechanism, which lets an outside system contact an infected machine and hand it a domain name from which to download an update, presumably C.
Conficker is really sophisticated, as malware goes. Its authors are clearly smart people, and perhaps that’s what has security people worried. But the only rational approach is to do the things you know you need to do anyway and then not get hung up on it. Remember, there’s a very good chance that on April 1 nothing much will happen.