Conficker's next move a mystery to researchers
'Impossible to know' what massive botnet will do April 1, researchers say
Computerworld - Security researchers are in the dark about what will happen next week when the newest variant of Conficker, 2009's biggest worm by a mile, begins trying to contact its controllers.
"It's impossible to know until we see something that has a clear profit motive," said Joe Stewart, director of malware research at SecureWorks Inc. and a noted botnet researcher.
PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.
That tactic is just one of several designed to make it tough for security researchers to figure out what Conficker's all about, and more importantly, what it might do. "We had to trick it into thinking it's not only getting back the right page, but that it's getting the April 1 date," said Stewart, talking about the machines SecureWorks purposefully infected with Conficker.c.
"So far, we haven't seen any evidence [on those machines] of what it will do April 1," added Stewart, although that's to be expected. "It's not April 1 yet, so they're not going to put something online, where it might be found. In fact, it's almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network."
Symantec Corp.'s Vincent Weafer, vice president of the company's security response group, agreed with Stewart that it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. "Nobody has any real idea," said Weafer. "There's no indication of what it will do April 1."
Weafer characterized the Conficker.c update as one to "armor and harden the existing infections," and noted that the variant, unlike its predecessors, cannot spread to other PCs. "This variant is very defensive-oriented," said Weafer, "to make it less visible and more resilient."
Like Weafer, Stewart sees Conficker.c as a move by the worm's maker or makers to consolidate what's already infected. "The big question is what's the end game?" he said. "Is it just as big as they want it to get?"
He also noted Conficker.c's tilt toward the sophisticated, seconding Weafer's opinion that the worm's makers are trying to stump both researchers and antivirus software.
"This is a very curious thing," Stewart said. "[The hackers] are more patient and more methodical than most. They're raising the bar, by a lot, in terms of what we have to do to figure out what it does, to block it, to clean it.
"It's not your typical type of e-crime," he said.
Conficker, which is also called Downadup by some security companies, first appeared late last year, and originally exploited a Windows vulnerability that Microsoft Corp. patched in an October 2008 emergency update. In early 2009, the next version -- Conficker.b -- infected millions of PCs in just a few days.
- Conficker's makers lose big, expert says
- Conficker activation passes quietly, but threat isn't over
- FAQ: Just the facts on Conficker
- Security managers concerned but confident about Conficker on eve of expected attack
- IBM: Conficker.c infects small number in U.S.
- Security software scammers riding on Conficker's coattails
- Researchers exploit Conficker flaw to find infected PCs
- Conficker's next move a mystery to researchers
Read more about Security in Computerworld's Security Topic Center.
- 5 Ways Dropbox for Business Keeps Your Data Protected Protecting your data isn't a feature on a checklist, something to be tacked on as an afterthought. Download here to find out how...
- The Keys to Securing Data in a Collaborative Workplace Losing data is costly. IT professionals have spent years learning how to protect their organizations from hackers, but how do you ward off...
- Evaluating File Sync and Share Solutions: 12 Questions to Ask about Security File sync and share can increase productivity, but how do you pick a solution that works for you? Download to learn some important...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!