FAQ: Conficker clock ticks toward April 1 deadline
Hype or one heck of a worm? Q&A takes on 2009's most-publicized threat
Computerworld - When a computer worm reaches the critical mass necessary to make it onto last Sunday's 60 Minutes, you know it's either a once-in-a-blue-moon threat or something that's been hyped beyond belief.
The attention that this worm has received is staggering, especially in the past few days as a deadline -- April 1 of all days -- approaches. Although the technical press has been covering Conficker since its appearance late last year, in large part because it exploited one of Microsoft Corp.'s rare "out-of-cycle" patches, the larger world only seemed to wake up to the worm in the past week.
Cue Lesley Stahl....
So is it, as the 60 Minutes segment called it, "a sleeper cell" or just another worm asleep at the wheel?
We posed some of the pressing questions about Conficker and its looming deadline, and answered them. More will undoubtedly follow as the saga continues.
I've been living in a cave since Jan. 1. What's Conficker? Also called Downadup, Conficker is the biggest worm in years as measured by infected PCs, and it began exploiting a Windows bug that Microsoft patched with an emergency update in October 2008. In January, a second variant infected millions more machines.
A third version, Conficker.c, surfaced earlier this month and is the one that has everyone twitchy. This is the edition that's been pushed to some of the PCs already infected with earlier variants -- Conficker.a and Conficker.b -- but doesn't spread on its own to new victims.
What's up with Conficker.c? This tougher strain includes a number of new defensive measures to "armor and harden the existing infections," as Vincent Weafer, vice president of Symantec Corp.'s security response group, put it last week.
What has people anxious about Wednesday, however, is that's when Conficker.c can start using a new communication scheme to establish a link to its command-and-control servers.
Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from the hacker controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily. Most researchers believe that's a direct response to work begun last month by the "Conficker Cabal," an ad hoc consortium of researchers, companies and organizations that have joined forces to disrupt the worm's communications by registering as many of the 250 daily domains as possible.
So? Worms "phone home" all the time. What's so special about Conficker.c and April 1? The April 1 date, which is hard-coded into the worm, has people spooked because of two things: the size of the infected PC pool and a lack of information about what the hackers intend to do once those victimized machines try to reach hacker HQ.
According to some estimates, as many as 12 million PCs have been infected with the worm since it first struck late last year. Symantec, however, recently pegged the number of currently infected systems at 3 million, while F-Secure Corp. said it was more likely in the 1 million-to-2 million range.
At any of those numbers, however, Conficker would be enormous by botnet standards.
What will happen Wednesday when Conficker.c switches on its new "phone home" algorithm? No one knows. And that's a problem.
"It's impossible to know until we see something that has a clear profit motive," said Joe Stewart, noted botnet researcher and director of malware research at SecureWorks Inc., in an interview last week.
Because Conficker's makers upped the ante to take on the cabal, and because security researchers really have no clue what orders they will give infected PCs, speculation has been, to put it kindly, rampant. Some have argued that the massive botnet could go on a distributed denial-of-service (DDoS) rampage, crippling huge chunks of the Web. Others, including Stewart, say the whole thing is probably one giant April Fool's joke.
- Researchers turn Conficker's own P2P protocol against itself
- Conficker botnet could flood Web with spam
- IT was ready for April 1 Conficker attack
- Conficker, the Internet's No. 1 threat, gets an update
- IT Blogwatch: Conficker botnet wakes up and smells the coffee
- Conficker's makers lose big, expert says
- Conficker activation passes quietly, but threat isn't over
- FAQ: Just the facts on Conficker
- Learn More About Peer 1 Hosting's Mission Critical Cloud Mission Critical Cloud from Peer 1 Hosting is enterprise-ready, creating a perfect point of adoption whether you need an off-premise solution for development
- What Makes a Cloud Solution Truly Enterprise-Grade? Future enterprise cloud capabilities will evolve from five core elements...
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade.
- Peer 1's Mission Critical Cloud: Your Cloud, Your Way Peer 1 Hosting's Mission Critical Cloud offers the ultimate in flexible customization of infrastructure, resources and support. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!