FAQ: Conficker clock ticks toward April 1 deadline
Hype or one heck of a worm? Q&A takes on 2009's most-publicized threat
Computerworld - When a computer worm reaches the critical mass necessary to make it onto last Sunday's 60 Minutes, you know it's either a once-in-a-blue-moon threat or something that's been hyped beyond belief.
The attention that this worm has received is staggering, especially in the past few days as a deadline -- April 1 of all days -- approaches. Although the technical press has been covering Conficker since its appearance late last year, in large part because it exploited one of Microsoft Corp.'s rare "out-of-cycle" patches, the larger world only seemed to wake up to the worm in the past week.
Cue Lesley Stahl....
So is it, as the 60 Minutes segment called it, "a sleeper cell" or just another worm asleep at the wheel?
We posed some of the pressing questions about Conficker and its looming deadline, and answered them. More will undoubtedly follow as the saga continues.
I've been living in a cave since Jan. 1. What's Conficker? Also called Downadup, Conficker is the biggest worm in years as measured by infected PCs, and it began exploiting a Windows bug that Microsoft patched with an emergency update in October 2008. In January, a second variant infected millions more machines.
A third version, Conficker.c, surfaced earlier this month and is the one that has everyone twitchy. This is the edition that's been pushed to some of the PCs already infected with earlier variants -- Conficker.a and Conficker.b -- but doesn't spread on its own to new victims.
What's up with Conficker.c? This tougher strain includes a number of new defensive measures to "armor and harden the existing infections," as Vincent Weafer, vice president of Symantec Corp.'s security response group, put it last week.
What has people anxious about Wednesday, however, is that's when Conficker.c can start using a new communication scheme to establish a link to its command-and-control servers.
Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from the hacker controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily. Most researchers believe that's a direct response to work begun last month by the "Conficker Cabal," an ad hoc consortium of researchers, companies and organizations that have joined forces to disrupt the worm's communications by registering as many of the 250 daily domains as possible.
So? Worms "phone home" all the time. What's so special about Conficker.c and April 1? The April 1 date, which is hard-coded into the worm, has people spooked because of two things: the size of the infected PC pool and a lack of information about what the hackers intend to do once those victimized machines try to reach hacker HQ.
According to some estimates, as many as 12 million PCs have been infected with the worm since it first struck late last year. Symantec, however, recently pegged the number of currently infected systems at 3 million, while F-Secure Corp. said it was more likely in the 1 million-to-2 million range.
At any of those numbers, however, Conficker would be enormous by botnet standards.
What will happen Wednesday when Conficker.c switches on its new "phone home" algorithm? No one knows. And that's a problem.
"It's impossible to know until we see something that has a clear profit motive," said Joe Stewart, noted botnet researcher and director of malware research at SecureWorks Inc., in an interview last week.
Because Conficker's makers upped the ante to take on the cabal, and because security researchers really have no clue what orders they will give infected PCs, speculation has been, to put it kindly, rampant. Some have argued that the massive botnet could go on a distributed denial-of-service (DDoS) rampage, crippling huge chunks of the Web. Others, including Stewart, say the whole thing is probably one giant April Fool's joke.
- Researchers turn Conficker's own P2P protocol against itself
- Conficker botnet could flood Web with spam
- IT was ready for April 1 Conficker attack
- Conficker, the Internet's No. 1 threat, gets an update
- IT Blogwatch: Conficker botnet wakes up and smells the coffee
- Conficker's makers lose big, expert says
- Conficker activation passes quietly, but threat isn't over
- FAQ: Just the facts on Conficker
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts