FAQ: Conficker clock ticks toward April 1 deadline
Hype or one heck of a worm? Q&A takes on 2009's most-publicized threat
Computerworld - When a computer worm reaches the critical mass necessary to make it onto last Sunday's 60 Minutes, you know it's either a once-in-a-blue-moon threat or something that's been hyped beyond belief.
The attention that this worm has received is staggering, especially in the past few days as a deadline -- April 1 of all days -- approaches. Although the technical press has been covering Conficker since its appearance late last year, in large part because it exploited one of Microsoft Corp.'s rare "out-of-cycle" patches, the larger world only seemed to wake up to the worm in the past week.
Cue Lesley Stahl....
So is it, as the 60 Minutes segment called it, "a sleeper cell" or just another worm asleep at the wheel?
We posed some of the pressing questions about Conficker and its looming deadline, and answered them. More will undoubtedly follow as the saga continues.
I've been living in a cave since Jan. 1. What's Conficker? Also called Downadup, Conficker is the biggest worm in years as measured by infected PCs, and it began exploiting a Windows bug that Microsoft patched with an emergency update in October 2008. In January, a second variant infected millions more machines.
A third version, Conficker.c, surfaced earlier this month and is the one that has everyone twitchy. This is the edition that's been pushed to some of the PCs already infected with earlier variants -- Conficker.a and Conficker.b -- but doesn't spread on its own to new victims.
What's up with Conficker.c? This tougher strain includes a number of new defensive measures to "armor and harden the existing infections," as Vincent Weafer, vice president of Symantec Corp.'s security response group, put it last week.
What has people anxious about Wednesday, however, is that's when Conficker.c can start using a new communication scheme to establish a link to its command-and-control servers.
Earlier versions of the worm generated a list of 250 possible domains each day that the malware could use to route instructions from the hacker controllers, but Conficker.c cranks out a list of 50,000 Web addresses daily. Most researchers believe that's a direct response to work begun last month by the "Conficker Cabal," an ad hoc consortium of researchers, companies and organizations that have joined forces to disrupt the worm's communications by registering as many of the 250 daily domains as possible.
So? Worms "phone home" all the time. What's so special about Conficker.c and April 1? The April 1 date, which is hard-coded into the worm, has people spooked because of two things: the size of the infected PC pool and a lack of information about what the hackers intend to do once those victimized machines try to reach hacker HQ.
According to some estimates, as many as 12 million PCs have been infected with the worm since it first struck late last year. Symantec, however, recently pegged the number of currently infected systems at 3 million, while F-Secure Corp. said it was more likely in the 1 million-to-2 million range.
At any of those numbers, however, Conficker would be enormous by botnet standards.
What will happen Wednesday when Conficker.c switches on its new "phone home" algorithm? No one knows. And that's a problem.
"It's impossible to know until we see something that has a clear profit motive," said Joe Stewart, noted botnet researcher and director of malware research at SecureWorks Inc., in an interview last week.
Because Conficker's makers upped the ante to take on the cabal, and because security researchers really have no clue what orders they will give infected PCs, speculation has been, to put it kindly, rampant. Some have argued that the massive botnet could go on a distributed denial-of-service (DDoS) rampage, crippling huge chunks of the Web. Others, including Stewart, say the whole thing is probably one giant April Fool's joke.
- Researchers turn Conficker's own P2P protocol against itself
- Conficker botnet could flood Web with spam
- IT was ready for April 1 Conficker attack
- Conficker, the Internet's No. 1 threat, gets an update
- IT Blogwatch: Conficker botnet wakes up and smells the coffee
- Conficker's makers lose big, expert says
- Conficker activation passes quietly, but threat isn't over
- FAQ: Just the facts on Conficker
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts