Thursday, April 02, 2009

Conficker worm reaches go time, to no effect

The Conficker Internet worm's feared April Fools' Day throwdown for control of millions of infected PCs stirred lots of panic but came and went with a whimper.


Security experts say some Conficker-infected computers — those poisoned with the latest version of the worm — started "phoning home" for instructions more aggressively Wednesday, trying 50,000 Internet addresses instead of 250. However, security companies monitoring the worm remained successful at blocking the communications.

"We didn't see anything that wasn't expected," said Paul Ferguson, a security researcher at antivirus software maker Trend Micro Inc. "I'm glad April 1 happened to be a nonevent. People got a little too caught up in the hype on that. (The infected computers) didn't go into attack mode, planes didn't fall out of the sky or anything like that."

The worm can take control of unsuspecting PCs running Microsoft's Windows operating system. Tied together into a "botnet," these PCs can be directed to send spam, carry out identity-theft scams and bring down Web sites by flooding them with traffic.

That's why the April 1 change in Conficker's programming was a small twist — and not the end of the story. The network of Conficker-infected machines could still spring to life and be used for nefarious deeds.

One scary element is that Conficker's authors have given the infected PCs peer-to-peer abilities, which allow them to update each other and share malicious commands through encrypted channels. That ability means the computers don't have to contact a Web site at all, and the communications are protected.

And the criminals behind Conficker are likely taking their time.

"The people who are pulling the strings on this are very slow and determined and measured in making modifications to this botnet," Ferguson said. "Basically, they're building a layer of survivability."

Conficker spreads without human involvement, moving from PC to PC by exploiting a security hole in Microsoft Corp.'s Windows operating system. In October, Microsoft issued a software update, called a "patch," to protect PCs from the vulnerability, but not everyone applied the patch.

In one telltale sign of an infected machine, Conficker blocks Microsoft's site as well as those of most antivirus companies. Computer owners can work around that obstacle by having someone else e-mail them a Conficker removal tool.

Security researchers don't have a firm estimate of the number of Conficker-infected machines. There appear to be at least 3 million infected PCs, and possibly as many as 12 million, but tallies vary because some machines may have been counted multiple times, and the number fluctuates as PCs are scrubbed clean of the infection while other machines are compromised.
