Thursday, April 2, 2009

No Serious Threat from Conficker on April 1

The most recent variant of the Conficker worm, also known as W32.Downadup.C, is scheduled to update itself April 1. But analysts who have examined the code say the update appears to be an upgrade of the worm's defenses rather than an attack launched by the widespread botnet of machines it has compromised.

"There is no reason to believe that April 1 will be any different from any other day," said Kevin Haley, director of Symantec Security Response.



The worm uses an algorithm to generate a pseudo-random list of domains for its command-and-control network, which its infected clients check daily for instructions. Symantec analysts believe that on April 1 the malware will begin using a new algorithm to determine what domains it will contact.

"It now generates 500 domains every day," Haley said. "It's going to do 50,000" with the new algorithm. Because a command-and-control server is a weak spot whose elimination can disable a botnet, the update could make Downadup more difficult to attack. But it does not mean the worm is more likely to attack others.
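Two defender-side consequences of the date-seeded domain generation described above, shown in an added example that is not part of the original article and does not reproduce Conficker's actual algorithm: a deterministic generator lets defenders who have recovered it precompute and sinkhole each day's candidate domains, but that workload grows with the per-day count (500 versus 50,000); and a client that probes hundreds of unregistered names a day leaves a burst of NXDOMAIN responses in resolver logs that can be flagged without knowing the algorithm at all. The generator, the log format and the sample log lines are all constructed for this example.

```python
"""Defender-side view of a date-seeded domain generation algorithm (DGA).

toy_dga() is a CONSTRUCTED stand-in for a DGA, not Conficker's algorithm.
The resolver log format ("<time> <client> <qname> <rcode>") is likewise an
assumption made for this example.
"""
import hashlib
import re
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "org")  # constructed sample TLDs


def toy_dga(day: date, count: int) -> list:
    """Return `count` deterministic domains for `day`.

    Seeding on the date alone is what makes the list predictable: anyone
    holding the algorithm can compute the same list in advance."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def build_blocklist(start: date, days: int, per_day: int) -> set:
    """Every domain a defender must pre-register or block to cover `days`
    consecutive days starting at `start`; size scales with per_day."""
    names = set()
    for offset in range(days):
        names.update(toy_dga(start + timedelta(days=offset), per_day))
    return names


LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def flag_dga_clients(lines, threshold: int) -> dict:
    """Map client -> number of distinct names that returned NXDOMAIN, for
    clients at or above `threshold`. Works with no knowledge of the DGA:
    the signal is the volume of lookups for names that do not exist."""
    failed = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN":
            failed[client].add(qname.lower())
    return {c: len(names) for c, names in failed.items() if len(names) >= threshold}


def build_sample_log() -> list:
    """Constructed resolver log: one infected host probing 40 generated
    names, one clean host with ordinary traffic and a single typo."""
    infected = "10.0.0.5"
    lines = [f"09:00:{i % 60:02d} {infected} {d} NXDOMAIN"
             for i, d in enumerate(toy_dga(date(2009, 4, 1), 40))]
    lines += [
        "09:00:02 10.0.0.7 www.example.com NOERROR",
        "09:00:03 10.0.0.7 mail.example.com NOERROR",
        "09:00:04 10.0.0.7 exmaple.com NXDOMAIN",  # one typo, not a burst
    ]
    return lines


if __name__ == "__main__":
    for per_day in (500, 50_000):
        size = len(build_blocklist(date(2009, 4, 1), 7, per_day))
        print(f"{per_day:>6} domains/day -> {size} names to cover one week")
    print("flagged:", flag_dga_clients(build_sample_log(), threshold=20))
```

The threshold in flag_dga_clients is deliberately a parameter: ordinary clients also produce NXDOMAIN responses (typos, stale records, search-domain suffixing), so the cutoff should be set from a baseline of the resolver's normal failure rate per client, and the count of distinct failed names is a better discriminator than the raw number of failed queries.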

"This certainly is an issue of concern, but the probability of a major cyber event taking place on April 1 is really not very likely," said Vincent Weafer, vice president of Symantec Security Response. "In reality, the author or authors of Downadup probably didn't intend for this malware to get as much attention as it has."

The current economic model for criminal hacking calls for a low and slow approach that does not draw attention to activities. Although estimates of Downadup infections range as high as 10 million devices, the current size of the network of available computers is probably a couple million, and so far they do not appear to have been put to work as a botnet.

"It's a good-sized network," Haley said. But "we may never see a big bang" from it.

The worm's success and the interest it has generated stem from the combination of tools it uses to spread and protect itself, although none of the tools is unique.

"This is the most technically interesting worm we've seen because of the way it spreads, as well as the communication mechanism, its encryption types and the methods it uses to contact its command-and-control servers," said Andrew Storms, director of security operations at nCircle, a network security automation company.

"It's good at what it does, and it looks like there is some thought and organization behind it," Haley said.

The original W32.Downadup.A exploited only the MS08-067 vulnerability in Microsoft Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 operating systems, for which Microsoft issued a patch outside its regular monthly patching cycle. The more recent B variant added password guessing and the ability to copy itself to USB drives, giving it a wider dissemination throughout a network once it is inside. The authors of the malware appear to be trying to gather networks' low-hanging fruit.

Its high visibility has made Downadup risky for those who plan to use it.

"This is eerily reminiscent of the major worms of five years or more ago," said Chris Schwartzbauer, senior vice president of worldwide sales and marketing at Shavlik Technologies. The high visibility of worms such as Sasser, Blaster and Code Red prompted networks to protect themselves.

Although the latest Downadup variant could have a more secure communication method, the worm already has the ability to communicate peer-to-peer, and there would be no reason to think it is waiting for April 1 for a major command, Haley said.

The advice of most experts is to stay patched and stay calm. Tools are available to detect and remove the worm, and organizations with up-to-date patches should be safe.

"Most enterprises already are using a patch management process and following industry best practices," Storms said. "They are likely already patched and protected from a Conficker infection."

