Tuesday, March 31, 2009

FAQ: Conficker clock ticks toward April 1 deadline


By Gregg Keizer, Computer World

Hype or one heck of a worm? Q&A takes on 2009's most-publicized threat

When a computer worm reaches the critical mass necessary to make it onto last Sunday's 60 Minutes, you know it's either a once-in-a-blue-moon threat or something that's been hyped beyond belief.

The attention that this worm has received is staggering, especially in the last few days as a deadline -- Wednesday, April 1 of all days -- approaches. Although the technical press has been covering Conficker since its appearance late last year, in large part because it exploited one of Microsoft's rare "out-of-cycle" patches, the larger world only seemed to wake up to the worm in the last week.

So is it, as the 60 Minutes segment called it, "a sleeper cell," or just another worm asleep at the wheel?

We posed some of the pressing questions about Conficker and its looming deadline, and answered them. More, undoubtedly, will follow as the saga continues.

I've been living in a cave since Jan. 1. What's Conficker? Conficker, also called Downadup, is the biggest worm in years as measured by infected PCs, and began exploiting a Windows bug that Microsoft patched with an emergency update in October 2008. Since then a second variant, which was released in January, infected millions more machines.

A third version, Conficker.c, surfaced earlier this month, and is the one that has everyone twitchy. This is the edition that's been pushed to some of the PCs already infected with earlier variants -- Conficker.a and Conficker.b -- but doesn't spread on its own to new victims.

What's up with Conficker.c? This tougher strain includes a number of new defensive measures that, as Vincent Weafer, vice president of Symantec Corp.'s security response group, put it last week, are meant to "armor and harden the existing infections."

What has people anxious about Wednesday, however, is that's when Conficker.c can start using a new communication scheme to establish a link to its command-and-control servers.

Earlier versions of the worm generated a list of 250 possible domains each day that the malware could potentially use to route instructions from the hacker controllers, but Conficker.c cranks out a list of 50,000 URLs daily. Most researchers believe that's a direct response to work begun last month by the "Conficker Cabal," an ad-hoc consortium of researchers, companies and organizations that joined forces to disrupt the worm's communications by registering as many of the 250 daily domains as possible.
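Pre-registering 250 domains a day was workable for the cabal; 50,000 a day is not. The other lever defenders have is to watch for the behaviour such a scheme produces on the network: an infected host asks the resolver for a stream of random-looking names, nearly all of which do not exist, so it collects a burst of NXDOMAIN answers. The script below is an added example, not code from the article or from any of the researchers it quotes. It runs over a few constructed resolver log lines (timestamp, client, queried name, response code) and flags any client with a run of NXDOMAIN replies for high-entropy second-level labels. The thresholds and the log format are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not taken from the article or any real capture).
# Format assumed for the example: "<timestamp> <client> <query> <rcode>"
SAMPLE_DNS_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.7 qwxrtzplmvb.info NXDOMAIN
2009-04-01T00:00:02 10.0.0.7 kjhgfdsaoiuy.org NXDOMAIN
2009-04-01T00:00:03 10.0.0.7 mnbvcxzlkjhg.net NXDOMAIN
2009-04-01T00:00:03 10.0.0.7 poiuytrewqasd.biz NXDOMAIN
2009-04-01T00:00:04 10.0.0.7 zxcvbnmasdfgh.cc NXDOMAIN
2009-04-01T00:00:04 10.0.0.7 lkjhgfdsazxcv.ws NXDOMAIN
2009-04-01T00:00:05 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:00:06 10.0.0.9 typo.exmaple.com NXDOMAIN
2009-04-01T00:00:07 10.0.0.5 updates.microsoft.com NOERROR
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; machine-generated labels score high."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """Return the label just left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text: str):
    """Yield (client, query, rcode) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _timestamp, client, query, rcode = fields
        yield client, query, rcode


def flag_dga_clients(text: str, min_nxdomain: int = 5, min_entropy: float = 3.0) -> dict:
    """Flag clients with at least min_nxdomain NXDOMAIN answers whose queried
    second-level labels average at least min_entropy bits per character.
    A single typo (one NXDOMAIN for a dictionary-like name) never trips this."""
    entropies = defaultdict(list)
    for client, query, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            entropies[client].append(shannon_entropy(second_level_label(query)))

    flagged = {}
    for client, values in entropies.items():
        mean = sum(values) / len(values)
        if len(values) >= min_nxdomain and mean >= min_entropy:
            flagged[client] = {"nxdomain": len(values), "mean_entropy": round(mean, 2)}
    return flagged


if __name__ == "__main__":
    for client, stats in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {stats['nxdomain']} NXDOMAIN answers, "
              f"mean label entropy {stats['mean_entropy']} bits/char")
```

On the constructed log only 10.0.0.7 is flagged: 10.0.0.9's single failed lookup is a typo of a dictionary word, and 10.0.0.5 only resolves real names. On a production resolver the count threshold should be tuned against the baseline NXDOMAIN rate of the network, since DNS prefetching and misconfigured software also generate failed lookups, just not for random-looking names.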

So? Worms "phone home" all the time. What's so special about Conficker.c and April 1? The April 1 date, which is hard-coded into the worm, has people spooked because of two things: the size of the infected PC pool, and the lack of information about what the hackers intend to do once those victimized machines try to reach hacker HQ.

According to some estimates, as many as 12 million PCs have been infected with the worm since it first struck late last year. Symantec, however, recently pegged the number of currently infected systems at 3 million, while F-Secure Corp. said it was more likely in the 1 million to 2 million range.

At any of those numbers, however, Conficker would be enormous by botnet standards.

What will happen Wednesday when Conficker.c switches on its new "phone home" algorithm? No one knows. And that's a problem.

"It's impossible to know until we see something that has a clear profit motive," said Joe Stewart, noted botnet researcher and director of malware research at SecureWorks Inc., in an interview last week.

Because Conficker's makers upped the ante to take on the cabal, and because security researchers really have no clue what orders they will give infected PCs, speculation has been, to put it kindly, rampant. Some have argued that the massive botnet could go on a distributed denial-of-service (DDoS) rampage, crippling huge chunks of the Web. Others, including Stewart, say the whole thing is probably one giant April Fool's joke.

What do most researchers think will happen Wednesday? Nothing at all.

"The probability of a major [Conficker]-related event taking place on April 1 is really not very likely," said Weafer of Symantec, in an e-mail today. "In reality, the author or authors probably didn't intend for this malware to get as much attention as it has."

SecureWorks' Joe Stewart agrees. "If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn't do it on the one day everyone is watching for it," he said in a separate e-mail.

Other researchers have noted that because Conficker.c controls far fewer PCs than either of its predecessors -- the majority were infected with Conficker.b -- even if the hackers make a move on Wednesday, it will be minor.

How do I know if I'm already infected with Conficker.c? The easiest way is to try to reach some of the popular Web sites that Conficker blocks. If you can't get to microsoft.com, symantec.com, mcafee.com and secureworks.com, it's likely you've lost control of your computer to Conficker. (The complete list of all 114 domains that the worm blocks can be found in SRI International's excellent analysis of Conficker.c.)

I'm infected! What do I do? Run one of the many Conficker detection and cleaning tools to scrub the worm from your system. You can also use these tools to verify that your PC is, in fact, owned by the hackers.

Among your choices are removal utilities from: F-Secure, McAfee (download "W32/Conficker Stinger"), and Symantec.

Note: If your system is infected, you won't be able to reach these download sites from that PC (see the previous question). Instead, download the tool from a clean machine, stick it on a flash drive and transfer it to the infected box.
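The "can you reach the vendor sites?" test above is easy to automate, with one caveat the article's wording glosses over: a lookup that fails because the machine has no network at all looks the same as one the worm is blocking. The script below is an added example, not from the article or from any vendor's removal tool. It tries to resolve the four vendor domains the article names alongside a control domain that is assumed not to be on the block list, and only reports "suspect" when the control resolves but the vendor sites do not. The resolver is passed in as a parameter so the logic can be exercised without a network.

```python
import socket

# The four vendor sites the article says Conficker blocks
WATCH_DOMAINS = ["microsoft.com", "symantec.com", "mcafee.com", "secureworks.com"]
# Assumption for the example: a domain that is not on the worm's block list,
# used to tell "blocked" apart from "no network at all"
CONTROL_DOMAINS = ["example.com"]


def can_resolve(name: str, resolver=socket.gethostbyname) -> bool:
    """True if the resolver returns an address for name, False on any lookup error."""
    try:
        resolver(name)
        return True
    except OSError:
        return False


def blocked_site_check(resolver=socket.gethostbyname):
    """Return (verdict, per-domain results).

    verdict is one of:
      "no-network": even the control domain fails, so nothing can be concluded
      "suspect":    control resolves but none of the vendor sites do
      "partial":    some vendor sites fail; worth a closer look
      "clean":      everything resolves
    """
    results = {d: can_resolve(d, resolver) for d in WATCH_DOMAINS + CONTROL_DOMAINS}
    control_ok = any(results[d] for d in CONTROL_DOMAINS)
    watch_ok = [d for d in WATCH_DOMAINS if results[d]]

    if not control_ok:
        verdict = "no-network"
    elif not watch_ok:
        verdict = "suspect"
    elif len(watch_ok) < len(WATCH_DOMAINS):
        verdict = "partial"
    else:
        verdict = "clean"
    return verdict, results


def fake_resolver(blocked):
    """Build a stand-in resolver that fails exactly for the names in `blocked`
    (constructed for offline testing; returns a placeholder address otherwise)."""
    def _resolve(name):
        if name in blocked:
            raise socket.gaierror("simulated lookup failure")
        return "192.0.2.1"  # documentation address, not a real host
    return _resolve


if __name__ == "__main__":
    verdict, results = blocked_site_check()
    for domain, ok in results.items():
        print(f"{domain:20s} {'resolves' if ok else 'FAILS'}")
    print("verdict:", verdict)
```

A "clean" result only says the host can resolve those names; a removal tool is still the authoritative check, and a "suspect" verdict is a reason to run one from a flash drive as the note above describes.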

I think my PC's safe so far, but what can I do to protect it from future infection? The first thing you should do is apply the MS08-067 patch that Microsoft issued last October.

Second, make sure your antivirus software is running and up-to-date. Third, apply this Feb. 24 patch from Microsoft, then disable Windows' Autorun feature, which Conficker.b can abuse in its attempt to spread via USB devices like flash drives.

*ComputerWorld.com
