The Conficker Worm: April Fool's Joke or Unthinkable Disaster? [Telecom]

formatting link
The Conficker Worm: April Fool's Joke or Unthinkable Disaster?

By JOHN MARKOFF MARCH 19, 2009, 6:25 PM

Update | 3:57 p.m. Added links to malware removal tools.

The Conficker worm is scheduled to activate on April 1, and the unanswered question is: Will it prove to be the world's biggest April Fool's joke or is it the information age equivalent of Herman Kahn's legendary 1962 treatise about nuclear war, "Thinking About the Unthinkable"?

Conficker is a program that is spread by exploiting several weaknesses in Microsoft's Windows operating system. Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.

It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft's security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.

Given the sophisticated nature of the worm, the question remains: What is the purpose of Conficker, which could possibly become the world's most powerful parallel computer on April 1? That is when the worm will generate 50,000 domain names and systematically try to communicate with each one. The authors then only need to register one of the domain names in order to take control of the millions of zombie computers that have been created.

Speculation about Conficker's purpose ranges from the benign - an April Fool's Day prank - to far darker notions. One likely possibility is that the program will be used in the "rent-a-computer-crook" business, something that has been tried previously by the computer underground. Just like offers computing time on its network for rent, the Conficker team might rent access to its "network" for nefarious purposes like spamming.

The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode.

According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes.

Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible.

Or perhaps the Conficker botnet's masters have something more Machiavellian in mind. One researcher, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the idea of a "Dark Google." What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers? Malware already does this on a focused basis using a variety of schemes that are referred to as "spear phishing," in a reference to the widespread use of social engineering tricks on the Net.

But to do something like that on a huge scale? That would be a dragnet - and a genuine horror story.

Copyright 2009 The New York Times Company

***** Moderator's Note *****

On the one hand, this article has the old "Written on the subway" flavor of so many of the alarmist tomes that appear in the wake of every major malware outbreak. The ingredients are all there: fearmongering, "once over lightly" technical detail, and predictions of dire consequences to follow - if the readers don't buy the paper tomorrow.

OTOH, it _does_ mention that neither Mac nor Linux computers are subject to the worm. Having Linux recognized as a serious alternative may be worth the hype: although the author did not point out that Linux runs on PC's, like Microsoft's product, just having Linux "out there" in the public consciousness is a step in the right direction.

Tune in tomorrow, film at eleven, ymmv, etc.

Bill Horne Temporary Moderator

Please put [Telecom] at the end of your subject line, or I may never see your post! Thanks!

We have a new address for email submissions: telecomdigestmoderator atsign This is only for those who submit posts via email: if you use a newsreader or a web interface to contribute to the digest, you don't need to change anything.

Reply to
Monty Solomon
Loading thread data ...

formatting link


........ Woo-hoo! something that will force more people into spending even more money upgrading their (obviously) inadequate Windows "security" tools.

Pity we all didn't start buying shares in the anti-malware vendor companies a few weeks ago, their sales figures look like having (yet another) boost......

I do wonder how long a scam has to go on before people realise that is is a scam?

Reply to
David Clayton

If you go to:

formatting link
you can d/l a free detector/remover for Conficker.

Its a zip file, and if you have multiple PCs to check, distribute the zip file and unzip it and run the exe (there are 2, a GUI version and a linemode version) on each PC. It sets something so it will only run once unless you buy the pay version.

Reply to
Rich Greenberg

So far (12:30pm Pacific time, April 1) only one of my customers is suffering from what appears to be Conficker. I have had several calls from non-customers and they sound like mild versions of Conficker. I expect that I'll get to everyone by tonight.

Oh, and PS: I am in the habit of turning off and removing the anti- virus programs from nearly all my customers' computers, feeling confident that Windows firewall, a router, and an updated service pack should be just fine. I also turn off unneeded services. And as I said previously, only one of my hundreds of customers has any problems. So much for needing McAfee, Norton, and the lesser- knowns.

***** Moderator's Note *****

Although this is on the edge for telecom, I'm allowing it in order to encourage a debate about security in the SS7 networks. It occurs to me that it may be possible to code a worm which could allow remote access to central office software, and there are no AV programs in CO's that I know of.

Bill Horne Temporary Moderator

Please put [Telecom] at the end of your subject line, or I may never see your post! Thanks!

We have a new address for email submissions: telecomdigestmoderator atsign This is only for those who submit posts via email: if you use a newsreader or a web interface to contribute to the digest, you don't need to change anything.

Reply to
David Kaye

I can't see how a virus could get on a switch, that is unless some fool teck was using the terminal to go on the net and D/L something, I know we are not allowed to leave our network on company computers. When I need to do something I use my iBook and then I have the VPN set.

Reply to
Steven Lichter

I don't know if the moderator will allow my posting as it is not telecom related.

I strenously disagree with your pactice of removing anti virus programs. It is very easy to visit a URL at a legitimate site which has a malicious advertiser and down comes some malware, scamware, trojan or virus.

A friends public computer in a coffee shop as some kind of malware exe process running about once a week or two. Either the antivirus takes care of it or I poke about for a minute in task manager and I find it and kill it. Invariably these around found in the guest accounts Temporary Internet Files folder.

I should note that his computer is in full view of the public. So any sites to which you'd be ashamed to show your mother aren't visited any more. Indeed one regular male customer is no longer a regular and hasn't been seen for months since the PC was moved.

A few days ago I found two suspicious exes. I moved those exes to a holding folder and waited a few days. And sure enough the anti virus program then found them.

Also consider an incoming email with a malicious attachment. I still get about

10 to 20 of those a month.

Finally there are the 0 day exploits. Microsoft and others simply can't get the patches out fast enough to deal with these. However the anti virus vendors can get their products updated within a few days.


Reply to
Tony Toews [MVP] Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.