Final countdown to Conficker 'activation' begins

T-minus six


Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.

Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locales used by earlier variants of the code.

"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."

Known unknown

Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or week after the new call-home routine comes into effect.

If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.

Lessons from the call back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant ever downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.

Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.

"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes lead to nothing more than a damp squib," notes Graham Cluley, senior technology consultant, at Sophos.

Although nothing might happen it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.

Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol". An analysis of the worm, complete with a graphic illustrating the evolution of the worm's propagation, control and defensive features, can be found here.

Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.

Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.

Broader topics


Other stories you might like

  • Running Windows 10? Microsoft is preparing to fire up the update engines

    Winter Windows Is Coming

    It's coming. Microsoft is preparing to start shoveling the latest version of Windows 10 down the throats of refuseniks still clinging to older incarnations.

    The Windows Update team gave the heads-up through its Twitter orifice last week. Windows 10 2004 was already on its last gasp, have had support terminated in December. 20H2, on the other hand, should be good to go until May this year.

    Continue reading
  • Throw away your Ethernet cables* because MediaTek says Wi-Fi 7 will replace them

    *Don't do this

    MediaTek claims to have given the world's first live demo of Wi-Fi 7, and said that the upcoming wireless technology will be able to challenge wired Ethernet for high-bandwidth applications, once available.

    The fabless Taiwanese chip firm said it is currently showcasing two Wi-Fi 7 demos to key customers and industry collaborators, in order to demonstrate the technology's super-fast speeds and low latency transmission.

    Based on the IEEE 802.11be standard, the draft version of which was published last year, Wi-Fi 7 is expected to provide speeds several times faster than Wi-Fi 6 kit, offering connections of at least 30Gbps and possibly up to 40Gbps.

    Continue reading
  • Windows box won't boot? SystemRescue 9 may help

    An ISO image you can burn or drop onto a USB key

    The latest version of an old friend of the jobbing support bod has delivered a new kernel to help with fixing Microsoft's finest.

    It used to be called the System Rescue CD, but who uses CDs any more? Enter SystemRescue, an ISO image that you can burn, or just drop onto your Ventoy USB key, and which may help you to fix a borked Windows box. Or a borked Linux box, come to that.

    SystemRescue 9 includes Linux kernel 5.15 and a minimal Xfce 4.16 desktop (which isn't loaded by default). There is a modest selection of GUI tools: Firefox, VNC and RDP clients and servers, and various connectivity tools – SSH, FTP, IRC. There's also some security-related stuff such as Yubikey setup, KeePass, token management, and so on. The main course is a bunch of the usual Linux tools for partitioning, formatting, copying, and imaging disks. You can check SMART status, mount LVM volumes, rsync files, and other handy stuff.

    Continue reading

Biting the hand that feeds IT © 1998–2022