The Conficker worm that has left a trail of destruction in its wake for the last six months is set for a new evolution April 1 that will enable it to stealthily launch a variety of malware attacks unbeknownst to the security community.
Security experts say that the new Conficker variant, which has infected at least 12 million users around the globe since its creation in October, will contain a new update mechanism that will allow it to communicate with its command and control centers to upload new marching orders and launch attacks at will.
Part of the new update will include a refreshed ability to dodge scrutiny from the security community, which has thus far been able to intercept communication between the worm and its domains. After April 1, however, the new Conficker variant will contain code that will prevent the security community from blocking updates.
"The Internet as we know it will still exist," said Paul Henry, security and forensic analyst for Lumension Security. "But what (the security community has) been doing will no longer work after April 1. There's great concern in the security community because they're no longer able to block the command and control communication of this botnet."
Like other renowned worms, Conficker relies on numerous attack vectors to self-replicate and spread, using such techniques as brute force password guessing to propagate throughout a network.
The latest and most sophisticated variant of the Conficker worm, Version C, became known for infecting large numbers of networks via peer-to-peer connections and USB drives. It also added numerous defensive measures designed to evade detection and removal by disabling Windows Automatic Updates and Windows Security Center. In addition, Version C had the ability to block access to several security vendors' Web sites while rendering numerous antivirus products useless.
Now it will crank up the number of domains it can check for updates. Thus far, Conficker has been in contact with about 250 URLs at regular intervals, which has allowed the security community to predict and block its update communications. However, Henry said that the new version will allow the malware to contact more than 50,000 URLs at random, making it "difficult if not literally impossible" for members of the security community to block update communications with individual bots.
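A bot that walks a large list of randomly generated candidate domains leaves a distinctive footprint in DNS logs: one host resolving many names it has never queried before, most of them answered NXDOMAIN because the domain was never registered. The following added example (not code from the article or from any vendor it quotes) profiles clients in a constructed resolver log and flags those whose distinct-name count and NXDOMAIN ratio exceed illustrative thresholds; the log format and the thresholds are assumptions for the example.

```python
"""Flag DNS clients that query many distinct, mostly non-existent names,
the resolver-side footprint of a bot cycling through a large candidate
domain list. The log lines below are constructed for this example."""
from collections import defaultdict
import re

# Constructed sample log: "<time> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.9 qzkxvb.info NXDOMAIN
10:00:03 10.0.0.9 plwrtm.org NXDOMAIN
10:00:04 10.0.0.9 xcvhjw.biz NXDOMAIN
10:00:04 10.0.0.9 update.example.net NOERROR
10:00:05 10.0.0.9 rtyuio.cc NXDOMAIN
10:00:05 10.0.0.9 mnbvcx.ws NXDOMAIN
10:00:06 10.0.0.5 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse(log_text):
    """Yield (client, name, rcode) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, name, rcode = m.groups()
            yield client, name.lower(), rcode

def profile_clients(log_text):
    """Per client: (number of distinct names queried, NXDOMAIN ratio)."""
    names = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # [nxdomain answers, total queries]
    for client, name, rcode in parse(log_text):
        names[client].add(name)
        counts[client][1] += 1
        if rcode == "NXDOMAIN":
            counts[client][0] += 1
    return {c: (len(names[c]), counts[c][0] / counts[c][1]) for c in counts}

def suspicious_clients(log_text, min_distinct=5, min_nx_ratio=0.6):
    """Thresholds are illustrative assumptions; tune them to the network's baseline."""
    return sorted(c for c, (distinct, ratio) in profile_clients(log_text).items()
                  if distinct >= min_distinct and ratio >= min_nx_ratio)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))  # → ['10.0.0.9']
```

Raising the candidate-domain count mainly defeats pre-registration and blocklisting, not this kind of behavioural detection, which is why resolver telemetry remains useful once the domain list becomes unpredictable.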
"It just means they can launch (attacks) at will and there's nothing we can do about it," Henry said. "The botnet has literally shrunk over the last month. This is going to give it the opportunity to scale back up again."
Henry said he anticipated that security researchers would very likely get their hands on Conficker's refreshed code shortly after its April 1 evolution.
Previous Conficker versions A and B rapidly propelled the malware around the globe, infecting millions of computers worldwide, which were then incorporated into a malicious botnet.
The worm has significantly evolved since its authors first exploited a critical Microsoft vulnerability in the way the Server Service handles RPC requests. One of the worm's biggest distinguishing features is its ability to patch its own vulnerability on the machines that it infects, possibly to prevent the machine from becoming infected by competing malware, experts say.
Microsoft issued an emergency out-of-band patch in October of 2008 repairing the vulnerability, but it appeared that not enough users diligently applied the patch before attack code was let loose in the wild.
Henry said that Conficker's rapid spread and destructive wake could have been prevented had users simply patched their systems in October, when Microsoft released a fix for the vulnerability.
"We wouldn't be having this problem if everyone had patched back in October," he said. "That's the sad part about it, it was completely preventable."