Conficker Researchers Counter April 1 Update With Detection Scan

Preceding the anticipated April 1 Conficker evolution, a SANs Institute report indicated that researchers involved in the German Honeynet Project found an anomaly in Conficker that makes it possible to detect the malware on infected hosts with a sophisticated fingerprint scan, giving security administrators an accessible and easy-to-use tool to help combat the sophisticated botnet.

The Honeynet Project already released a breakthrough proof of concept scanner and starting mid-Monday, signatures will be available from several network scanning programs, including McAfee's Foundstone Enterprise, Tenable Network Security's Nessus, and open source Nmap, along with products from Qualys -- all of which will be freely available to the public.

Until recently, there were only two ways to detect Conficker, which included monitoring outbound network connections for individual computers, or target scanning each computer -- both of which were labor- and resource-intensive endeavors with limited success rates, security experts said.

The project was spearheaded by Dan Kaminsky, director of penetration testing at security company IOActive, along with German researchers Tillmann Werner and Felix Leder.

Security researchers discovered earlier in March that the Conficker malware is set to evolve April 1, indicating that systems infected with the latest Conficker variant, Conficker.C, will start to contact exponentially more Internet domains, possibly for new instructions. Specifically, the Conficker C variant comes with a changed domain generation algorithm, giving it almost unfettered access to hundreds or thousands of the 50,000 newly generated domains.

Security researchers maintain that the Conficker C's new update mechanism echoes behavior of previous variations -- Conficker A and B -- the one difference being that version C ups the stakes to 50,000 new domains.

"Even though it's nothing new, they've upped the stakes to 50,000 endpoints they can connect to," said Derek Manky project manager for cyber security and threat research for Fortinet. "What we're seeing is that it's just more robust, and from a research standpoint, there's enhanced infrastructure."

Meanwhile, despite the worm's impending evolution resulting in copious domain generation, security experts contend that the update will likely not herald a massive attack or imply any other kind of widespread computer network doom.

"All of today's threats are fundamentally about making money," said Dean Turner, director of the Symantec Global Intelligence Network. "(The Conficker malware is) valuable to them. The one thing they don't want to do is light up the sky with all the machines they have that's going to identify where they are."

Turner said that while a massive denial of service attack on April 1 was possible, it was not likely. Instead there was a strong chance that the renowned botnet would remain dormant, or be used for something more innocuous, such as turning the infected PCs to spam-distributing hosts.

"In a worst case scenario, it could be used in a denial-of-service attack, but that doesn't make much sense," Turner said. "There is a lot of money to be made utilizing that kind of crimeware. Why would [hackers] want to ensure that the good guys are going to take [them] out? [They] want to be stealthy."

Manky agreed that while the Conficker update wouldn't result in an Internet meltdown, the worm's latest evolution was something that should further galvanize the security community to action.

"(Malware authors) are investing time and money into building infrastructure and having control over it," Manky said. "It's a good example of what we've seen in the past. Once they have the control, they can do whatever they wish."

The Conficker worm first emerged in October when the malware authors exploited a Microsoft security vulnerability occurring in the way the Server Service handles RPC requests. While Microsoft issued an emergency out-of-band patch that repaired the glitch, the fix came too late to impede the spread of the malicious worm.

Since then, Conficker has evolved to become one of the most sophisticated and evasive botnets in history, with the ability to spread rapidly via peer-to-peer networks and USB drives. The worm also added numerous defensive measures designed to evade detection and removal by disabling Windows Automatic Updates and Windows Security Center. Version C also had the ability to block access to several security vendors' Web sites while evading numerous antivirus products.

Security experts maintain that while Conficker will likely remain a threat for months or years to come, users can protect themselves by ensuring that their Windows systems are patched with the latest security updates as well as keeping the latest version of antivirus, antispyware and firewall solutions.