Conficker: April 1 Update Passed, But Attack Still Possible


Despite the pomp and circumstance surrounding Conficker, computer systems weren't shut down, infrastructure remained intact and the Internet as we know it didn't implode once the April 1 update had passed.

Now as the prolific Internet worm starts to fade from public scrutiny, many are left to ponder the reason for the hype as well as Conficker's path going forward.

"The 24 hour news cycle -- it affected everybody," said Rami Habal, director of product marketing for security company Proofpoint. "The secret dark world of hackers, it's always been intriguing."

The worm first came into the limelight in October 2008, after attackers exploited a Microsoft vulnerability in the way the Server Service handles RPC requests. Since then, earlier versions of the worm, Conficker A and B, spread at unprecedented rates, infecting millions of computers with techniques that ranged from brute force password guessing to transmission through USB sticks and peer-to-peer sites.


While the latest version, Conficker C, didn't have the same self-replication qualities as its predecessors, it ensured its own survival with unique self-preservation traits that included blocking user access to security vendor sites and evading numerous antivirus products. And unlike other worms, Conficker has the unique ability to patch its own vulnerability once it has infected a machine, presumably to prevent competing malware from taking its place.

Meanwhile, April 1 marked the day when the resulting global botnet was scheduled to undergo an update that provided a new domain generation algorithm. The new algorithm allowed its infected computers to "call home" to a much longer list of command and control centers -- altogether about 500 of the 50,000 newly generated domains -- possibly to receive new instructions.
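To make the defensive problem concrete, here is an added example written for this article; it is not Conficker's own code and its generator is a constructed stand-in, not a reconstruction of the worm's algorithm. It shows why a date-seeded domain generation algorithm defeats static blocklists (every infected host derives the same fresh list each day, then contacts only a sample of it) and, on the defender's side, a simple detector that reads constructed DNS resolver log lines and flags clients whose lookups are mostly NXDOMAIN for random-looking names. All hostnames, IP addresses, log lines and thresholds are made up for the example.

```python
"""Added, constructed example (not Conficker's algorithm): a toy date-seeded
domain generation algorithm plus a defender-side detector for DGA-like DNS
traffic. Names, log lines and thresholds are invented for illustration."""
import hashlib
import math
import random
from collections import defaultdict
from datetime import date

TLDS = ("com", "net", "org")  # assumption: a small pool of TLDs


def generate_domains(day: date, count: int, seed_tag: str = "toy") -> list:
    """Derive `count` domains deterministically from the calendar day.

    Every host running the same code produces the same list, so the operator
    only needs to register one of them; a blocklist built from today's list
    is useless tomorrow because the list changes with the date."""
    out = []
    for i in range(count):
        material = f"{seed_tag}:{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(material).digest()
        length = 12 + digest[0] % 5          # labels 12..16 characters long
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return out


def choose_subset(domains: list, k: int, day: date) -> list:
    """Pick k of the generated domains to actually look up (the article's
    '500 of 50,000'), seeded by the day so the run is reproducible here."""
    rng = random.Random(day.toordinal())
    return rng.sample(domains, k)


def shannon_entropy(s: str) -> float:
    """Character entropy in bits; random-letter labels score higher than most
    human-chosen names, though this alone is a weak signal."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(lines):
    """Parse constructed log lines of the form '<ts> <client> <qname> <rcode>'."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue            # skip malformed lines rather than crash
        yield parts[1], parts[2], parts[3]


def flag_dga_hosts(lines, min_queries=5, nx_ratio=0.6, min_entropy=2.8):
    """Return the set of clients whose lookups are mostly NXDOMAIN and whose
    second-level labels look random. Unregistered generated domains fail to
    resolve, so an infected host produces a burst of NXDOMAIN answers."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "ent": []})
    for client, qname, rcode in parse_dns_log(lines):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["ent"].append(shannon_entropy(qname.split(".")[0]))
    flagged = set()
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue            # too few queries to judge
        ratio = s["nx"] / s["total"]
        avg_ent = sum(s["ent"]) / len(s["ent"])
        if ratio >= nx_ratio and avg_ent >= min_entropy:
            flagged.add(client)
    return flagged


# Constructed resolver log. 10.0.0.5 plays an infected host trying its day's
# generated domains (unregistered, hence NXDOMAIN); 10.0.0.7 is an ordinary
# workstation with one typo. Neither address nor any name is real.
_DAY = date(2009, 4, 1)
SAMPLE_LOG = [
    f"2009-04-01T00:00:{i:02d} 10.0.0.5 {d} NXDOMAIN"
    for i, d in enumerate(choose_subset(generate_domains(_DAY, 200), 8, _DAY))
] + [
    "2009-04-01T00:01:00 10.0.0.7 www.example.com NOERROR",
    "2009-04-01T00:01:05 10.0.0.7 update.example.net NOERROR",
    "2009-04-01T00:01:09 10.0.0.7 mail.example.org NOERROR",
    "2009-04-01T00:01:20 10.0.0.7 www.example.com NOERROR",
    "2009-04-01T00:01:31 10.0.0.7 typo.exmaple.com NXDOMAIN",
    "2009-04-01T00:01:40 10.0.0.7 cdn.example.net NOERROR",
]

if __name__ == "__main__":
    today = generate_domains(_DAY, 50000)
    print("generated:", len(today), "contacting:", len(choose_subset(today, 500, _DAY)))
    print("flagged clients:", flag_dga_hosts(SAMPLE_LOG))
```

The detector keys on two properties the article's description implies rather than on any domain list: a single client generating a burst of lookups that fail to resolve, and labels that do not look like names a person chose. Sinkholing, the tactic defenders used against Conficker, follows from the same property in the other direction: if you can run the generator for a future date, you can pre-register some of its domains and observe which clients call in.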

Security experts say that one of the reasons Conficker received its heightened media play was the sheer number of victims combined with its renowned sophistication and technical superiority.

"The capabilities in this Conficker virus are extremely sophisticated," said Habal. "And the one thing that is in the back of people's minds, if attackers wanted to do something, they could."

Yet the renowned worm has thus far been relatively benign. Conficker has primarily infected millions of PCs around the globe, in particular affecting users in Brazil, Russia, China and other Asian countries that consistently use pirated Windows software, which doesn't receive automatic security updates, experts say. But so far, Conficker has remained silent.

But they also say we're not out of the woods yet. Now looking forward, many security researchers wonder if the attackers are simply waiting for the publicity to die before launching a massive global attack down the road.

In fact, the worm's real threat lies in its potential for destruction -- a potential which has not yet been realized, experts say. With millions of infected machines at their fingertips, there is a strong possibility that the attackers will use the botnet to launch a massive denial-of-service attack for financial gain, researchers contend.

Even so, experts say that should an attack occur, it would likely be no different from any of the malicious cyber attacks currently being launched on systems around the world.

"There are many other viruses that use similar techniques that basically have the same effect, that do immediately download malware and start to do bad things with your machine," said Keith Crosley, director of market development for Proofpoint. "Conficker does have that huge scope, but is no more or less serious than any of the other viruses."