Conficker April 1 Update Won't Result In Attack, Experts Say

Come April 1, the latest version of Conficker, the malicious computer worm that has infected millions of computers in the creation of a global botnet, is set to launch a new update mechanism that will allow it to communicate unimpeded with its command and control centers for new instructions. Meanwhile, the newest evolution of the worm, known as the Conficker C variant, will come with a changed domain generation algorithm that will open up access to 50,000 newly generated domains.

However, despite the latest evolution of the Conficker worm, security experts don't anticipate a major Internet meltdown on Wednesday, April 1.

The reason? Creators of the Conficker worm probably don't want to launch an attack under the watchful gaze of the public, experts say. Instead, it is very likely that Conficker C will conduct its updates in peace on Wednesday and continue to silently incorporate computers into its massive spam-spewing botnet.

"The analysis has shown that Conficker authors have toned down the number of update requests, which they have done so they can fly under the radar. They want to run a botnet, as big as possible and as healthy as possible," said Wolfgang Kandeck, CTO of security company Qualys. "It's not in their interest to be visible. It's not in their interest to annoy you."

Instead, if there were to be a massive denial-of-service attack, it would likely come unexpectedly, after the publicity has died down, Kandeck said.

Meanwhile, subsequent attacks might be a little bit more difficult now than before, experts say. Over the weekend, security researchers finalized the development of a Conficker scanning tool that has the ability to monitor and remediate the Conficker worm on infected machines.

One of Conficker's telltale calling cards is its ability to repair its own vulnerability once it has infected a PC -- possibly to keep competing worms and malware from occupying the same space. However, the breakthrough tool, developed as part of the German Honeynet Project, relies on a sophisticated fingerprint-scanning technique that is able to distinguish between a regular Microsoft-issued patch, which closes the hole completely, and a Conficker-created patch, which leaves a small opening for itself.

Since the tool's release over the weekend, numerous vendors, including Qualys, McAfee's Foundstone Enterprise, Tenable Network Security's Nessus, open-source Nmap and others with network-scanning programs have offered variations of the tool as a free download available for consumers.

However, Kandeck said that while the tool is a major step in combating the Conficker worm, it will likely be blocked or circumvented by new versions of the worm down the road.

"We will see how long this will hold up," he said. "The Conficker people, they are smart. If I were them, I would change the way that I do this."

The Conficker worm first emerged in October when attackers exploited a Microsoft security vulnerability occurring in the way the Server Service handles RPC requests. Shortly thereafter, Microsoft issued an emergency out-of-band patch repairing the glitch, and warned users that the attack was already loose in the wild. However, the fix came a little too late to stop the spread of the Conficker worm, and the malware propagated rapidly via users' unpatched systems.

Since then, Conficker has evolved to become one of the most sophisticated and evasive botnets in history, with the ability to spread rapidly via peer-to-peer networks and USB drives. The worm also added numerous defensive measures designed to evade detection and removal by disabling Windows Automatic Updates and Windows Security Center. Conficker Version C also has the ability to block access to several security vendors' Web sites and evade numerous antivirus products.

Despite the severity of the emerging Conficker C variant, Dave Marcus, security research and communications manager for McAfee, said that users can protect themselves by updating their systems with the latest security patch, as well as conducting virus scans that require a reboot and running up-to-date antivirus software.

"Patch out in a reasonable time. People just have to heed the call, especially when there's a piece of active malware taking advantage of that vulnerability," Marcus said.

Meanwhile, Marcus said that the high-profile nature of Conficker, along with its speed and sophistication, has underscored the importance of patching systems with the latest security updates.

"Certainly there's a different process [for different organizations]. That being said, there's still an onus to get it done in a reasonable period of time," Marcus said. "People have either heeded the advice or they haven't. At this point, I don't think it's possible for us to put out the message anymore."