An Update on the Conficker Worm

Nearly six months ago I wrote a blog entry on the Conficker worm. At the time, Conficker D had just surfaced. Although similar in many ways to Conficker A, B and C, this version added several new troublesome functions:

• A new custom peer-to-peer protocol used to scan for infected hosts and push or pull (depending on which is appropriate) the latest version of its code.

• Blocking of DNS lookups that would otherwise allow an infected host to connect to and download security-related updates (e.g., anti-virus updates and Windows Updates).

• Disabling of Windows Safe Mode and anti-virus software, and blocking of updates for security-related products such as anti-virus tools.

• Creation of a botnet by installing bots in infected systems. The botnet is programmed to launch distributed denial of service (DDoS) attacks on demand.

Conficker’s authors were not through yet, however; version E surfaced only a few weeks after Conficker D was released. Version E is very similar to Conficker D, except that E also sends spam and pops up scareware.

What I find so interesting about the evolution of this worm is that a version designed to make money for the authors did not surface until almost six months after this worm was first released. Clearly, profit was not originally a motive for creating and releasing it, something that very much bucks a pronounced trend in the malware arena. There is considerable money to be made from Conficker E—spam is quite profitable for those who learn to do it right, and because “a sucker is born every minute,” many gullible users have already fallen prey to Conficker’s scareware tactics.

No new version of Conficker has emerged in nearly five months. What are its authors doing, and what are they planning to do in the future? According to one estimate, this worm is still infecting 90,000 new Windows systems every day. Furthermore, the authors are almost certainly making at least some money from the functionality of the latest version of this worm. Are the authors content, or have they simply lost interest in continuing their sordid activity? Are they “on the lam” because they fear being caught by law enforcement? I fear that the answer to each of these questions is “no.” Conficker’s authors may just be “taking the summer off.” Or they may well be planning the next version, one that will be so potent in reproducing itself and so malicious that it will constitute an Internet-wide pandemic.

One thing is for sure—Conficker is no “child’s toy.” Its code is exceptionally well written and the worm runs well on systems that it infects. Additionally, many Windows systems are not patched and are poorly configured with respect to security settings. Accordingly, whether or not a pandemic version of Conficker ever emerges, it is safe to bet that Conficker will be around a very long time.
