FAQ: Conficker time bomb ticks, but don't expect boom

Worm's latest variant is set to start hitting random domains on April 1. But security experts say the damage might not be as serious as the hype suggests.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read

There's been lots of hype about the fact that the latest variant of the Conficker worm is set to start communicating with other computers on the Internet on April 1--like an April Fool's Day time bomb with some mysterious payload.

But security researchers say the reality is probably going to be more like what happened when the clocks on the world's computers turned to January 1, 2000, after lots of dire predictions about the so-called millennium bug. That is, not much at all.

"It doesn't mean we're going to see some large cyber event on April 1," Dean Turner, director of the global intelligence network at Symantec Security Response, said on Wednesday.

It's likely that the people behind Conficker are interested in using the botnet, which is comprised of all the infected computers, to make money by distributing spam or other malware, experts speculate. To do so, they would need the computers and networks to stay in operation.

"Most of these criminals, even though they haven't done something with this botnet yet, are profit-driven," said Paul Ferguson, an advanced-threats researcher for Trend Micro. "They don't want to bring down the infrastructure. That would not allow them to continue carrying out their scams."

To help clear up some of the confusion about Conficker, here are answers to common questions people may have.

What is Conficker and how does it work?
Conficker is a worm, also known as Kido or Downadup, that cropped up in November. It exploits a vulnerability in Windows that Microsoft patched in October.

Conficker.B, detected in February, added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Conficker.C, which surfaced earlier this month, shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer networking and includes a list of 50,000 different domains, of which 500 will be contacted by the infected computer on April 1 to receive updated copies or other malware or instructions. Previous Conficker variants were written to connect to 250 domains a day.

Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on March 13. But a Southwest spokesman said the worm had had no impact on the site.

Where did Conficker come from?
Some pieces of the Conficker code and methodologies it uses are similar to those used in previous botnet worms created by the underground operation known as the Russian Business Network and cohorts in the Ukraine, Ferguson said. But while there is speculation, researchers don't know for sure who is involved, he said.

"There is some evidence to indicate that this might at one point have been tied to distribution of misleading apps and rogue affiliate networks," said Symantec's Turner.

How is it different from other Internet worms?
Conficker has grown increasingly sophisticated with each iteration, with features designed to increase its longevity, most likely in response to researchers' attempts to block it. After researchers began preregistering domains targeted in the code, the Conficker.C authors upped the ante by having the algorithm generate 50,000 possible domains, instead of just 250, throwing a big roadblock into efforts to counter the worm. The creators also are using advanced encryption to obscure the instructions detailing which random 500 of the 50,000 domains will actually be contacted on April 1.

It appears the authors may also be intending to create domain collisions by targeting domains that are already in use by legitimate owners, Ferguson said.

"They're creating collateral damage, throwing a monkey wrench into our ability to counter them," he said. "What they're trying to do is make our lives miserable on any efforts to mitigate the threat."

Some of the tactics, including the domain randomization, inter-node communication, and use of strong encryption, are new, according to Ferguson.

"They are using tactics that are probably the most complex and sophisticated botnet tactics we've seen to date," he said. "This is very professionally architected design and development."

Added Turner: "This is the first widespread distribution of a worm since about 2004," when Sasser came out. That worm was believed to have infected as many as 500,000 computers.

What is being done to fight Conficker?
Microsoft has partnered with all the major security companies and domain registrars and registries to form the Conficker Coalition Working Group. The parties are collaborating on research, trying to put the pieces of the puzzle together and figure out who is behind the worm and how to stop it. They are using techniques like behavioral analysis of the code and reverse engineering, but researchers don't want to reveal too much information on their efforts. "We have made headway but I'm hesitant to talk about how far we've gotten," Turner said.

Researchers in the U.S. are preregistering domains that are targeted, but experts in Canada are going even further. The Canadian Internet Registration Authority is taking steps to block domains generated in Conficker code that fall in the .ca top-level domain from being used in the botnet, the nonprofit agency said. "If other domain registries were able to do the same thing it would go a long way toward helping mitigate some of the ability for the botnet to breathe," Ferguson said.

Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 reward for information leading to an arrest in the Conficker case.

What can I do?
Computer users should apply the Microsoft patch and update their antivirus and other security software.

Windows users should also apply a Microsoft update for the AutoRun feature in Windows that was released in February. The patch allows people to selectively disable the Autorun functionality for drives on a system or network to provide more security, to ensure that it is truly disabled. In addition to putting USB drive users at risk of Conficker and other viruses, the Autorun functionality has been blamed for infections from digital photo frames and other storage types.

Panda also has released a free "vaccine" tool for blocking viruses that spread through USB drives.

Microsoft has a Conficker removal tool. More botnet information and removal resources are on the Shadowserver Web site.