What happened to the Conficker virus?

It has been quiet for months. But is a comeback to be expected? As the worm is self-updating, and has switched from “phone-home” logic to peer-to-peer logic, it is considered autonomous in many ways.
But the software is still being updated, there are still more than 5 million workstations and servers infected, and all these zombies are just hanging around waiting for instructions.

Mikko Hypponen (F-Secure) Conficker presentation at the Black Hat conference

Loss of attention

During the first quarter of 2009 the peak estimate was roughly 10 million infected machines. The Norwegian police got infected, a London hospital got infected, a major Norwegian hospital, among others. The cost of the worm, including indirect cost due to loss of productivity, cannot be estimated. Did it take longer to get back the results from the cancer test? Affecting administrative systems also affects patient care.
Conficker was all over the place. But it has lost attention. The media has moved on to Twitter/Facebook and other social networking security issues that are more media friendly than a boring botnet that is idle but growing.
And loss of attention is just what they are waiting for. What is the motivation? What are they going to use this botnet for?

The Conficker Working Group has been fighting the Conficker battle since the initial infections in late November 2008, but they are actually more on the defensive side 8 months later. Rodney Joffe, director of the Conficker Working Group, says: “Even if we lose against Conficker, there are things we’ve learned that will benefit us in the future.”

Motivation

The resources spent on producing Conficker can be illustrated by the cryptographic algorithm used in the Conficker family. They started using the MD6 algorithm in Conficker.B just weeks after the first publication of this algorithm, and updated the algorithm in Conficker.C just two weeks after the revised version addressing a buffer overflow was published. This is slick, leading-edge worm development.
There has been speculation on whether they have funding from an intelligence agency, the military, or even a country. Conficker.A employs two checks to avoid infecting systems located within Ukraine; this code is removed in later versions of the Conficker family. In the Conficker.C update some code was added for a popup marketing fake antivirus software. Most likely a disguise to make it look like an everyday profit-driven worm.
The best-case scenario would be if they are only in it for the money.

Useful tools

F-Secure Easy Clean – free tool from F-Secure to remove Conficker
Windows Malicious Software Tool – scan your system for infections
Make sure you configure Microsoft Update to get the latest security patches.
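As an added example, not part of the original post and not a tool from F-Secure or Microsoft, here is a PowerShell check an administrator can run to confirm that a Windows host is actually configured to receive patches through Automatic Updates, rather than assuming it is. The registry paths, the AUOptions values and the wuauserv service are Microsoft's documented Windows Update settings; the function name and the verdict strings are my own. It assumes Windows PowerShell 3.0 or later, run from an elevated prompt.

```powershell
# Added example (not from the original post): report whether this Windows host is
# set up to receive security updates automatically.
# Assumes Windows PowerShell 3.0+ (uses -in and [pscustomobject]) and an elevated prompt.

function Get-AutomaticUpdateStatus {
    # Group Policy settings take precedence over the local Automatic Updates settings.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue

    # The Windows Update service (wuauserv) must not be disabled for patches to arrive.
    $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"

    # AUOptions values as documented by Microsoft:
    #   1 = never check for updates, 2 = notify before download,
    #   3 = auto download, notify before install, 4 = auto download and schedule install,
    #   5 = let the local administrator choose the setting.
    $automatic = 3, 4

    $verdict = 'Not configured: Windows Update will use its defaults'
    if ($service -and $service.StartMode -eq 'Disabled') {
        $verdict = 'Blocked: the Windows Update service is disabled'
    } elseif ($policy -and $policy.NoAutoUpdate -eq 1) {
        $verdict = 'Blocked: Automatic Updates disabled by Group Policy'
    } elseif ($policy -and $policy.AUOptions -in $automatic) {
        $verdict = 'OK: automatic updates enforced by Group Policy'
    } elseif ($policy -and $policy.AUOptions) {
        $verdict = "Weak: Group Policy sets AUOptions=$($policy.AUOptions), patches need manual action"
    } elseif ($local -and $local.AUOptions -in $automatic) {
        $verdict = 'OK: automatic updates enabled locally'
    } elseif ($local -and $local.AUOptions) {
        $verdict = "Weak: local AUOptions=$($local.AUOptions), patches need manual action"
    }

    # Collect the raw values alongside the verdict so the report can be filed as evidence.
    $serviceState = if ($service) { $service.State }     else { 'missing' }
    $serviceStart = if ($service) { $service.StartMode } else { 'missing' }
    $policyAU     = if ($policy)  { $policy.AUOptions }  else { $null }
    $localAU      = if ($local)   { $local.AUOptions }   else { $null }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceState     = $serviceState
        ServiceStartMode = $serviceStart
        PolicyAUOptions  = $policyAU
        LocalAUOptions   = $localAU
        Verdict          = $verdict
    }
}

# Usage: print the report and return a non-zero exit code when the host is not set up
# for automatic patching, so the check can be scheduled and its result acted upon.
$status = Get-AutomaticUpdateStatus
$status | Format-List
if ($status.Verdict -notlike 'OK:*') { exit 1 }
```

The check deliberately reads the Group Policy key before the local key, because a policy value silently overrides whatever a user set in the Control Panel; a host that looks correctly configured locally can still be blocked from patching by a stray NoAutoUpdate=1 or a disabled service, and those are the two cases the verdict flags first.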
