Conficker April Fools Hype
March 27, 2009 by Joe Stewart
Filed under Research category.
Don’t panic. If you’re reading this, you’re probably not infected with Conficker.C. If you were already infected, you wouldn’t be able to access any page on secureworks.com, due to the worm author’s apparent dislike for the removal instructions we posted for earlier Conficker variants. So we have joined the list of over a hundred sites Conficker.C victims just can’t visit. (Of course, the worm still doesn’t block any sites if you are using an HTTP proxy, but this could change after its author reads this blog post).
If you’ve been reading any news at all on the Internet in the past week, you’ve probably heard that Conficker Armageddon is approaching, and it’s scheduled for April 1st, only a few days from now. The SecureWorks Counter Threat Unit has been receiving an increasing number of inquiries asking what one needs to do to prepare for the impending April 1st outbreak.
The truth is, there will be no April 1st outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it?
So why all the fuss over the 1st? It all started over a massive increase in the number of domain names being used by the worm to find control servers. In the A and B variants, there were only 250 possible domain names each day at a handful of top-level domains (TLDs) for the worm to utilize. Then, along came the Conficker Working Group (née Conficker Cabal) who set about learning the algorithm and disabling the domain names ahead of time. This didn’t sit well with the Conficker author(s), so Conficker.C was released with some additional features.
First, it would now use its own peer-to-peer protocol to allow infected nodes to update each other without the use of a centralized command-and-control server. (One might think this could allow other parties to gain control over the botnet created by the worm, but the author included digital signature checks into the code – no updates will be accepted by Conficker unless they are signed by the author’s private encryption key.)
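The signature gate described above is what keeps a third party from hijacking the P2P update channel: a peer applies an update only if the signature verifies under the single public key it already holds. The following Go program is an added example written for this post, not code from the worm or from SecureWorks; it uses Ed25519 from Go's standard library as a stand-in for whatever signature scheme the worm actually uses, and the `Update`, `SignUpdate`, `AcceptUpdate` and `Demo` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update is a hypothetical signed update record: a payload plus a signature
// over it. The layout is this example's assumption, not the worm's format.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate produces an update that a peer holding the matching public key
// will accept. Only the holder of priv can produce such a record.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// AcceptUpdate is the receiving peer's gate: the update is applied only when
// the signature verifies under the one pinned public key. A peer that relays
// an unsigned or re-signed update is simply ignored.
func AcceptUpdate(pinned ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pinned, u.Payload, u.Signature)
}

// Demo exercises the gate and returns three verdicts: a genuine update,
// a tampered copy of it, and an update signed by a stranger's key.
func Demo() (genuine, tampered, stranger bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the author's key pair
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // someone else's key
	if err != nil {
		return
	}
	payload := []byte("constructed update blob v1") // constructed sample payload

	u := SignUpdate(priv, payload)
	genuine = AcceptUpdate(pub, u)

	// Flip one bit of the payload while keeping the original signature.
	bad := Update{Payload: append([]byte{}, u.Payload...), Signature: u.Signature}
	bad.Payload[0] ^= 0x01
	tampered = AcceptUpdate(pub, bad)

	// Same payload, but signed with a key the peers do not trust.
	stranger = AcceptUpdate(pub, SignUpdate(otherPriv, payload))
	return
}

func main() {
	genuine, tampered, stranger, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v stranger=%v\n", genuine, tampered, stranger)
}
```

Only the first verdict is true; the tampered and the re-signed updates are rejected, which is why the P2P layer does not by itself hand the botnet to whoever can reach a peer.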
Second, Conficker.C will use a new algorithm to generate 50,000 unique controller domain names at 110 different TLDs every day. This activity is set to start on April 1st, and since it seems too large a problem for even the Conficker Working Group to handle, the press is worried that this massive botnet might finally be unleashed to wreak havoc upon the world’s networks.
But you should not fear April 1st, 2009, and here’s why:
- Conficker.C is already able to receive updates via its P2P protocol today, so focusing on the April 1st date is misguided.
- Don’t underestimate the reach of the Conficker Working Group. These are the security industry’s heavy-hitters, and you can be sure they are working diligently to mitigate the domain issue.
- Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly.
- If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.
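The monitoring mentioned above works at the network operator's end as well as at the registries: a host that is walking through a daily list of 50,000 generated names across 110 TLDs produces a burst of failed lookups for many distinct names at many distinct TLDs, while ordinary clients fail only occasionally. The Go program below is an added example written for this post, not SecureWorks code or the Working Group's tooling; it assumes a constructed, whitespace-separated DNS resolver log of the form `time client name rcode` (the sample lines and domain names are made up), and the `FailedLookupStats` and `Suspects` names and thresholds are this example's own heuristic.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// HostStats summarises one client's failed lookups over the log window.
type HostStats struct {
	FailedNames int // distinct queried names that returned NXDOMAIN
	TLDs        int // distinct top-level domains among those names
}

// Constructed sample resolver log (not real traffic): "time client name rcode".
// 10.0.0.5 behaves like a host walking a generated domain list; the others do not.
const sampleLog = `09:00:01 10.0.0.5 qwrtupzk.info NXDOMAIN
09:00:01 10.0.0.5 lmbvhdsa.biz NXDOMAIN
09:00:02 10.0.0.5 pozrkwqa.cc NXDOMAIN
09:00:02 10.0.0.5 ukahdsgw.ws NXDOMAIN
09:00:03 10.0.0.5 vmnbxqzt.org NXDOMAIN
09:00:03 10.0.0.5 vmnbxqzt.org NXDOMAIN
09:00:04 10.0.0.5 tgrnwlpe.net NXDOMAIN
09:00:05 10.0.0.7 www.example.com NOERROR
09:00:06 10.0.0.7 mail.example.com NOERROR
09:00:07 10.0.0.7 typo.exmaple.com NXDOMAIN
09:00:08 10.0.0.9 update.example.net NOERROR`

// tld returns the label after the last dot (the whole name if it has none).
func tld(name string) string {
	i := strings.LastIndex(name, ".")
	if i < 0 {
		return name
	}
	return name[i+1:]
}

// FailedLookupStats counts, per client, distinct NXDOMAIN names and the
// distinct TLDs they span. Repeated queries for the same name count once.
func FailedLookupStats(log string) map[string]HostStats {
	names := map[string]map[string]bool{}
	tlds := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 || f[3] != "NXDOMAIN" {
			continue // malformed line or a successful lookup
		}
		client, name := f[1], strings.ToLower(f[2])
		if names[client] == nil {
			names[client] = map[string]bool{}
			tlds[client] = map[string]bool{}
		}
		names[client][name] = true
		tlds[client][tld(name)] = true
	}
	out := map[string]HostStats{}
	for c, n := range names {
		out[c] = HostStats{FailedNames: len(n), TLDs: len(tlds[c])}
	}
	return out
}

// Suspects returns, sorted, the clients whose failed-name count and TLD
// spread both reach the given thresholds. Requiring TLD spread as well as
// volume avoids flagging a host that merely retries one dead hostname.
func Suspects(stats map[string]HostStats, minNames, minTLDs int) []string {
	var s []string
	for c, st := range stats {
		if st.FailedNames >= minNames && st.TLDs >= minTLDs {
			s = append(s, c)
		}
	}
	sort.Strings(s)
	return s
}

func main() {
	stats := FailedLookupStats(sampleLog)
	for c, st := range stats {
		fmt.Printf("%s: %d failed names across %d TLDs\n", c, st.FailedNames, st.TLDs)
	}
	fmt.Println("suspects:", Suspects(stats, 5, 3))
}
```

On the sample log only 10.0.0.5 is reported (6 distinct failed names over 6 TLDs); 10.0.0.7's single typo does not reach the thresholds, and a real deployment would tune them to the window size and the site's normal failure rate.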
My personal opinion is that the April 1st activation of the new algorithm may simply be a distraction, a kind of practical joke on the part of the worm author(s). Conficker may not be something to laugh about, but it’s also not quite as serious as one might believe from reading about it in the press.
If you’ve already taken steps to protect your network against Conficker and similar network worms, you’ll have plenty of time on April 1st to read all the same old fake news stories/blog posts and prank your co-workers.