The next variant of the Conficker/Downadup worm to appear April 1 is causing some to fear infected machines could be ordered to conduct a coordinated denial-of-service attack or silently pilfer sensitive information from computer users. But most security experts agree that an Internet doomsday scenario is unlikely.
Microsoft is urging customers to continue to be vigilant, treating Conficker like any other malware threat a firm could encounter. In a message on its Microsoft Security Response Center blog, the software giant said the next variant uses a different domain algorithm, generating a larger number of possible domains to receive its orders. Security experts have already cracked the next version's algorithm and are working to disrupt the next version of the worm.
"This new version … does not spread by attacking new systems," said Christopher Budd, security program manager for the MSRC. "Just like we're staying constant and focused in our actions against Conficker, all of us encourage customers to stay constant and focused in their actions."
The worm targeted a Microsoft remote procedure call (RPC) vulnerability, which was patched Oct. 23 in a Microsoft out-of-band release. But it spread quickly, infecting as many as 10 million machines, according to some estimates. Some attributed the worm's fast propagation to slow patching, others said the worm quickly spread on machines in Eastern Europe, Asia and other locations where software piracy is more rampant and machines are less likely to be patched.
The Conficker Working Group, a consortium of independent security researchers, Internet registrars, security vendors and U.S. law enforcement, continue to actively monitor Conficker. When the latest version goes live April 1 it will randomly select about 500 domains from 50,000 domain names generated per day instead of 250 domains it selected with previous versions. It also has a peer-to-peer (P2P) mechanism to update other Conficker infected machines.
Mikko Hypponen, chief research officer at F-Secure Corp. and member of the working group, said he is fairly confident that security experts have the worm under control. Nearly all the domains generated by the latest version of the worm will be blocked, Hypponen said.
"Blindly staring at one date is counter productive," he said. "In most cases the peer to peer mechanism will be fairly limited by corporate firewalls, proxies and gateways."
Security experts can only speculate what the malware writer has in store for infected computers. Last month, researchers said the botnet created by the worm (latest estimates are about 3 million computers) could be broken up into geographic segments and sold off to spammers on the black market.
"It's a mystery and really anybody's guess," Hypponen said of the malware author's motives.
Microsoft also issued a $250,000 bounty for information that leads to the arrest and conviction of the malware authors. Very few clues exist, but law enforcement is focusing on the Ukraine. The first version of Conficker wouldn't infect machines containing the Ukrainian country code, Hypponen said.
The sophisticated code that makes up the worm is leading law enforcement to believe the malware author is highly skilled and possibly a member of an organized crime ring. The domain algorithm used to generate domains was also heavily obfuscated and encrypted. The Conficker Working Group uses a tool to generate domains used by the worm.