Microsoft calls next Conficker variant 'manageable'

By Robert Westervelt, News Editor
30 Mar 2009 | SearchSecurity.com


The next variant of the Conficker/Downadup worm to appear April 1 is causing some to fear infected machines could be ordered to conduct a coordinated denial-of-service attack or silently pilfer sensitive information from computer users. But most security experts agree that an Internet doomsday scenario is unlikely.

Microsoft is urging customers to remain vigilant and to treat Conficker like any other malware threat a firm could encounter. In a message on its Microsoft Security Response Center blog, the software giant said the next variant uses a different domain-generation algorithm, producing a far larger number of possible domains from which to receive its orders. Security experts have already cracked the algorithm the next version uses and are working to disrupt it.

"This new version … does not spread by attacking new systems," said Christopher Budd, security program manager for the MSRC. "Just like we're staying constant and focused in our actions against Conficker, all of us encourage customers to stay constant and focused in their actions."

The worm targeted a Microsoft remote procedure call (RPC) vulnerability, which was patched Oct. 23 in a Microsoft out-of-band release. But it spread quickly, infecting as many as 10 million machines, according to some estimates. Some attributed the worm's fast propagation to slow patching; others said it spread quickly on machines in Eastern Europe, Asia and other regions where software piracy is more widespread and machines are less likely to be patched.

The Conficker Working Group, a consortium of independent security researchers, Internet registrars, security vendors and U.S. law enforcement, continues to actively monitor Conficker. When the latest version goes live April 1, it will randomly select about 500 domains from the 50,000 domain names it generates per day, instead of the 250 domains selected by previous versions. It also has a peer-to-peer (P2P) mechanism for updating other Conficker-infected machines.

Mikko Hypponen, chief research officer at F-Secure Corp. and member of the working group, said he is fairly confident that security experts have the worm under control. Nearly all the domains generated by the latest version of the worm will be blocked, Hypponen said.

"Blindly staring at one date is counterproductive," he said. "In most cases the peer-to-peer mechanism will be fairly limited by corporate firewalls, proxies and gateways."

Security experts can only speculate what the malware writer has in store for infected computers. Last month, researchers said the botnet created by the worm (latest estimates are about 3 million computers) could be broken up into geographic segments and sold off to spammers on the black market.

"It's a mystery and really anybody's guess," Hypponen said of the malware author's motives.

Microsoft also issued a $250,000 bounty for information that leads to the arrest and conviction of the malware authors. Very few clues exist, but law enforcement is focusing on Ukraine. The first version of Conficker would not infect machines configured with the Ukrainian country code, Hypponen said.

The sophisticated code that makes up the worm is leading law enforcement to believe the malware author is highly skilled and possibly a member of an organized crime ring. The domain-generation algorithm was also heavily obfuscated and encrypted. The Conficker Working Group uses a tool that reproduces the domains the worm will generate.
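The two points the article makes about the domain algorithm, that the working group can reproduce the worm's daily domain list ahead of time and that the new variant tries 500 of 50,000 candidates per day instead of 250, can be made concrete with a small model. The Python below is an added example written for this page; it is not Conficker's generator, nor the working group's tool, and the seed, TLD list and hashing scheme are constructed stand-ins. It shows why a date-seeded generator lets defenders precompute a day's list before the bots ask for it, and computes how complete a blocklist must be when each bot samples 500 of 50,000 candidates.

```python
from __future__ import annotations

import hashlib
import math
import random
from datetime import date

# Constructed toy parameters: NOT Conficker's real seed, TLD list or algorithm.
TOY_SEED = b"toy-dga-seed"
TOY_TLDS = ("com", "net", "org", "info")


def candidate_domains(day: date, count: int = 50_000) -> list[str]:
    """Return the deterministic candidate list for one day.

    Because the list depends only on the date and a fixed seed baked into
    the binary, anyone who has recovered the algorithm can compute
    tomorrow's list today; that is what lets defenders register or block
    the domains before infected machines query them.
    """
    day_key = hashlib.sha256(TOY_SEED + day.isoformat().encode()).digest()
    domains = []
    for i in range(count):
        h = hashlib.sha256(day_key + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                                   # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TOY_TLDS[h[-1] % len(TOY_TLDS)]}")
    return domains


def bot_contacts(day: date, blocked: set[str], tries: int = 500,
                 rng: random.Random | None = None) -> str | None:
    """Simulate one bot for one day: sample `tries` distinct domains from the
    day's candidates and return the first one not on the blocklist, or None
    if every domain it tried was blocked (the outcome defenders want)."""
    rng = rng or random.Random(0)
    for domain in rng.sample(candidate_domains(day), tries):
        if domain not in blocked:
            return domain
    return None


def unblocked_hit_probability(total: int, blocked: int, tries: int) -> float:
    """Exact probability that a bot sampling `tries` distinct domains out of
    `total` reaches at least one domain the defenders did NOT block.

    Hypergeometric: 1 - P(all `tries` picks fall inside the blocked set).
    """
    if blocked < tries:
        return 1.0  # cannot draw `tries` distinct domains from fewer blocked ones
    return 1.0 - math.comb(blocked, tries) / math.comb(total, tries)


if __name__ == "__main__":
    day = date(2009, 4, 1)
    # Defenders who can reproduce the list block all of it: the bot gets nothing.
    fully_blocked = set(candidate_domains(day))
    print("bot with complete blocklist:", bot_contacts(day, fully_blocked))
    # Coverage needed: previous variants (250 of 250) vs the new one (500 of 50,000).
    for total, blocked, tries in [(250, 250, 250), (50_000, 49_500, 500),
                                  (50_000, 49_990, 500), (50_000, 50_000, 500)]:
        p = unblocked_hit_probability(total, blocked, tries)
        print(f"{blocked}/{total} blocked, {tries} tries: P(bot finds live domain) = {p:.4f}")
```

The general point the model makes is that moving from 250 to 50,000 daily candidates does not change what defenders must do, only the scale at which they must do it: with 1% of a day's candidates left unblocked, a bot that tries 500 of them finds a live domain with about 99% probability, and even ten unblocked domains out of 50,000 give each bot roughly a one-in-ten chance per day. The per-day list therefore has to be covered almost completely, which is why reproducing the generator ahead of time matters so much.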

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy