April 1, 2009

Conficker Steps Up, But With Muted Effects

The Conficker Internet worm became more aggressive in trying to contact its creators on Wednesday, as the malicious code reached the April 1st trigger date on which it was set to modify itself to become harder to stop.

However, computer security experts appear to have been correct in predicting that the visible effects would be muted.

Although the estimated 3 million to 12 million computers infected by Conficker were instructed to accelerate attempts to "phone home" for commands, that appeared to be the only sign of life from the worm.

As expected, the change rolled from east to west, beginning in the time zones that were first to reach April 1st.

Experts tracking Internet traffic in Asia and Europe after clocks struck April 1st said there was no indication that the worm was doing anything other than modifying itself to be more difficult to eradicate.

Earlier Conficker variants had been programmed to generate 250 Internet domain names per day and check each of them for commands from the worm's creators, according to experts at Microsoft. On Wednesday the worm began generating daily lists of 50,000 domain names and contacting 500 of them chosen at random, which makes it far harder for defenders to pre-register or block every domain it might use.
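To see why the jump from 250 to 50,000 daily domains matters to defenders, here is an added example (not code from the article, and not any published Conficker analysis) that computes, from the figures the article gives, how many of a day's candidate domains would have to be pre-registered or sinkholed to keep the worm from reaching a single live command domain. The domain counts and the assumption that the 500 contacts are chosen uniformly at random come from the article; the 1% daily-success target and the trial counts are illustrative assumptions.

```python
from fractions import Fraction
from math import comb
import random

# Figures from the article: earlier variants generated 250 candidate domains a
# day and checked all of them; the April 1 behaviour generates 50,000 a day and
# contacts 500 of them chosen at random.
OLD_DAILY_DOMAINS = 250
NEW_DAILY_DOMAINS = 50_000
NEW_CONTACTS_PER_DAY = 500


def p_all_blocked(total: int, blocked: int, contacted: int) -> Fraction:
    """Exact probability that every one of `contacted` domains, drawn uniformly
    without replacement from `total` candidates, lies among the `blocked` ones
    (hypergeometric tail, kept as a Fraction so comparisons are exact)."""
    if contacted > blocked:
        return Fraction(0)
    return Fraction(comb(blocked, contacted), comb(total, contacted))


def p_reaches_controller(total: int, blocked: int, contacted: int) -> Fraction:
    """Probability that at least one contacted domain is not blocked, i.e. the
    worm gets through to a domain its operators could still have registered."""
    return 1 - p_all_blocked(total, blocked, contacted)


def domains_to_block_for(total: int, contacted: int,
                         max_success: Fraction) -> int:
    """Smallest number of the day's candidate domains defenders must have
    pre-registered or sinkholed so the worm's chance of reaching an unblocked
    domain that day is at most `max_success`.  Binary search is valid because
    the success probability falls monotonically as more domains are blocked."""
    lo, hi = contacted, total
    while lo < hi:
        mid = (lo + hi) // 2
        if p_reaches_controller(total, mid, contacted) <= max_success:
            hi = mid
        else:
            lo = mid + 1
    return lo


def simulate_day(total: int, blocked: set, contacted: int,
                 rng: random.Random) -> bool:
    """Monte Carlo cross-check: pick `contacted` of the day's `total` domains at
    random and report whether any of them lies outside the blocked set."""
    picks = rng.sample(range(total), contacted)
    return any(d not in blocked for d in picks)


def success_rate(total: int, blocked_count: int, contacted: int,
                 trials: int = 2000, seed: int = 1) -> float:
    """Fraction of simulated days on which the worm reaches an unblocked domain,
    assuming defenders blocked the first `blocked_count` domain indices
    (which domains are blocked does not matter for a uniform random draw)."""
    rng = random.Random(seed)
    blocked = set(range(blocked_count))
    hits = sum(simulate_day(total, blocked, contacted, rng) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    target = Fraction(1, 100)  # assumption: defenders want <= 1% daily success
    old = domains_to_block_for(OLD_DAILY_DOMAINS, OLD_DAILY_DOMAINS, target)
    new = domains_to_block_for(NEW_DAILY_DOMAINS, NEW_CONTACTS_PER_DAY, target)
    print(f"250/day, all contacted   : block {old} of {OLD_DAILY_DOMAINS}")
    print(f"50,000/day, 500 contacted: block {new} of {NEW_DAILY_DOMAINS}")
    for pct in (50, 90, 99):
        b = NEW_DAILY_DOMAINS * pct // 100
        p = float(p_reaches_controller(NEW_DAILY_DOMAINS, b, NEW_CONTACTS_PER_DAY))
        print(f"  {pct}% of domains blocked -> worm gets through with p = {p:.6f}")
```

The result is stark: under the old scheme defenders could register all 250 domains and shut the channel completely, whereas with 50,000 candidates and 500 random contacts, leaving even one domain unregistered still gives the worm a 500/50,000 = 1% chance per day, and blocking 99% of the list leaves it getting through on more than 99% of days.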

"One thing we're not seeing is any mass malicious activity," McAfee analyst Joris Evers told the Associated Press.

"The Internet today is working just as well as it was working yesterday."

Other experts agreed.

"Planes are not going to fall out of the sky and the Internet is not going to melt down," said threat analyst Paul Ferguson of the computer security firm Trend Micro in an interview with AFP.

"The big mystery is what those behind Conficker are going to do. When they have this many machines under their control it is kind of scary. With a click of a mouse they could get thousands of machines to do whatever they want," he said.

Conficker is a self-replicating program that spreads to networked computers that have not applied the security patch for a flaw in the Windows RPC Server Service.  It can infect machines over the Internet or by hiding on USB memory sticks.  Once installed, the malware could be commanded to steal data or to hand control of the infected computers to its operators, who use such "zombie" machines as a botnet.

A Microsoft task force has been working to shut down the worm, and the company has offered a $250,000 reward for information about those responsible for the threat. Last October, the company issued a software patch (MS08-067) for the vulnerability the worm exploits, but not everyone applied it.

Analysts say the worm's creators likely want to use their enormous botnet to distribute spam or to commit other cybercrimes, not to bring down the Internet.  For that reason, they say, Conficker's creators will likely wait before sending any commands.

"Everyone who is fighting Conficker is on high alert," Evers said.

Security firms tracking Conficker have been largely successful in blocking infected machines from communicating with the worm's creators, chiefly by registering the worm's command domains before its operators can.

Since Conficker blocks access to Microsoft's Web site and to those of most antivirus companies, being unable to reach those sites is a telltale sign that a computer may be infected.  As a workaround, owners of a suspect machine can have someone else e-mail them a Conficker removal tool.

Computer security experts warn that the Conficker threat will remain even if April 1st passes without incident.

"I hope April 1st comes and goes with no trouble. But, there is this loaded pistol looming large out there even if no one has pulled the trigger," said Ferguson.

Conficker was first detected in November 2008.  Some cybercriminals are now taking advantage of the hype by promising cures to lure users to Web sites booby-trapped with malicious code.

The FBI said it is working with the Department of Homeland Security and other agencies to "identify and mitigate" the threat.

"The public is once again reminded to employ strong security measures on their computers," FBI Cyber Division assistant director Shawn Henry said in a press release about the matter.

"That includes the installation of the latest anti-virus software and having a firewall in place...Opening, responding to, or clicking on attachments contained in unsolicited e-mail is particularly harmful and should be avoided."