Conficker expectedly chaos-free as it activates across world
Right on schedule, the latest variant of the Conficker worm awoke Wednesday, querying hundreds of new URLs for instructions on what to do next. But, as most experts predicted, there were no orders to be had, and the estimated millions of machines infected by the malware remain in standby mode.
"About the only thing we've seen is that it has switched over to the DNS name-generation algorithm," Matt Watchinski, senior director of vulnerability research at Sourcefire, told SCMagazineUS.com on Wednesday. "Nobody has pushed out any new content yet. It hasn't [been] given new instructions to go do something."
The Conficker.C version of the worm was programmed to begin, on Wednesday, "phoning home" to 500 websites -- of a possible 50,000 per day -- to receive the instructions. Past versions of the worm only generated 250 unique domains per day.
Anti-virus vendors such as McAfee continued to monitor the situation but reported no major problems on Wednesday. Internet monitoring groups such as the SANS Internet Storm Center, which has volunteers placed all over the world, similarly reported no disruptions.
"Nothing significant to report (yet)," wrote Marcus Sachs, the center's director, on Wednesday morning. "We had several readers contact us over the past 24 hours with some minor impact, but so far no reports of anything newsworthy. Many organizations have been proactive about scanning their systems and finding either unpatched or Conficker-infected computers that were subsequently removed for repair."
In fact, it appears the organizations bearing the most impact from Wednesday's activation date are the groups trying to help end-users avoid infection. Sachs reported that the website for the Microsoft-led Conficker Working Group, a 23-member security industry alliance formed to fight the worm, was at times unavailable due to increased traffic. Also experiencing inadvertent but spotty service disruptions is Insecure.org, which offers the Nmap scanning tool, Sachs said. The tool had been updated to detect for Conficker infections.
But even though Wednesday brought more anti-climax than excitement, security researchers cautioned that the Conficker botnet remains a dangerous threat.
"There are millions of machines that are infected, and the capability is definitely there for attackers to use the network for nefarious purposes," Dan Hubbard, chief technology officer of web security firm Websense, said.
Hubbard warned of the possibility that a new version of the worm could soon arrive on the scene -- this one containing better built-in protections, to prevent against reverse engineering, and new methods of spreading. Meanwhile, Cisco security experts said they expected the worm to attain a peer-to-peer capability that will allow it to communicate with other compromised hosts for instructions, eliminating the need to query domains.