Is Conficker overhyped?
Press coverage has overhyped the issue of Conficker, and although it is dangerous, the security community has known about this worm since the first variant, claimed Rick Howard, director of security intelligence at iDefense.
“The mitigation recommendations are the same for this fourth variant as they were for the first," Howard said. "Variants of the Conficker worm have been spreading since November of last year and the worm has infected millions of systems, but does not yet have a clear purpose."
The attacker recently released a major update to Conficker, known as Conficker.C. This variant contains two major new features. First, the domain generation algorithm now creates 50,000 random domains, and attempts to contact 500 of them each day. It is completely impractical for the ‘Conficker Cabal,' a group of security researchers, to lock down all 50,000 domains generated each day.
“The attacker will not register all of these domains, but will have a much better chance of successfully registering at least one that infected nodes will contact. Given that Conficker.C nodes will only contact 500 of the domains each day, it is likely that they will not reach the Command and Control (C&C) server on the first day. It will likely be days or weeks before all nodes can be properly updated to the latest version.”
Howard claimed that additions to the code include a P2P file sharing ability and a change to the algorithm for the domain names, so the additional functionalities will spread it further and make it harder to track.
“The code has evolved and new functionalities have been added that makes it harder to block, but the reason everyone is concerned is because they don't know what it will do. The attacker probably limited the total domains to contact to avoid generating too much traffic, which could bring attention to the infected computer by security administrators.
“The combination of these two update mechanisms will help solidify the attacker's control over the Conficker network, which the cabal has partially wrestled away. What the attacker does with the network after making updates is unclear. What is clear is that the threat of Conficker is nothing new, and the precautions responsible users and organizations have already deployed will protect them from the latest Conficker.C, despite the updates that will go live on April Fool's Day,” said Howard.