No joke -- Conficker worm set to explode on April Fool's Day
Conficker has been the most effective worm in a number of years, with perhaps nine million machines infected worldwide -- but the full impact of its threat has yet to be seen, Ben Greenbaum, senior research manager for Symantec Security Response told SCMagazineUS.com Friday.
With the first two variants of Conficker, malware authors were aiming to propagate the worm further and grow their botnet, he said. But with the latest version -- dubbed W32.Downadup.C -- malware authors will strengthen their hold on infected computers.
That's because when it activates, version C will prevent certain security products and services from running and will block infected computers from connecting with certain security websites, Greenbaum said. The list of security processes that the component attacks include some popular tools, including Wireshark, procmon, TCPView, and RegMon.
In addition, the worm's authors moved from a 250-a-day domain-generation algorithm to a new one that generates 50,000 domain names.
The new variant is designed so zombie machines check in with these websites -- usually about 500 per computer -- each day for further instructions or updates, Don DeBolt, director of threat research at IT management software vendor CA, told SCMagazineUS.com Friday.
When an infected machine "calls home," it can obtain new functionality, he said.
“We expect to see significant traffic on top-level domain servers, and ancillary traffic across the net, as a result of live Conficker installs attempting to call home,” he said.
The purpose of generating and attempting to contact so many URLs is to make it more difficult for security researchers to find the malicious sites that are giving the bots instructions.
“The idea is to hide a needle in a haystack,” DeBolt said.
The new version of the worm is considered a response to the successful cracking of the W32.Downadup.B worm. Last month, Microsoft formed a coalition, nicknamed the Conficker Cabal, with technology industry leaders and academia to fight the Conficker worm. The coalition worked with the Internet Corporation for Assigned Names and Numbers (ICANN) to preregister the domain names before the Conficker authors could do so.
With the new variant, malware authors are trying to make it more difficult to preregister all the potential domain names, Greenbaum said.
Security researchers said that so far, the purpose of the worm has been to establish a botnet, but its true purpose has yet to be determined.
“The end game of the malware authors is still in question,” DeBolt said.
It could potentially be used for denial-of-service attacks, to harvest personally identifiable information from victims or to send spam, researchers said.
“The potential impact is quite large,” Greenbaum said. “Even if every infected machine is instructed to download a keylogger and capture passwords, that's quite an impact itself. It's just a matter of what they choose to do with the rather large installation base.”