By Richard Adhikari TechNewsWorld
03/30/09 12:04 PM PT
On Wednesday, the Conficker worm -- which has writhed its way into possibly millions of computers worldwide -- will open its ears and take orders. What it's going to do is still unclear, but security researchers are working feverishly to mitigate its power. The Honeynet Project, for one, has developed a scanner to check for Conficker's presence on a network.
Corporate network administrators can breathe a little easier as the world braces itself for what could be a massive Internet attack courtesy of the Conficker worm on April 1. International non-profit research organization The Honeynet Project, which works on Internet security, has come up with a new scanner to detect the worm on networks.
Over the weekend, security vendors worked with the project's Tillmann Werner and Felix Leder, who discovered how to detect Conficker on networks, to create an enterprise-class version of the scanner.
Werner and Leder will disclose the technical details of their findings later. However, some information is available on the personal blog of security researcher Dan Kaminsky, who worked with them on the scanner. Conficker, according to Kaminsky, changes what Windows looks like on the network, and this change can be detected remotely, anonymously and very quickly. An admin can literally ask a server whether it's infected and get a straight answer, according to the researcher.
Some vendors have begun incorporating the code developed over the weekend into their products.
The Who and the Whatnow?
Also known as "Downadup," "Kido" and "Confick," Conficker is a variant of the Win/32d worm first seen last year. Conficker has infected millions of computers to create what could be the world's largest botnet, although nobody seems able to provide an exact count of infected machines.
The worm is programmed to listen for orders on April 1, but beyond that, it's very unclear what exactly Conficker will do -- and that's what is worrying everyone. Vincent Weafer, vice president of Symantec Security Response (Nasdaq: SYMC), told TechNewsWorld that, apart from downloading instructions from servers on April 1, Conficker probably will do nothing.
Conficker spread so fast that Microsoft (Nasdaq: MSFT) put up a US$250,000 reward worldwide for information leading to the arrest and conviction of the people who launched it on the Internet.
Microsoft also coordinated a group of security vendors, academics and law enforcement agencies to hunt down the creators of the worm. Previously known as the "Conficker Cabal," the group has now changed its name to the more sedate "Conficker Working Group."
Scarier Than Michael Myers
It's not just Conficker's speed that is alarming; the virus continues to mutate, and security experts believe a highly organized, very professional group of cybercriminals with a high degree of technical knowledge is behind the worm.
"What makes this worm insidious is the communications it has used," Mark Parker, senior product manager at antivirus vendor Marshal8e6, told TechNewsWorld. "Before, worms would use IRC (Internet relay chat) or the Web; this one is using encrypted communications."
So far, three variants of the worm have been rolled out: A, B and C. The A variant uses a 512-bit key and an RSA-signed version with a 1,024-bit key; Variant B has a 4,096-bit key. In addition to encryption, Variant C creates an ad hoc peer-to-peer network, which makes it even more difficult to detect and prevent.
On April 1, Variant C is scheduled to contact 50,000 domains and download instructions from 500 of them chosen at random.
Takin' Care of Business
Qualys is among the vendors that worked on the code from the Honeynet Project over the weekend. The company will offer a remote scanner that detects all versions of the Conficker worm; it will be available free on Monday.
It's easy enough to protect against Conficker. Microsoft put out a patch to protect against it last year and has since put out more patches to protect against the new variants. All the major antivirus vendors protect fairly well against the worm.
"There's a ton of hype around Conficker, but if you've done what you need to do to protect your network, you're safe," Randy Abrams, director of technical education at security vendor Eset, told TechNewsWorld. "Just focusing on Conficker is like driving to avoid being hit only by Volkswagen Beetles; if you don't pay attention to the other traffic, you're in trouble."