Security Sleuths Work Overtime to Confound Conficker

Corporate network administrators can breathe a little easier as the world braces itself for what could be a massive Internet attack courtesy of the Conficker worm on April 1. International non-profit research organization The Honeynet Project, which works on Internet security, has come up with a new scanner to detect the worm on networks.

Over the weekend, security vendors worked with the project’s Tillmann Werner and Felix Leder, who discovered how to detect Conficker on networks, to create an enterprise-class version of the scanner.

Werner and Leder will disclose the technical details of their findings later. However, some information is available on the personal blog of security researcher Dan Kaminsky, who worked with them on the scanner. Conficker, according to Kaminsky, changes what Windows looks like on the network, and this change can be detected remotely, anonymously and very quickly. An admin can literally ask a server whether it’s infected and get a straight answer, according to the researcher.

Some vendors have begun incorporating the code developed over the weekend into their products.

The Who and the Whatnow?

Also known as “Downadup,” “Kido” and “Confick,” Conficker is a variant of the Win/32d worm first seen last year. Conficker infected millions of computers to create what could be the world’s largest botnet, although it seems nobody really can provide an exact number of machines infected.

The worm is programmed to listen for orders on April 1, but beyond that, it’s very unclear what exactly Conficker will do — and that’s what is worrying everyone. Vincent Weafer, vice president of Symantec Security Response, told TechNewsWorld that, apart from downloading instructions from servers April 1, Conficker probably will do nothing.

Conficker spread so fast that Microsoft put up a US$250,000 reward worldwide for information leading to the arrest and conviction of the people who launched it on the Internet.

Microsoft also coordinated a group of security vendors, academics and law enforcement agencies to hunt down the creators of the worm. Previously known as the “Conficker Cabal,” the group has now changed its name to the more sedate “Conficker Working Group.”

Scarier Than Michael Myers

It’s not just Conficker’s speed that is alarming; the virus continues to mutate, and security experts believe a highly organized, very professional group of cybercriminals with a high degree of technical knowledge is behind the worm.

“What makes this worm insidious is the communications it has used,” Mark Parker, senior product manager at antivirus vendor Marshal8e6, told TechNewsWorld. “Before, worms would use IRC (Internet relay chat) or the Web; this one is using encrypted communications.”

So far, three variants of the worm have been rolled out: A, B and C. The A variant uses a 512-bit key and an RSA-signed version with a 1,024-bit key; Variant B has a 4,096-bit key. In addition to encryption, Variant C creates an ad hoc peer-to-peer network, which makes it even more difficult to detect and prevent.

On April 1, Variant C is scheduled to contact 50,000 domains and download instructions from 500 of them chosen at random.

Takin’ Care of Business

Qualys is among the vendors that worked on the code from the Honeynet Project over the weekend. It will include a remote code scanner that will detect all versions of the Conficker worm. This will be available free Monday.

Others are Tenable, McAfee, Nman, and Ncircle, according to Kaminsky’s blog. Microsoft also has put up information on its site, and more information is available on the SANS Internet Storm Center site.

It’s easy enough to protect against Conficker. Microsoft put out a patch to protect against it last year and has since put out more patches to protect against the new variants. All the major antivirus vendors protect fairly well against the worm.

“There’s a ton of hype around Conficker, but if you’ve done what you need to do to protect your network, you’re safe,” Randy Abrams, director of technical education at security vendor Eset, told TechNewsWorld. “Just focusing on Conficker is like driving to avoid being hit only by Volkswagen Beetles; if you don’t pay attention to the other traffic, you’re in trouble.”

1 Comment


    I AM AM Mac user. Yes, I do have a few PCs and more Unix and Linux machines, but the Windoz box that was last on the Internet was about 1999.

    We do have a few Unix machines, and more than a few Linux machines, but they are pretty immune too.

    Still, the general population should just go to Mac. Commercial and business users may need Linux or even Unix, but not WINDOZ, for God’s sake!

    I also have a Paralles partition on my laptop (the ONLY Windoz computer that can get on the Internet in the entire plant) that booted Windoz a bit over two years ago.

    WHY IN THE WORLD DO PEOPLE PUT UP WITH THIS CRAP? Why would anyone go through all the crap that you must to protect a Windoz machine when NOTHING is required on a Mac?

    Yes, there is evil software for the Mac, but if you don’t give your users Admin access, they cannot load it.

    Those with Admin access have to request the evil software, download it, dismiss the warning, and enter their Admin password. To download evil software one would have to be an absolute idiot.

    In an office environment, there is NOTHING that cannot be done on the Mac, using Mac:Office (not great as it is expensive and still Micro$oft), iWork (pretty darned good, Office compatible and $79 or one user or $99 for five), or Open Office (FREE, and darned good, and totally M$ Office compatible).

    WHY do Windoz users put up with this crap? What a waste of time and MONEY!

    It makes no sense at all!

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels