Conficker an April Fool's joke? Maybe not
Summary: Just because the Conficker worm didn't launch an attack on April Fools Day doesn't mean it still isn't a threat. But it did make the world painfully aware of the penalty for not keeping its patches up to date.
The worm, also known as Downadup, has infected between one million and 15 million machines, according to some estimates. The worm shuts down security services, blocks computers from connecting to security websites and downloads a Trojan.
The Conficker C variant was programmed to connect infected machines to 50,000 domains on Wednesday. The worm was then expected to deliver a malware update to the computers. However, the anticipated threat has failed to materialize.
F-Secure security specialist Patrik Runald wrote on the F-Secure blog that while some infected machines had attempted to contact domains specified by the worm, no update had been sent.
"So what's going on? So far — nothing," Runald wrote on Wednesday. "Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys)."
Paul Ferguson, an advanced threats researcher at Trend Micro, told CNET News on Wednesday that the security company had seen some effect in Asia. "We've seen activity in honeypot machines in Asia... They're generating the 50,000 list of (potential) domains to contact," said Ferguson.
Researcher Holly Stewart, writing on the IBM ISS Frequency X blog, said the 1 April date seemed to have been a joke on the security companies.
"April Fool's does certainly seem to have been a joke on us," wrote Stewart. "We knew it might happen... but we had to be on alert anyway. Hey, that's why we're here, right? I guess the point is that even though nothing happened today, I think, at least, that something is going to happen eventually."
Stewart warned of the potential for the infected machines to be made into a network of compromised machines, or botnet, as a money-making venture. Botnets can be used for purposes such as sending spam, and performing denial-of-service and brute-force attacks.
"It's obvious that the development of Conficker has cost someone a lot of money," wrote Stewart. "The advanced technology and sophisticated obfuscation that we've witnessed is fairly unprecedented. It would really, really surprise me if no one decides to cash in on that hefty investment."
This article was originally posted on ZDNetUK.
Talkback
If it were mine
Whoever did it is going to get theirs at some point, and I am sure they won't like it. The longer it goes, the worse the return on investment will end up being, as the penalty will likely be very high.
From the tech side, I am interested in the ability to morph and still not get caught. Update a tool that they think is locked down, only to find out that it has been updated to reflect many more sites. How did the creator detect the block? Why wasn't the update tracked when the worm was updated? Where is the information on the current investigation? If they can't stop it, then they should share more of the in-depth steps that are being taken, enroll the assistance of the open-source mentality, and enlist everyone interested in stopping this worm.