
What Will Conficker Bring on April 1?

Conficker has become the boogeyman of the security industry over the last year. The latest variant of the worm, Conficker.C, is programmed to do something on April 1. But what exactly will happen? The scary thing is, no one can say for sure.

March 26, 2009

The "A" and especially "B" variants of this worm (also known as Downadup) have built a botnet estimated at several million PCs, almost exclusively through exploitation of the MS08-067 vulnerability in Windows. Conficker added some innovative techniques to update itself through a large number of domains, the names of which were algorithmically generated by the program. Because the names were deterministic, it was possible for the DNS authorities (VeriSign, et al.) to block the names. With few exceptions, the worm has been unable to spread since that point several weeks ago.

Then the "C" variant came along. It adds a number of defensive measures designed to protect itself from detection and removal, and it ratchets up the number of domains it can check for updates. As this very large and thorough analysis of Conficker.C from SRI International says, "...Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day." Thus "C" should generate less traffic than the earlier versions, especially inasmuch as it filters the IP addresses for these domains to make them work better and avoid detection.
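To make the deterministic-domain point concrete, here is an added example that is not from the article, from SRI's analysis, or from Conficker itself: a constructed stand-in generator that derives each day's candidate names from the date, and the defender-side check that precomputes that day's full list and matches it against constructed DNS query-log lines. The hashing scheme, the TLD set and the log format are assumptions, not Conficker's; the only property shared with the real worm is that the names are reproducible from the date, which is exactly what lets registries and resolvers block them in advance.

```python
import datetime
import hashlib
import re

# Constructed stand-in DGA, NOT Conficker's real algorithm. It shares only the
# property the article relies on: each day's candidate domains derive
# deterministically from the date, so a defender can precompute them.
TLDS = ("com", "net", "org", "info", "biz")  # assumed TLD set for the toy generator

def generate_domains(day: datetime.date, count: int) -> list:
    """Return the first `count` candidate rendezvous domains for `day`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains

# Simplified BIND-style query log line: "... query: <name> IN A ..." (assumed format).
QUERY_RE = re.compile(r"query: ([A-Za-z0-9.-]+) IN ")

def flag_dga_queries(log_lines, day: datetime.date, count: int = 50000) -> list:
    """Precompute the whole day's candidate set once, then report any queried name in it.

    The defender cannot know which 500 of the 50,000 names a bot will pick,
    so the match set must cover all of them.
    """
    blocklist = set(generate_domains(day, count))
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m:
            name = m.group(1).lower().rstrip(".")
            if name in blocklist:
                hits.append(name)
    return hits

APRIL_FIRST = datetime.date(2009, 4, 1)
# Constructed sample log: two names taken from the toy generator's April 1 list
# (indexes 42 and 4999), plus benign traffic that must not be flagged.
_candidates = generate_domains(APRIL_FIRST, 5000)
PLANTED = [_candidates[42], _candidates[4999]]
SAMPLE_LOG = [
    f"01-Apr-2009 00:05:12.001 client 10.0.0.7#53122: query: {PLANTED[0]} IN A + (10.0.0.1)",
    "01-Apr-2009 00:05:13.417 client 10.0.0.8#41002: query: update.microsoft.com IN A + (10.0.0.1)",
    f"01-Apr-2009 00:06:01.900 client 10.0.0.7#53140: query: {PLANTED[1]} IN A + (10.0.0.1)",
    "01-Apr-2009 00:06:02.222 client 10.0.0.9#50001: query: www.pcmag.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    print(flag_dga_queries(SAMPLE_LOG, APRIL_FIRST))  # prints the two planted names
```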

Avoiding detection is a major theme with Conficker.C. It's not the first malware to try to defend itself in memory against security software and diagnostic tools, but "C" does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center. My impression from talking to anti-malware vendors is that they can still detect it, and I'm inclined to believe them; after all, there are just a few variants of Conficker and they're well understood.

Some security vendors, such as ESET, are urging you to back up in advance of April 1 and to make sure that your security software is working properly. Of course (and they say this too) these are things you should do in any event. But make sure that the update mechanisms for Windows and your anti-malware software are actually running, because Conficker can turn them off.

But the big news with "C" is that the code is scheduled to come alive on April 1, start contacting the 50,000 domains, and download something. What will the bots download? What will it make them do? Honestly, nobody knows. This is the great mystery.

Another question you might ask is: if the DNS powers that be stopped the propagation mechanism for Conficker "A" and "B," how did "C" spread? Perhaps it's not that widespread after all? I asked Richard Wang, manager of SophosLabs U.S., about this. He stresses that it's hard to know for sure how much Conficker.C is out there because the malware is lying low until April 1. Among Sophos customers, "C" represents 6 percent of the Conficker population, but it's not clear whether that's representative of the world overall. It is possible for "C" to spread in part because there is a direct push mechanism in "B," allowing an outside system to contact it and provide a domain name from which it should download an update, presumably "C".

Conficker is really sophisticated as malware goes. It's clear that its authors are smart people and perhaps that's what's got security people worried. But the only rational way to approach this is to do the things you know you need to do anyway and then not get hung up on it. Remember, there's a very good chance that on April 1 nothing much will happen.

Originally posted on the PCMag.com security blog, Security Watch.