Are You Ready for April 1?

    March 28th, 2009 | Ethel | Internet, Software, Technology

    April 1, each year, is the date which triggers various computer viruses, worms and other malware.  This year, the worm that has the Internet abuzz is Conficker (also known as Downadup).

    According to ComputerWorld:

    Security researchers are in the dark about what will happen next week when the newest variant of Conficker, 2009’s biggest worm by a mile, begins trying to contact its controllers.

    “It’s impossible to know until we see something that has a clear profit motive,” said Joe Stewart, director of malware research at SecureWorks Inc. and a noted botnet researcher.

    PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.

    That tactic is just one of several designed to make it tough for security researchers to figure out what Conficker’s all about, and more importantly, what it might do. “We had to trick it into thinking it’s not only getting back the right page, but that it’s getting the April 1 date,” said Stewart, talking about the machines SecureWorks purposefully infected with Conficker.c.

    “So far, we haven’t seen any evidence [on those machines] of what it will do April 1,” added Stewart, although that’s to be expected. “It’s not April 1 yet, so they’re not going to put something online, where it might be found. In fact, it’s almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network.”

    Symantec Corp.’s Vincent Weafer, vice president of the company’s security response group, agreed with Stewart that it’s impossible to know ahead of time what stunt Conficker’s controllers will pull next week. “Nobody has any real idea,” said Weafer. “There’s no indication of what it will do April 1.”

    Weafer characterized the Conficker.c update as one to “armor and harden the existing infections,” and noted that the variant, unlike its predecessors, cannot spread to other PCs. “This variant is very defensive-oriented,” said Weafer, “to make it less visible and more resilient.”

    Like Weafer, Stewart sees Conficker.c as a move by the worm’s maker or makers to consolidate what’s already infected. “The big question is what’s the end game?” he said. “Is it just as big as they want it to get?”

    He also noted Conficker.c’s tilt toward the sophisticated, seconding Weafer’s opinion that the worm’s makers are trying to stump both researchers and antivirus software.

    “This is a very curious thing,” Stewart said. “[The hackers] are more patient and more methodical than most. They’re raising the bar, by a lot, in terms of what we have to do to figure out what it does, to block it, to clean it.

    “It’s not your typical type of e-crime,” he said.

    Conficker, which is also called Downadup by some security companies, first appeared late last year, and originally exploited a Windows vulnerability that Microsoft Corp. patched in an October 2008 emergency update. In early 2009, the next version — Conficker.b — infected millions of PCs in just a few days.

    F-Secure, based in Helsinki, Finland, with 20 years of experience in the Internet security business and recognized as a global leader in the field, says that there is no need for panic:

    Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
    A: No, not really.

    Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
    A: The Conficker aka Downadup worm is going to change its operation a bit, but that’s unlikely to cause anything visible on April 1st.

    Q: So, what will it do on April 1st?
    A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.

    Q: The latest version? There are different versions out there?
    A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With the B variant, nothing happens on April 1st.

    Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
    A: No.

    Q: I’m running a Mac, is something going to happen to me?
    A: No.

    Q: So… this means that the attackers could use this download channel to run any program on all the machines?
    A: On all the machines that are infected with the latest version of the worm, yes.

    Q: But what’s this peer-to-peer functionality I’ve heard about?
    A: The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.

    Q: But doesn’t that mean that if the bad guys wanted to run something on those machines, they don’t need to wait for April 1st?
    A: Yes! Which is another reason why it’s unlikely anything major will happen on April 1st.

    Q: Is there going to be media hype?
    A: Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

    Q: But in those cases nothing much happened even though everybody expected something to happen!
    A: Exactly.

    Q: So, should I keep my PC shut down on April 1st?
    A: No. You should make sure it’s clean before April 1st.

    Q: Can I change the date on my machine to protect me?
    A: No. While the worm uses the local system time for certain parts of its update functionality it doesn’t exclusively rely on that.

    Q: I’m confused. How can you know beforehand that there will be a global virus attack on April 1st? There must be a conspiracy here!
    A: Yes, you’re confused. There is not going to be a “global virus attack”. The machines that are already infected might do something new on April 1st. We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do.

    Q: Would the downloaded program execute with admin privileges?
    A: Yes, with local admin rights. Which is pretty bad.

    Q: And they could download that program not just on April 1st but also on any day after that?
    A: Correct. So there’s no reason why they wouldn’t do it on, say, April 5th instead of April 1st.

    Q: Ok, they could run any program. To do what?
    A: We don’t know what they are planning to do, if anything. Of course, they could steal your data, send spam, do DDoS, et cetera. But we don’t know.

    Q: They? Who are they? Who’s behind this worm?
    A: We don’t know that either. But they seem to be pretty professional in what they do.

    Q: Professional? Is it true that Conficker is using the MD6 hash algorithm?
    A: Yes. This was probably one of the first real-world cases where this new algorithm was used.

    Q: Why can’t you just infect a PC, set the clock to April 1st and see what happens?
    A: That’s not the way it works. The worm connects to certain websites to get the time-of-day.

    Q: Oh yeah? Then shut down the websites where it gets the time-of-day and the problem will go away!
    A: Can’t. These are websites like google.com, yahoo.com and facebook.com.

    Q: But surely you could spoof google.com in the lab to get a honeypot machine to connect to a download site today!
    A: Sure. And the download sites do not have anything to download, today. They might, on April 1st. Or they might not.

    Q: Now I’m worried. How do I know if I’m infected?
    A: Try to surf to www.f-secure.com. If you can’t reach our website you might be infected, as Downadup/Conficker blocks access to security vendors’ websites. Don’t tell anybody, but users who can’t access f-secure.com because of this can surf to www.fsecure.com instead.

    Q: Where does the name “Conficker” come from?
    A: Conficker is an anagram of sorts from trafficconverter – a website to which the first variant was connecting.

    Q: Why does the worm have two names – Downadup and Conficker?
    A: It was found at about the same time by multiple security companies and therefore got multiple names. Today most companies use the name Conficker. There’s further confusion about the variant letters among vendors. We’re all sorry for that.

    Q: How many computers are currently infected by Downadup/Conficker?
    A: About 1-2 million. How many of those are infected with the latest version? We don’t have an exact count.

    Q: How is the industry reacting to all this?
    A: We reacted by setting up the Conficker Working Group. Members include security vendors (including us), registrars, research units and so on.

    Q: I want more technical details on the worm.
    A: Sure. Here’s our description, and here’s SRI’s excellent writeup.

    Q: When was the first variant of Downadup/Conficker discovered?
    A: It was found on November 20, 2008.

    Q: More than four months ago? I want a time line on what happened when.
    A: Byron Acohido has one.

    Q: Is this all just an April Fools joke?
    A: No, it’s not. And although we don’t think anything will happen on this particular date, Conficker is nothing to laugh about. The gang behind this is serious and we should not underestimate them. The fact that we don’t know for real what they are really after just makes it all a bigger mystery.
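    The Q&A above describes one behaviour a network defender can actually look for: an infected machine polls hundreds of generated domain names every day (250, rising to 500 out of 50,000), almost all of which do not exist. The following is an added example, not code from the original post or from F-Secure or ComputerWorld; it applies that idea as a simple heuristic over constructed DNS resolver log lines. The log format, the client addresses and the threshold are assumptions made for this example, and it does not reproduce the worm's own domain algorithm.

```python
# Added example: flag hosts that resolve an unusual number of distinct
# non-existent domains in one day, the traffic pattern described in the Q&A.
# Log format, addresses and threshold are assumptions for this example.
from collections import defaultdict

def build_sample_log():
    """Constructed resolver log: '<date> <client-ip> <queried-name> <rcode>'."""
    lines = []
    # A normal workstation: a handful of real names, all resolving.
    for name in ("www.google.com", "mail.yahoo.com", "www.f-secure.com"):
        lines.append(f"2009-04-01 10.0.0.5 {name} NOERROR")
    # A host behaving like Conficker.c: hundreds of distinct, unregistered names.
    for i in range(500):
        lines.append(f"2009-04-01 10.0.0.7 q{i:05d}.example NXDOMAIN")
    # The same host repeats one name many times; repeats must not inflate the count.
    lines += ["2009-04-01 10.0.0.7 q00001.example NXDOMAIN"] * 50
    return lines

def parse_line(line):
    """Split one log line into (date, client, name, rcode); names are lower-cased."""
    date, client, name, rcode = line.split()
    return date, client, name.lower(), rcode

def distinct_nxdomain_names(lines):
    """Map (date, client) -> set of distinct names that returned NXDOMAIN."""
    seen = defaultdict(set)
    for line in lines:
        date, client, name, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            seen[(date, client)].add(name)
    return seen

def flag_hosts(lines, threshold=100):
    """Return sorted (date, client, count) for hosts at or above the per-day
    threshold of distinct NXDOMAIN names. The threshold is an assumption; the
    post quotes 250 to 500 polled domains per day for an infected machine."""
    hits = []
    for (date, client), names in distinct_nxdomain_names(lines).items():
        if len(names) >= threshold:
            hits.append((date, client, len(names)))
    return sorted(hits)

if __name__ == "__main__":
    for date, client, count in flag_hosts(build_sample_log()):
        print(f"{date} {client}: {count} distinct NXDOMAIN names")
```

Only the host with hundreds of distinct failed lookups is reported; the ordinary workstation never appears because its queries all resolve.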

    So, what can you do to protect yourself, just in case?  Here’s what I recommend:

    • Download and run F-Secure’s Easy Clean tool, which is an easy-to-use and quick tool to remove the most common viruses, worms and other malware currently in the wild.  When run, it will do a quick check for rootkit symptoms on the system and proceed with scanning and removing infections.
    • Make sure your anti-virus software is up-to-date, and do a complete scan of your system before March 31.  If you don’t have anti-virus software (shame on you!), you need to get some, immediately.  You don’t need to spend a bunch of money on a commercial product.  I recommend either avast! Home Edition or AVG Anti-Virus Free Edition 8.5, both of which are free for home and non-commercial use.