Conficker Worm #3: Prepare for April 1

Chicago (IL) – The third variant of the Conficker is expected to be spreading beginning on April 1. According to security software companies, the worm will send hundreds or thousands of update requests to its 50,000 domains. The result will be forced downloads of malicious code and potentially an increased rise in spam mail. It may be a good idea getting your security software up to date now.

Conficker, like many other worms, is a blended threat which relies on many different attack methods ranging from password-guessing and brute force techniques to infection through flash drives in effort to replicate and then spread over a network.

The most recent versions of the code were responsible for the infection of many networks through peer-to-peer communication. The worm had protective measures which enabled it to duck detection and removal through the disabling of Windows Automatic Updates and Windows Security Center. The virus also blocked access to the web sites of many security vendors rendering many anti-virus programs ineffective. Domains that were targeted by the worm included Southwest Airlines. The company was expected to notice a rise in traffic due to the botnet on March 13, but a spokesman for the company said the worm had no impact on the firm’s website.

The higher level of sophistication established in the new cersion C of the worm stems from the previous versions A and B which propelled malware internationally and infected nearly 12 million computers that were then interconnected in a malicious botnet. The worm has always been capable of patching its own vulnerability on infiltrated machines.

According to security software company CA, Conficker.C is a substantial improvement over the first two versions of the worm and is much more sophisticated in the way it plants itself on user computers. The firm said that this latest version has lost some of its spreading functionality, but may not trigger a reaction from security software as it terminates tools used to monitor and remove Conficker from affected systems. For example, it can terminate Process Explorer.  

The payload does not cause immediate damage to files, but the worm is set for future action when called upon. It modifies and lowers Windows security settings, deletes system restore points, disables certain services such as Windows Defender and Error Reporting Service, terminates 23 security-related services, blocks access to 71 websites of security software developers and is prepared to download arbitrary files from a range of websites.

Pieces of the Conficker code and methodologies utilized are much like those which have been used in botnet worms of the past which have been determined to have been created by the Russian Business Network and others in the Ukraine. This possible origin is only speculation as it has not been determined who is involved in the creation of the code. It is believed that the individuals who developed Conficker are trying to use the botnet in attempt to make a profit through the distribution of malware or spam.

In an attempt to fight the Conficker worm, Microsoft has teamed up with all of the major security companies and domain registrars and registries forming the Conficker Coalition Working Group. The companies collaborating are teaming up on research and investigation in an attempt to figure out who started the worm, and what needs to be done to stop it. Conficker has caused a significant amount of damage and Microsoft recently offered a $250,000 reward for any information which leads to an arrest in the Conficker case.