Conficker worm believed to have originated from China

Chicago (IL) – The Conficker worm has been widely discussed in recent weeks, and Microsoft's $250,000 bounty has put many on the hunt for the worm's origin. Microsoft offered the reward to anyone who can provide information leading to an arrest in the Conficker case.

On Monday, BKIS, a Vietnamese security firm that makes the BKAV antivirus software, announced that it had uncovered clues suggesting the worm originated in China. Previously, the worm was believed to have originated in Europe or Russia, because it skips certain IP address ranges that trace back to Russia.

After further analysis of the worm's coding style, however, the firm found that Conficker's code closely resembles that of the Nimda worm, which spread widely through e-mail and the Web in 2001. At that time BKIS concluded that Nimda had its roots in China, though that conclusion was never verified.

Even if this news gives authorities a starting point, it does little to bring them closer to Conficker's author; it may, however, help narrow down where to block the worm's return.

Conficker, like many other worms, is a blended threat that uses several attack methods, from guessing weak passwords on network shares to infecting removable flash drives, in order to replicate and then spread across a network.
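The password-guessing route leaves a distinctive trace: one source address producing a burst of failed network logons against many accounts on the same target. The following detector over logon-failure records is an added example, not code from the article or from any vendor's tooling; the record layout (timestamp, event id, source IP, target host, target account, logon type) and the sample records are constructed for illustration, and a real deployment would read the same fields from event 4625 in the Windows Security log.

```python
"""Spot Conficker-style password guessing against network shares in Windows
logon-failure records.

Added example, not code from the article or from any vendor's tooling. The
record layout used here (timestamp, event id, source IP, target host, target
account, logon type) is an assumption for illustration; a real deployment
would take these fields from event 4625 in the Security log.
"""
from collections import defaultdict
from datetime import datetime

# Account names the constructed attacker cycles through. Constructed for the
# example; not the worm's actual list.
GUESSED_ACCOUNTS = ["Administrator", "admin", "guest", "test", "user", "backup",
                    "server", "owner", "sql", "support", "temp", "web"]


def constructed_log():
    """Build a small labelled sample log (constructed data, not a capture)."""
    lines = []
    # 10.0.0.7 fails a network logon (type 3) against FILESRV1 once a second
    # for twelve different accounts: the share-level guessing the worm does.
    for sec, acct in enumerate(GUESSED_ACCOUNTS):
        lines.append(f"2009-03-30T10:00:{sec:02d} 4625 10.0.0.7 FILESRV1 {acct} 3")
    # 10.0.0.20 is a person mistyping their own password three times.
    for sec in (5, 50, 110):
        lines.append(f"2009-03-30T10:{sec // 60:02d}:{sec % 60:02d} 4625 10.0.0.20 FILESRV1 jsmith 3")
    # A successful logon and a console (type 2) failure, which the detector ignores.
    lines.append("2009-03-30T10:02:00 4624 10.0.0.20 FILESRV1 jsmith 3")
    lines.append("2009-03-30T10:02:30 4625 10.0.0.31 WKS31 jdoe 2")
    return "\n".join(lines)


def parse_log(text):
    """Parse the whitespace-separated constructed format into dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, target, account, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "src": src,
            "target": target,
            "account": account,
            "logon_type": int(logon_type),
        })
    return events


def find_guessers(events, window_seconds=60, min_failures=10, min_accounts=5):
    """Return {source_ip: (failures, distinct_accounts)} for every source that
    produces at least min_failures network-logon failures against at least
    min_accounts distinct accounts inside some window_seconds window. The
    tuple reported is the largest qualifying window for that source."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:  # failed network logon
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            accounts = {e["account"] for e in window}
            if len(window) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(window) > best[0]:
                    best = (len(window), len(accounts))
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, (failures, accounts) in find_guessers(parse_log(constructed_log())).items():
        print(f"{src}: {failures} failures across {accounts} accounts in one window")
```

The thresholds are deliberately conservative: a single user who mistypes a password a few times never reaches ten failures across five accounts in a minute, while a worm working through a password list against every account it can enumerate does so within seconds.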

The most recent versions of the code have infected many networks through peer-to-peer communication. The worm protects itself against detection and removal by disabling Windows Automatic Updates and Windows Security Center. It also blocks access to the web sites of many security vendors, which leaves many antivirus programs, even ones with an effective removal routine, unable to fetch what they need to do their job.

The list of domains the worm was due to contact also included one belonging to Southwest Airlines. The company was expected to see a rise in traffic from the botnet on March 13, but a spokesman said the worm had no impact on its website.

The greater sophistication of the new variant, version C, builds on the earlier versions A and B, which spread internationally and infected nearly 12 million computers, linking them into a malicious botnet. Every version of the worm has patched the vulnerability it exploits on the machines it infects, closing the door behind it.

According to security software company CA, Conficker.C is a substantial improvement over the first two versions and is far more sophisticated in how it plants itself on a computer. The firm said the latest version has lost some of its spreading functionality, but it may not trigger a reaction from security software, because it terminates the tools used to monitor and remove it from affected systems; it can, for example, kill Process Explorer, a system monitoring utility.

The payload does no immediate damage to files; the worm instead lies in wait for instructions from a remote machine. It is nonetheless invasive: it lowers Windows security settings, deletes system restore points, disables services such as Windows Defender and the Error Reporting Service, terminates 23 security-related services, blocks access to 71 web sites of security software developers, and stands ready to download arbitrary files from a range of web sites.

The worm updates itself from randomly generated domains. The third variant of Conficker is expected to start contacting these domains on April 1. According to security software companies, the worm will send hundreds or thousands of update requests across its 50,000 candidate domains, resulting in forced downloads of malicious code and potentially a rise in spam e-mail. The worm's operator needs to register only one of those domains to host the update, which makes it nearly impossible for authorities to predict or trace the update source in advance.
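Because the operator registers only one name out of tens of thousands, an infected host looks unusual at the DNS resolver: it asks for a long run of never-repeated, random-looking names, and almost every answer is NXDOMAIN. The detector below, run over a constructed DNS query log, is an added example and not code from the article or from any vendor. The name generator in it is a stand-in that merely produces the same kind of traffic (short random labels under several TLDs), not the worm's actual algorithm, and the log line layout (timestamp, client IP, queried name, response code) is an assumption for illustration.

```python
"""Flag hosts that behave like a domain-generation-algorithm (DGA) client,
as Conficker.C does when it polls its generated update domains.

Added example, not code from the article or from any vendor. The generator
below is a stand-in that produces the same shape of traffic as the worm
(hundreds of short random names, almost none of which resolve); it is NOT
the worm's algorithm. The log line layout (timestamp, client, qname, rcode)
is an assumption for illustration.
"""
import random
from collections import defaultdict

LETTERS = "abcdefghijklmnopqrstuvwxyz"
TLDS = ["com", "net", "org", "info", "biz", "cc"]


def constructed_dns_log(generated=200, resolved_index=137):
    """Constructed sample log, not a capture. One infected host (10.0.0.7)
    queries `generated` unique generated names; only the one the operator
    actually registered (position resolved_index) resolves."""
    rng = random.Random(2009)                # fixed seed: reproducible output
    names, seen = [], set()
    while len(names) < generated:            # keep the generated names unique
        label = "".join(rng.choice(LETTERS) for _ in range(rng.randint(4, 9)))
        name = f"{label}.{rng.choice(TLDS)}"
        if name not in seen:
            seen.add(name)
            names.append(name)
    lines = []
    for i, name in enumerate(names):
        rcode = "NOERROR" if i == resolved_index else "NXDOMAIN"
        lines.append(f"2009-04-01T00:{i // 60:02d}:{i % 60:02d} 10.0.0.7 {name} {rcode}")
    # 10.0.0.20 browses normally: a few real names queried repeatedly, plus one typo.
    hosts = ["www.example.org", "update.example.org", "mail.example.org", "www.example.net"]
    for i in range(20):
        lines.append(f"2009-04-01T00:{i // 60:02d}:{i % 60:02d} 10.0.0.20 {hosts[i % 4]} NOERROR")
    lines.append("2009-04-01T00:00:30 10.0.0.20 www.exmaple.org NXDOMAIN")
    return "\n".join(lines)


def client_stats(text):
    """Per-client query count, NXDOMAIN count and set of distinct names."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set()})
    for line in text.splitlines():
        _ts, client, qname, rcode = line.split()
        s = stats[client]
        s["queries"] += 1
        s["names"].add(qname.lower())
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
    return stats


def find_dga_clients(text, min_queries=100, min_nx_ratio=0.8, min_churn=0.5):
    """Return {client: (queries, nx_ratio, churn)} for clients with a high
    query volume, mostly NXDOMAIN answers, and high churn (distinct names per
    query). A normal host repeats a handful of names that resolve; a DGA
    client walks a long list of unique names that mostly do not exist."""
    flagged = {}
    for client, s in client_stats(text).items():
        nx_ratio = s["nxdomain"] / s["queries"]
        churn = len(s["names"]) / s["queries"]
        if s["queries"] >= min_queries and nx_ratio >= min_nx_ratio and churn >= min_churn:
            flagged[client] = (s["queries"], nx_ratio, churn)
    return flagged


if __name__ == "__main__":
    for client, (q, nx, churn) in find_dga_clients(constructed_dns_log()).items():
        print(f"{client}: {q} queries, {nx:.1%} NXDOMAIN, {churn:.2f} distinct names per query")
```

The single resolving name in the infected host's run is the detail worth noticing: it is the update host the operator registered, so a resolver log that shows which generated name actually answered is also where an incident responder finds the download source.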

To date, Microsoft has been able to contain about 13 percent of those domains, which is not a reassuring number.

An update can only reach computers already infected with one of the Conficker variants, and the machine must be connected to the Internet for it to take place.

Computer users are urged to apply the Microsoft patch for the vulnerability the worm exploits and to update their antivirus and other security software. Windows users should also apply the Microsoft update for the AutoRun feature, released in February, which closes the flash-drive infection route.

If a machine is already infected, Microsoft also provides a Conficker removal tool.