Friday, April 10, 2009

Conficker Alive and Well: and Quietly Active - or a Vast Conspiracy?

"More 'scareware' - no kidding, right?"
ZDNet Education, Christopher Dawson blog, ZDNet (April 9, 2009)

"It's a good thing we have Microsoft around to tell us that there is more scareware floating about the web. I published a post on AV360 early in March, but this is hardly the only incarnation of so-called 'rogue security software.'

"The idea behind scareware is to scare users into registering software (and usually paying for it) to protect themselves from malware infections...."

"...Conficker worm has made people hypersensitive to the idea of malware on their computers and more than happy to believe it when apparent security software tells them they’re infected...."

I suppose Conficker could be part of a vast Microsoft conspiracy to wrest millions from the bleeding hands of innocent computer users. But I've read too many conspiracy theories over the decades to take any of them very seriously.

Not that there isn't a little marketing involved.

But when Conficker made the news, I checked my computer, using information from the Microsoft website and elsewhere. My device was clean.

Later, I found that I did have a malware issue - zlob. I'm still dealing with fallout from that, but I'm quite convinced that zlob really is there. Partly because my browser and the Twitter website were (apparently) in a conspiracy to send me to a malware farm in the Netherlands.

Reality Check - Malware Isn't Everywhere, But it Does Exist

And Conficker appears to be a busy little bit of malware. Here are articles from sources that, for true believers, are either dupes or stooges in the vast Microsoft conspiracy.

"Stealthy New Conficker Variant Will Turn Itself Off" (April 9, 2009)

"According to a blog post from Trend Micro advanced threats researcher Ivan Macalintal, the Conficker worm began updating itself Tuesday night, downloading a 119 Kbyte update into the 'temp' folder of an infected PC. The security vendor also noted a possible link to Waledac.A, another worm which allows remote communication and data stealing.

"Conficker has also actively begun communicating via its peer-to-peer network. On Trend Micro's machine, the worm connected to an IP hosted in Korea, downloading the additional file, which Trend Micro chose to identify as a new variant, WORM_DOWNAD.E., for the worm's alternate name, Downadup...."

The article has links to blog posts and articles it cites, which makes it a trifle more useful than some.

Here's an interesting paragraph, from several points of view:

"...Conficker has conservatively spread to about 3 million PCs, according to the Conficker Working Group, an industry consortium dedicated to preventing the spread of the worm. Infected networks have included the U.K. House of Commons, among others. In all, however, an estimate by the OpenDNS service put the infection rate highest in Vietnam and Brazil, with less than five percent of U.S. machines affected...."

A 'gullible dupe' like me¹ might think that Conficker was a real issue - and that the U.K. House of Commons, Vietnam and Brazil are not as active as American users (in general) are.

Or, I could let my imagination get a running start and then leap to the conclusion that Conficker is a vast secret conspiracy by the CIA, the FBI, and the lizard people, to gain control of the world's computers and enslave an unsuspecting populace with subliminal messages!!!

Conficker is Scary, in a Way

I'm no conspiracy theorist - not a serious one, anyway. I do enjoy putting together conspiracy theories to explain current events. Preferably involving Elvis, space aliens, JFK, and sometimes Marilyn Monroe.

About Conficker, though: I'm a tad serious.

The April 1, 2009, go-date - and the utter lack of trouble then - might indicate that Conficker is a comparatively harmless prank by someone with a sophomoric sense of humor. That could be true, although it doesn't account for Conficker's current activity.

If I Were a Malware Coder

If I were designing a particularly nasty bit of malware, I might realize that it would most likely be discovered before it spread far enough for maximum effect, and:
  • Create a 'scout package' with no malicious code
    • An action date that was some widely-known and innocuous date, like
      • St Patrick's Day
      • April Fools' Day
  • Have the 'scout package' download instructions on or - better - after the action date
    • Forming a sort of network of infected machines
  • Observe media and user reactions
  • Wait until any excitement had waned
  • Send a signal through the malware's network to pick up malicious code

Depending on what I wanted, the malicious code could be anything from sending birthday greetings to the American president, to having a crack at shutting down the North American power grid - or the Internet.

Conficker could be simply a practical joke. Or, it might not be.

"Malicious Software Is Revised"
The New York Times (April 9, 2009)

"The riddle of a malicious software program that has spread throughout the Internet deepened Thursday as security researchers examined a new version of the software that they said made it more difficult to eradicate the program.

"The program, known as Conficker, targets versions of Microsoft's Windows operating system and has now been distributed in four versions, computer security specialists said...."

Assuming that The New York Times (a) knows what it's writing about and (b) isn't in on some conspiracy, this indicates that we may not have heard the last of Conficker - and that there may be a real problem with the malware.

"Conficker Worm Arms Itself To Steal And Spam"
Information Week (April 9, 2009)

"The new variant, designated Conficker.E, is arriving through the worm's P2P connectivity."

"The Conficker/Downadup worm is on the move again. After a relatively uneventful April 1, on which the worm began widening the number of Web sites that it scanned for instructions, a new Conficker variant has emerged and appears to be preparing to spam and steal information.

"Symantec (NSDQ: SYMC) said the new Conficker/Downadup variant .E is designed to update version .C rather than the first-generation .A variant...."

"'In actuality, the primary objective is to update .C with the new features discussed during the briefing and drop Waledac binary onto the .C infected machines,' a company spokesperson said in an e-mail.

"Not every security company agrees the malicious code being detected belongs to Conficker. Bkis, a security research firm based in Vietnam, said Thursday that the malware Trend Micro identified is associated with the Waledac worm...."

This article is slightly more technical - and detailed - than some. It could be worth reading.

"Conficker Worm Continues to Baffle the Experts"
Business Week (April 9, 2009)

"The Conficker worm, which did not bring the Internet to its knees or do much of anything else on April 1, continues to evolve in ways that have security experts scratching their heads about what may be the ultimate goals of the unknown bad guys behind the malware.

"On April 9, both Symantec and Trend Micro issued updates noting new activity. Symantec (no link available) said that the latest modifications to the worm, which it calls W32.Downadup, include instructions to disable itself on May 3. It also says infected machines are contacting high profile Web sites, but all they are doing is checking the current date and neither uploading nor downloading any data. Symantec researchers say they have discovered a possible link to the spam-spewing bot computers controlled by the W32.Waledac worm.

"Trend Micro issued a somewhat more alarmist report, saying it has found indications 'that cybercriminals behind the notorious Conficker worm may finally be gearing up for more serious attacks.' But the only support Trend Micro gave for the claim was the observation of some increased peer-to-peer communications between infected machines and a system 'believed to be hosted in Korea.'..."

There is a link to Trend Micro in this article - and Business Week gives detail that didn't make it into some other Conficker coverage.

"Conficker Raises Questions on the Future of Cyber-Security"
Government Technology (April 9, 2009)

"Over the past week or so, the Conficker worm has raised more than a few security questions. When will it appear? What will it do? How do you protect against it?

"A new breed of virus, Conficker seemingly has the ability to infect computers by simply inhabiting a Web site or turning up in an e-mail inbox. Users were instructed to install an emergency patch released by Microsoft which would prevent the virus from exploiting the buffer overflow vulnerability.

"But this new worm has brought the issue of how we deal with security to the forefront. Must we always have to come up with patches, fixes and other forms of reactive security...."

This article does bring up an interesting point: "...Must we always have to come up with patches, fixes and other forms of reactive security...."?

Conficker and its Cousins are Here: And Real

I'm no fan of panicky over-reaction to anything, including malware. But I don't think it's a good idea to imagine that news of malware issues is part of a devious marketing strategy, either.

Conficker and its near relations seem to be a real cybersecurity issue: and one that bears calm but steady watching.

Related posts:

News and views:

Microsoft's Solution to the Conficker Worm

"Protect yourself from the Conficker computer worm"
Microsoft (April 8, 2009)

"The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.

"If you are an IT professional, please visit Conficker Worm: Help Protect Windows from Conficker.

"On This Page
"Is my computer infected with the Conficker worm?..."

Of course, if you're convinced that Conficker is a Microsoft plot, you shouldn't follow that link.

¹ I was born in the Truman administration, and spent my teens in the sixties. My vocabulary has vestiges of the commie conspiracies/flower children era.
