Security researchers are in the dark about what will happen on April 1, when the newest variant of Conficker, 2009’s biggest worm by a mile, begins trying to contact its controllers.
“It’s impossible to know until we see something that has a clear profit motive,” said Joe Stewart, director of malware research at SecureWorks Inc. and a noted botnet researcher.
PCs infected with Conficker.c, the third version of the wormthat first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware.
The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.
That tactic is just one of several designed to make it tough for security researchers to figure out what Conficker’s all about, and more importantly, what it might do.
“We had to trick it into thinking it’s not only getting back the right page, but that it’s getting the April 1 date,” said Stewart, talking about the machines SecureWorks purposefully infected with Conficker.c.
“So far, we haven’t seen any evidence [on those machines] of what it will do April 1,” added Stewart, although that’s to be expected. “It’s not April 1 yet, so they’re not going to put something online, where it might be found.
In fact, it’s almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network.”
Symantec Corp.’s Vincent Weafer, vice president of the company’s security response group, agreed with Stewart that it’s impossible to know ahead of time what stunt Conficker’s controllers will pull next week.
“Nobody has any real idea,” said Weafer. “There’s no indication of what it will do April 1.”
Weafer characterized the Conficker.c update as one to “armor and harden the existing infections,” and noted that the variant, unlike its predecessors, cannot spread to other PCs. “This variant is very defensive-oriented,” said Weafer, “to make it less visible and more resilient.”
Like Weafer, Stewart sees Conficker.c as a move by the worm’s maker or makers to consolidate what’s already infected. “The big question is what’s the end game?” he said. “Is it just as big as they want it to get?”
He also noted Conficker.c’s tilt toward the sophisticated, seconding Weafer’s opinion that the worm’s makers are trying to stump both researchers and antivirus software.
“This is a very curious thing,” Stewart said. “[The hackers] are more patient and more methodical than most. They’re raising the bar, by a lot, in terms of what we have to do to figure out what it does, to block it, to clean it.
“It’s not your typical type of e-crime,” he said.
Conficker, which is also called Downadup by some security companies, first appeared late last year, and originally exploited a Windows vulnerability that Microsoft Corp. patched in an October 2008 emergency update.
In early 2009, the next version — Conficker.b — infected millions of PCs in just a few days.
In January, according to Panda security, the worm infected at least one out of every 16 PCs worldwide, and it may have managed to compromise as many as nearly one in three.
Nearly 6 per cent of the Windows systems scanned with Panda’s antivirus technology were found to be infected with Conficker.
Panda was one of the first security firms to sound an alarm over Conficker, when it raised its security threat level on Jan. 12 as reports of attacks mounted.
Back in January – using data from antivirus scans performed by its consumer-grade security software and by a free online scanning tool that it makes available on its Web site – Panda found 111,379 PCs infected with the worm out of a pool of 2 million machines.
Even that estimate was probably very conservative as it was just a snapshot, noted Ryan Sherstobitoff, chief corporate evangelist at Panda Security in January.
He said the bulk of the infected computers were scanned when their owners took the time to steer their browsers to the company’s online scanner.
“The 6 per cent was of people coming to our site and opting in for the scans. That’s somewhat scary,” said Sherstobitoff.
“If we were actually to look at the [general] population, all the people who don’t have antivirus — or if they do, who haven’t updated definitions — the infection rate might be in the range of 20 per cent to 30 per cent.”
While there has been some disagreement among security researchers about Conficker’s infection volume, there has been little argument about the relative size of the worm attack.
Nearly every researcher has pegged it as the biggest in years.
“This is the biggest in at least six years,” said Sherstobitoff.
Another Panda executive reitereated this.
“[This is] a phenomenon we haven’t seen since the times of the great epidemics of Kournikova or Blaster,” said Luis Corrons, technical director of Panda’s research lab (referring to major worm attacks of 2001 and 2003, respectively).
And things will get worse before they get better, both Corrons and Sherstobitoff predicted.
“This is an epidemic, and the worst may still be to come, as the worm could begin to download more malware onto computers or to spread through other channels,” Corrons said.