By Luis Corrons, head of PandaLabs
Lately it seems everybody is talking about Conficker and its variants, and even more so given the fear building up around the coming date of April 1st. It’s been a while since we saw so much coverage in the general media, and I don’t want to tell you to disregard it, because it does contribute to general awareness and makes users more conscious of the threats they face. But I also want to say that perhaps it does more harm than good.
Let’s go back over the issues that are flying around the world. Regarding the damn date: will Conficker be activated on the first of April? No. But it will do something that day, won’t it? Yes. Conficker is a malware variant that creates random URLs every day. The PCs infected with it check whether a new version is available to download, and they do so 250 times a day. So what will happen on the first of April?
The latest variant creates 50,000 new URLs. And although we can’t know whether any of them will host an update of the malware, its author could quite easily host a new version there, or even some other type of malware. If any URL contains an update of the worm, what actions will the new variant carry out? We don’t know — no one, in fact, has been able to figure out the final aim of Conficker. What we remember from previous infections is that the motive of their authors was to become famous, but we doubt very much that it all ends there. If we think about the different business models that currently lie behind malware (mentioned in the PandaLabs blog many times before), it is obvious that its author – or authors – will be looking to make money in some way. But how? One possibility is that it could harness the network of infected PCs to send spam, or install on them some type of rogue antimalware that warns users that their computer is infected and entices them to buy a fake antivirus, or push them into downloading password-stealing Trojans.
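A defender-side illustration of the polling behaviour described above, added here and not part of the PandaLabs post: a small Python detector that reads constructed DNS resolver log lines and flags hosts that fail lookups for many random-looking names, which is how daily polling of generated URLs shows up at the resolver. The log format, the sample hosts and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (timestamp client qname rcode), not real traffic.
# 10.0.0.5 browses normally; 10.0.0.7 sends a burst of lookups for random-looking names
# that do not exist (NXDOMAIN): what polling hundreds of generated URLs a day looks like.
SAMPLE_LOG = """\
2009-03-30T08:00:01 10.0.0.5 www.pandasecurity.com NOERROR
2009-03-30T08:00:02 10.0.0.5 mail.example.org NOERROR
2009-03-30T08:00:03 10.0.0.5 update.example.net NOERROR
2009-03-30T08:00:04 10.0.0.7 qvzjkrlpw.biz NXDOMAIN
2009-03-30T08:00:05 10.0.0.7 xmgtbqyuoa.info NXDOMAIN
2009-03-30T08:00:06 10.0.0.7 hzdkwpnlcyv.org NXDOMAIN
2009-03-30T08:00:07 10.0.0.7 www.pandasecurity.com NOERROR
2009-03-30T08:00:08 10.0.0.7 rjbulfgxsc.cc NXDOMAIN
2009-03-30T08:00:09 10.0.0.7 tvnqmzkdyw.ws NXDOMAIN
2009-03-30T08:00:10 10.0.0.7 fyplxhjebm.biz NXDOMAIN
"""

def label_entropy(qname):
    """Shannon entropy in bits/char of the registrable label ('qvzjkrlpw' of 'qvzjkrlpw.biz')."""
    parts = qname.split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def summarize(log_text):
    """Per client: total queries, distinct NXDOMAIN names, mean entropy of those names."""
    totals, failed = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    return {c: {"total": totals[c], "distinct_nxdomain": len(failed[c]),
                "mean_entropy": (sum(map(label_entropy, failed[c])) / len(failed[c])
                                 if failed[c] else 0.0)} for c in totals}

def flag_dga_candidates(log_text, min_nx=5, min_ratio=0.5, min_entropy=3.0):
    """Clients meeting every threshold. The thresholds are assumed values sized for
    this tiny sample; a real infection polls hundreds of names a day, so production
    thresholds (and a per-day window) would be far higher."""
    return sorted(c for c, s in summarize(log_text).items()
                  if s["distinct_nxdomain"] >= min_nx
                  and s["distinct_nxdomain"] / s["total"] >= min_ratio
                  and s["mean_entropy"] >= min_entropy)

if __name__ == "__main__":
    print(flag_dga_candidates(SAMPLE_LOG))  # ['10.0.0.7']
```

Entropy alone is a weak signal (many legitimate brand names score high), so the check only counts names that actually failed to resolve; a compromised host whose generated names all happened to be registered would need the update-download traffic itself to be inspected.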
Another question posed is whether Conficker really is more dangerous than other types of malware. The answer is no, it’s not more dangerous, although its update functionality does leave a door open to new attacks that could be. Its success lies in having exploited a recent Microsoft vulnerability to distribute itself, and that’s why it has reached so many PCs. In this way, its author has been smart and has adopted the model of classic viruses. The author has also rather cleverly used several different means of infection — such as USB keys and MP3 players. From version to version, Conficker has made its detection increasingly difficult by obfuscating its code. Although it’s not strictly speaking a polymorphic virus, it is heading in that direction.
Spreading the virus through USB devices illustrates Conficker’s attempt to reach the maximum number of PCs. Despite this, the infection rate in recent weeks has dropped significantly. There are probably still variants infecting PCs, but not at the levels we were seeing in previous months. In this situation, the author could take various actions:
a) Create a new variant which exploits another zero-day vulnerability.
b) Keep alive the three variants that are currently spreading, monitoring how much money they are making day by day, to the end.
c) Get bored and do something else…
We bet on option “a”. Not necessarily for the first of April, but definitely on its way. It would be a pity for the author to go to so much trouble without getting anything out of it. It’s because of this that we think Conficker won’t be going away so easily.
Above all, don’t get taken in by the panic. What should users do on the first? If your PCs are protected by a good and updated antivirus, nothing. If you don’t have one, we recommend you install one; you can also use Panda ActiveScan to be sure you are not infected. And we suggest you install the free tool we have created to avoid infection through USB drives.