Doing the worm: Tweak in 'Conficker' sparks fears

Send a link to a friend

[April 01, 2009]  SAN FRANCISCO (AP) -- Even if it's not an April Fools' joke, the latest moves by the dreaded Conficker worm are by no means an Internet Armageddon, either. The worm's alarming outbreak entered a new phase Wednesday as clocks around the world ticked into the first day of April, the day it was scheduled to change programming.

But security experts appeared correct in their predictions that the day was likely to come and go without any major disruptions, even though the worm has infected anywhere from 3 million to 12 million PCs running Microsoft Corp.'s Windows operating system.

Computer infections now are all about making money by stealing people's personal information. And Conficker's authors stand to make more money from renting out parts of their huge "botnet" to spammers or identity thieves than by destroying parts of the Internet.

"These guys have been pretty smart until now -- the worm is unfortunately very well done," said Patrik Runald, chief security advisor for F-Secure Corp. "So far they haven't been stupid. So why should they start on April 1?"

But panic over the worm had reached a frenzy.

Lori Lynn Pavlovich, a mother of four from Racine, Wis., unplugged her PC and vowed to stay offline for a week after seeing a local TV news report about the worm.

"I get scared real easy when it comes to stuff like that," she said. Pavlovich, who says she keeps her antivirus software and security patches up to date, got back online 24 hours later after a relative assured her that her system was safe.

In the last six months, the worm has also caused sleepless nights for the technicians who maintain corporate and governmental computer systems. European media reported that the French military grounded some of its fighter planes after the Navy's network was infected over the winter.

Companies were on high alert to any change in Conficker's behavior that could affect their systems. But a lot of the heavy lifting for big corporations has already been done. Most large organizations hurried to fix the vulnerability that Conficker exploits long ago -- Microsoft released a software "patch" for it in October. Many smaller businesses and consumers started worrying about the problem later, making them more vulnerable to infection.

"Consumers are very, very, very aware of this -- more so than I've seen in years," said Alfred Huger, vice president of Symantec Security Response. "Enterprises are certainly aware of this, and they're treating this seriously, but no more so than other threats they're faced with."

Detecting a Conficker infection is actually very easy. One of the telltale signs is if you're able to navigate the Internet freely but can't access Microsoft's site or the sites for the major antivirus software vendors. Conficker's authors included that feature to prevent infected machines from downloading programs that remove the worm.

That makes it harder to get the Conficker removal programs, but not impossible. Security experts recommend that people with infected machines find a friend whose machine isn't infected, and have that person download the removal tool and e-mail it to them.

Many companies that have already protected their networks from Conficker have become concerned again because of the publicity the worm generated in recent weeks as the April 1 change to Conficker's programming approached.

[to top of second column]

Michael La Pilla, manager of the malicious code operations team at VeriSign Inc.'s iDefense division, said some of his company's customers were asking for immediate notification about changes to Conficker's behavior, instead of the hourly updates that many receive.

The bad guys behind Conficker haven't been able to reliably communicate with the computers the worm has infected. That means they haven't been able to program the PCs to send spam, carry out identify-theft scams, or perform any other kind of cybercrime.

That has likely started changing with the dawn of April 1. Now the programming on the latest version of Conficker tells those infected machines to generate 50,000 new Internet addresses each day that they can try and "phone home" for instructions. Previously, they had been looking for commands from just 250 sites each day. The point of the change is to make it harder for the security community to pre-register those addresses and keep them out of the bad guys' hands.

Microsoft has offered a $250,000 bounty for information leading to the arrest and conviction of the people responsible for Conficker.

The hoopla surrounding a very arcane change to Conficker's programming code was reminiscent of the doomsday fears about the Y2K bug, when the dawn of the millennium was thought to threaten computer networks by interpreting the new year as 1900 rather than 2000.

"There are a lot of people who are on standby waiting to see what happens," said George Kurtz, senior vice president of McAfee Inc.'s risk and compliance division. "Ultimately, it could be a big event or Y2009 -- April 1 rolls around and nothing happens. But that doesn't mean it's the end of the story."

___

On the Net:

Microsoft page on Conficker:
http://tinyurl.com/bzkwy2

[Associated Press; By JORDAN ROBERTSON]

< Top Stories index

Back to top