Lately it seems everybody is talking about Conficker and its
variants. And not surprisingly, given the concern about the worm’s reactivation
due on April 1. It’s been a while since there was so much malware coverage in
the general media, and it’s not that I mind, as it contributes to general
awareness and makes users more cautious. But it is also being given more
importance than it is due. Let's have a look at some of the questions that
everyone is asking.
Regarding the date: Will Conficker activate on April 1? No. It's not a question of activation.

But it will do something that day, won't it? Yes. Conficker is a malicious program that creates random URLs every day, and computers infected with it check these URLs to see if there are any new versions of the code available to download. It does so 250 times a day.

What will happen, then, on April 1? Well, on this day the latest variant will create 50,000 new URLs, although we don't know if any of these will host an update of Conficker. The creator may even use the URLs to host other malware.

By the way, remember that Conficker checks the date on the Internet, so there's no point in changing the date on your computer.
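As an added example (not part of the original post, and not Panda's own tooling): a resolver-side heuristic for spotting the daily URL-check behaviour described above. It assumes a simple four-field DNS log format and runs over constructed sample lines; a host that resolves many distinct never-registered names in one day, mostly getting NXDOMAIN back, is flagged.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic), assumed format:
# "<timestamp> <client-ip> <queried-name> <rcode>". 10.0.0.5 is a normal host;
# 10.0.0.9 churns through unregistered names as the daily URL check would look.
SAMPLE_DNS_LOG = """\
2009-03-31T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-31T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-31T10:00:03 10.0.0.9 qzkvbwxt.org NXDOMAIN
2009-03-31T10:00:04 10.0.0.9 ptmcyrkolw.net NXDOMAIN
2009-03-31T10:00:05 10.0.0.9 xwvnbqhzu.com NXDOMAIN
2009-03-31T10:00:06 10.0.0.9 jkrtewumvd.biz NXDOMAIN
2009-03-31T10:00:07 10.0.0.9 ylowfqazbt.info NXDOMAIN
2009-03-31T10:00:08 10.0.0.9 www.example.com NOERROR
2009-03-31T10:00:09 10.0.0.5 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def registered_domain(name):
    """Collapse a hostname to its last two labels (rough registered-domain key)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def summarize_clients(log_text):
    """Per (client, day): total queries, NXDOMAIN queries, distinct NXDOMAIN domains."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "nx_domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, client, name, rcode = m.groups()
        s = stats[(client, ts[:10])]  # ts[:10] is the YYYY-MM-DD part
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_domains"].add(registered_domain(name))
    return stats

def flag_dga_clients(log_text, min_distinct=100, min_nx_ratio=0.8):
    """Return (client, day, distinct_nx_domains, nx_ratio) for hosts whose NXDOMAIN
    churn looks like daily domain generation; lower min_distinct for short captures."""
    hits = []
    for (client, day), s in summarize_clients(log_text).items():
        distinct, ratio = len(s["nx_domains"]), s["nx"] / s["queries"]
        if distinct >= min_distinct and ratio >= min_nx_ratio:
            hits.append((client, day, distinct, round(ratio, 2)))
    return sorted(hits)
```

The default threshold leans on the roughly 250 daily checks the post describes; on a real resolver, sustained NXDOMAIN churn from one client is the signal to investigate, not any individual odd-looking name.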
If any URL contains an update of the worm, what action will the new variant take? It is difficult to know. So far, no security solution vendor has been able to predict what will occur. In any event, although this malicious code may be reminiscent of widespread epidemics in the past, given that the creator would appear to be looking for notoriety, I doubt very much that it all ends there. There is another objective, although we still don't know what that is. If we think about the different business models that are currently driving malware, it is obvious that the creator (or creators) will be looking to make money in one way or another. But how? It may be by harnessing a network of infected computers to send spam; by installing rogue anti-malware to trick users into buying a fake antivirus; by downloading password-stealer Trojans… There is much speculation, but nothing is certain. Anyway, the last thing we want to do is give ideas to the creator of Conficker.
Another question asked is whether it is really more dangerous than other types of malware. The answer is no, it's not more dangerous, though its update functionality leaves an open door for new attacks which could be more dangerous. Its success lies in having exploited a recent Microsoft vulnerability to distribute itself, and that's why it has reached so many computers. In this way, its creator has been smart and has exploited the model of classic viruses. Another sharp move by the creator has been to use different infection methods, particularly USB drives, MP3 players, etc. Each new version has also become harder to detect, thanks to code obfuscation. Although it's not quite a polymorphic virus, it is along those lines.
Yet what really stands out about Conficker is the way it uses USB devices to spread. This is an attempt to maximize the number of infected users. And let's not forget the way in which infected systems communicate with each other through P2P technology, updating the malicious code without having to download a new version from a URL. Once again we see a common technology being exploited by cyber-crooks.
Nevertheless, the number of infections in recent weeks has diminished considerably. Copies of the worm are probably still infecting computers, but not at the levels we were witnessing in previous months. In this situation, the creators have several options:

a) Create another variant which exploits another zero-day vulnerability to keep the Conficker era alive.

b) Maintain the three variants which are currently propagating, monitoring how much money they are making day by day, until they die off.

c) Get bored and do something else…

Our money is on option a). Not necessarily for April, but soon. We don't believe that the creators would've taken so much trouble to then let it all go without making any money. They won't give up so easily.
So, don't panic. What should users do on April 1? If your computer is protected by a good and updated antivirus, do nothing. If you don't have one, we advise you to install one (you don't have to wait until April 1…), and you can use Panda ActiveScan (www.pandasecurity.com) to be sure you are not infected. We also recommend you install the free tool we have created to avoid infection through USB drives (http://www.pandasecurity.com/spain/...ads/usbvaccine/).