Conficker: The Windows Worm That Won’t Go Away

March 25th 2009 | Posted by swictech

Much has been written about the Conficker worm’s next big day. On April 1, the worm is expected to evolve yet again, when it blasts out requests to 500 of the 50,000 domains it generates daily in search of an update.

Just what that update will do isn’t known; what is known is that Conficker – also known as Downadup – has proven to be an impressive piece of malware as far as such things go. Version C, the latest iteration of the worm, added peer-to-peer communication between infected systems and a new domain generation algorithm.

The worm also got a new set of armor to protect itself that enabled it to kill some DNS lookups and disable AutoUpdate and some antivirus software. Fortunately, there are ways for anyone who gets infected to manually remove the latest version, and there are also removal tools available from Symantec and others to help users clean their systems.

Still, this is a long way from the worm that first slithered out into the open last year targeting a flaw in Microsoft’s Windows Server service.

“From a high-level perspective, the ‘A’ variant gave the impression to be a ‘test run,’” said Pierre-Marc Bureau, a researcher at ESET. “It had code that probably was not meant to be spread globally. For example, it was checking for the presence of a Ukrainian keyboard or Ukrainian IP before infecting a system.”

The first variants of the threat also sought to download and execute a file called “loadav.exe”, leading researchers to think the first goal was to install rogue antivirus, Bureau added. The file, however, was never uploaded to a Web server and thus never downloaded by Conficker.

The second version of the worm spread not only through the Windows flaw but also through network shares by logging into machines that use weak passwords. It also scanned for targets with greater speed than the previous version, and additionally spread through removable media such as USB sticks.

Security vendors responded by updating their defenses, and the mind or minds behind the worm have continued to answer in kind.

“During the last week, 3.88 percent of our users have been attacked by Conficker, either because they accessed an infected device or by a network attack,” Bureau said. “The percentage is very high and shows that a high number of computers are presently infected and that the worm is still spreading.”

Altogether, the variants of the worm are believed to have infected millions of PCs. The situation has prompted several organizations, including Microsoft and AOL, to team up to tame Conficker by disabling domains targeted by the worm. Still, researchers are no closer to guessing the end game of the mind or minds behind it.

“I don’t think that the threat comes from the worm itself, it comes from the people that are in control of the mass of Conficker-infected systems,” said Adriel Desautels, CTO of Netragard. “Those people have an immensely powerful weapon at their disposal, and that weapon threatens all of us.”
