Lately it seems everybody is talking about Conficker and its variants, and even more so given the fear building up around the coming April 1st. It has been a while since we saw so much coverage in the general media, and I don't want to tell you to disregard it, because it does contribute to general awareness and makes users more careful. But I also want to say that perhaps it does more harm than good. Let's go back over the issues that are flying around the world.
Regarding the dreaded date: will Conficker be activated on April 1st? No. But it will do something that day, won't it? Yes. Conficker is malware that generates a fresh list of pseudo-random domain names every day, and the infected PCs contact those domains to check whether a new version is available for download. The earlier variants generate 250 domains a day; the latest variant generates 50,000 a day, of which each infected PC tries only a few hundred. What will happen on April 1st is that this larger list comes into use. We can't know whether any of those names will host an update of the malware; the author could publish a new version of the worm or some other type of malware entirely. Note that the worm takes the date from the Internet (it reads it from the HTTP responses of popular websites), not from the system clock; we mention this in case somebody has thought of setting back the clock on their computer 😉
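As an added illustration (this is not code from the original post, and it is not Conficker's own algorithm), the Python below sketches a generic date-seeded domain generator with the properties described above, the "network date beats local clock" rule, the arithmetic behind why 250 names a day can be pre-registered by defenders but 50,000 cannot, and the check a defender would actually run: counting failed DNS lookups per host over a resolver log. The hashing scheme, the salt, the TLD list, the IP addresses and the log lines are all assumptions made up for this example.

```python
"""Illustrative date-seeded domain generator plus a DNS-log check.

The generator is an assumption for this example, not Conficker's algorithm:
it only reproduces the property the post describes, namely that every
infected host derives the same daily list from the calendar date, so the
author need only register one of those names in advance.
"""
import hashlib
import string
from collections import Counter
from datetime import date

ALPHABET = string.ascii_lowercase
TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD list


def daily_domains(seed_date, count, salt=b"example-salt"):
    """Derive `count` pseudo-random domains from the date (and an assumed salt).

    The seed is the calendar date, not a clock reading, so two hosts that
    agree on the date produce identical lists.
    """
    day = seed_date.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(salt + day + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 4                         # 8 to 11 letters
        name = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(name + "." + TLDS[digest[-1] % len(TLDS)])
    return domains


def effective_date(local_clock, network_date):
    """Prefer a date learned from the network over the local clock.

    Conficker reads the date from HTTP responses of popular websites, so
    winding the system clock back does not keep it from seeing April 1st.
    """
    return network_date if network_date is not None else local_clock


def registration_needed(domains_per_day, days):
    """Names a defender must sinkhole to block the update channel for `days`
    days by pre-registration alone; 250/day is feasible, 50,000/day is not."""
    return domains_per_day * days


def build_sample_log(dga_names):
    """Constructed DNS log of (client_ip, name, rcode): two normal clients and
    one that walks a whole day's list, of which only one name is registered."""
    log = [
        ("10.0.0.5", "www.example.com", "NOERROR"),
        ("10.0.0.5", "mail.example.com", "NOERROR"),
        ("10.0.0.5", "typo.exampel.com", "NXDOMAIN"),
        ("10.0.0.7", "update.example.org", "NOERROR"),
    ]
    registered = {dga_names[len(dga_names) // 2]}   # assumed: author registered one name
    for name in dga_names:
        log.append(("10.0.0.9", name, "NOERROR" if name in registered else "NXDOMAIN"))
    return log


def suspicious_hosts(log, nx_threshold=50, min_ratio=0.9):
    """Clients whose NXDOMAIN count and NXDOMAIN ratio both pass the thresholds.

    A host walking a DGA list produces a burst of failed lookups for
    random-looking names, which is visible in resolver logs even when the
    binary itself is obfuscated and evades signatures.
    """
    total, failed = Counter(), Counter()
    for client, _name, rcode in log:
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client] += 1
    return sorted(c for c in total
                  if failed[c] >= nx_threshold and failed[c] / total[c] >= min_ratio)


if __name__ == "__main__":
    # Clock set back to March, but the date learned from the network wins.
    today = effective_date(date(2009, 3, 1), date(2009, 4, 1))
    names = daily_domains(today, 250)
    print(names[:3])
    for per_day in (250, 50_000):
        print(f"{per_day:>6}/day -> {registration_needed(per_day, 30):,} names to sinkhole per month")
    print("suspicious:", suspicious_hosts(build_sample_log(names)))
```

The thresholds in `suspicious_hosts` are starting points, not tuned values: a host that legitimately generates many failed lookups (a misconfigured search list, a crawler) needs the ratio check as well as the raw count, and real resolver logs should be grouped per client over a time window rather than over the whole file.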
If any of those domains does host an update of the worm, what will the new variant do? In fact, nobody has managed to work out the final aim of Conficker. In earlier infections the author's motive was to become famous, but we doubt very much that it ends there. Given the business models that currently sit behind malware (mentioned many times on this blog), it is obvious that its author, or authors, will be looking to make money in some way. But how? It could be by using the network of infected PCs to send spam, by installing rogue antimalware on the infected PCs that warns users their computer is infected to entice them into buying a fake antivirus, by downloading password-stealing Trojans... There is a lot of speculation, but nothing certain.
Another question is whether it is really more dangerous than other types of malware. The answer is no, it is not more dangerous, although its update mechanism leaves a door open to new attacks that could be. Its success lies in having exploited a recent Microsoft vulnerability (MS08-067, in the Server service) to spread, which is why it has reached so many PCs. In this, its author has been smart and has borrowed the model of the classic network worms. Another "intelligent" move was to use several infection vectors, notably removable media such as USB keys and MP3 players and, in the later variants, network shares protected by weak passwords. What is true is that from version to version it has made detection harder by obfuscating its code; although we can't call it polymorphic, it is heading in that direction.
What stands out from all this is, as we said before, the use of USB devices in an attempt to reach the maximum number of PCs, and the fact that infected PCs can communicate with each other over P2P to pass updates along, without each one having to download the new version from a URL.
The infection rate of the previous weeks has dropped to low levels. There are probably still PCs being infected, but not at the levels we were seeing in previous months. In this situation, the author could take various actions:
a) create a new variant that exploits another 0-day vulnerability; it would take no time to spread, and perhaps this was the plan all along for Conficker.
b) keep the three variants that are already in circulation alive, monitoring day by day how much money they make, until the end.
c) Get bored and do something else…
We bet on option a). Not necessarily on April 1st, but it is on its way. It would be a shame to go to so much trouble without getting anything out of it, and for that reason we think it won't go away so easily.
Above all, don't give in to the panic. What should users do on April 1st? If your PCs are protected by a good, up-to-date antivirus, nothing. If you don't have one, we recommend installing one (there is no need to wait until April 1st...), and you can use Panda ActiveScan to make sure you are not infected. Make sure the Microsoft security update for the vulnerability the worm exploits is installed as well; an antivirus alone does not close the hole it uses to get in. We also recommend installing the free tool we have created to prevent infection through USB keys.