Whither, Conficker

As has been posted on other sites, tonight at midnight UTC the Conficker computer virus is due to start executing.  What is Conficker?  It's a computer virus.  Here's what Wikipedia has to say:

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

What is going to be the payoff of Conficker?  Well, it's a little hard to tell.  Pandalabs downplays its potential impact:

Conficker is a malware that creates random URLs every day, and the PCs infected with it check if there is any new available version to download. It does so 250 times a day.  What will happen then on April 1st? The last variant creates 50,000 new URLs. We can’t know if any of them will host an update of the malware; its author could host a new version or even some other type of malware.

Another question posed is if it’s really more dangerous than other types of malware. The answer is no, it’s not more dangerous, though its update functionality leaves a door open to new attacks that could be more dangerous. Its success lies in having exploited a recent MS vulnerability to distribute itself, and that’s why it has reached many PCs.

Finally, an article on CNN illustrates its probable motive:

The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.

More likely, though, the virus may try to get computer users to buy fake software or spend money on other phony products.

Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs.

That's what I tend to lean towards.  If the last variant of the virus created 50,000 URLs per day, then what could these URLs be used for?  I can think of two likely possibilities.

  1. Updates - As with other malware, having a lot of different web sites to download from makes it difficult for registrars and antispam vendors to shut all of them down or push out updates covering each of them.  The standard operating procedure for infecting your PC is for a botnet army to send out a spoofing email with a link to a web page.

    Thus, if this does turn out to be a non-event, then I would expect to see an army of social networking spoofs, e-card spoofs or news article spoofs.  These would be something to intrigue the reader and get them to click on the link.  Once they do, they download a piece of malware and, just like that, their PC is infected.

    This is a pretty typical spammer attack and is not at all out of the ordinary.

  2. Spamware - The other attack vector I can think of is a short message touting a product, with a link to acquire it.  Whether the message is in English, Russian or German, you would see something like "Get a new iPod mini!" in the subject line with a similar body text, and then see a link to acquire the product.

    Again, this is a very common spamming tactic; it's old hat and has been used for years.

Those would be my guesses as to the most likely outcomes of this virus.  Whether or not anything actually comes to fruition is still to be seen, but for now, the amount of media attention this is getting should make it a little easier to contain and defend against.
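The update channel Pandalabs describes above (a fresh batch of random domain names each day, a subset of which the infected PC polls) also gives defenders something to look for in their own DNS logs. The following is an added example, not from the original post or from any Conficker analysis: it assumes a constructed two-column query log and uses a simple vowel-ratio heuristic (not Conficker's actual generation algorithm) to flag clients that resolve many random-looking names in a single window.

```python
from collections import defaultdict

# Constructed sample DNS query log lines: "<client> <queried name>".
# The names are made up for this example, not real Conficker rendezvous domains.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 qzvxkjpwl.org
10.0.0.7 hjktrmyqa.net
10.0.0.7 zpxwqvnbl.com
10.0.0.7 xkqjzvwpt.biz
10.0.0.7 www.example.com
10.0.0.9 news.example.org
"""

VOWELS = set("aeiou")

def second_level_label(name):
    """Label just left of the TLD (naive: no public-suffix list handling)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=8, max_vowel_ratio=0.2):
    """Heuristic: long, purely alphabetic, nearly vowel-free labels are rarely
    chosen by humans but are typical of algorithmically generated names."""
    if len(label) < min_len or not label.isalpha():
        return False
    vowels = sum(1 for ch in label if ch in VOWELS)
    return vowels / len(label) <= max_vowel_ratio

def flag_hosts(log_text, min_distinct=3):
    """Return {client: sorted generated-looking labels} for every client that
    resolved at least `min_distinct` such names within the log window."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip malformed lines rather than crash on them
        client, name = fields
        label = second_level_label(name)
        if looks_generated(label):
            seen[client].add(label)
    return {c: sorted(v) for c, v in seen.items() if len(v) >= min_distinct}

if __name__ == "__main__":
    for client, labels in flag_hosts(SAMPLE_LOG).items():
        print(client, "resolved", len(labels), "generated-looking names:", labels)
```

Only 10.0.0.7 is reported on the sample input; the thresholds are starting points to tune against your own baseline traffic, since long legitimate labels can trip a naive character heuristic.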
