Tuesday, March 31, 2009

April Fools' Day Virus - AKA Conficker.C

Many of you have probably heard about the virus Conficker.C, which is set to go online on April 1, 2009. For those of you who haven't heard about it, fear not, because I'm going to explain it now anyway.

The first point I would like to make is that Conficker technically isn't a virus. Most people confuse viruses with just about every other type of malware known to machine and man, so I'm going to call it a virus for the sake of my sanity. In reality, however, Conficker is what is called a worm, meaning that it is self-replicating. Once you have the Conficker worm, it can reproduce itself and use your computer to send itself to other computers and systems. A virus, on the other hand, requires a "host", usually a program that you execute, allowing the virus to infest your computer. The virus then remains in the host unless some physical medium (a USB drive, a floppy disk, etc.) is used on the infected computer and then used in another computer.

So what exactly is Conficker? Well, the Conficker virus/worm comes in three different versions (strains). Strain A basically generated 250 random website names per day that the "zombie" computers (computers that can be controlled and accessed by a "master" computer the original virus author has access to) could use to dial home. This strain was patched in most cases, and so isn't a huge problem. Its end goal was simply to sell bogus software to unwitting users. The second strain, Conficker.B, was similar but infected millions more computers. The major innovation in Conficker.C is that instead of generating 250 URLs per day, it will generate upwards of 50,000.
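As an added defender's example (not code from the original post): a machine that walks through a daily list of generated rendezvous names, most of which nobody has registered, shows up in resolver logs as a burst of NXDOMAIN answers for random-looking labels. The script below scans constructed DNS log lines (the log format, client addresses, names and thresholds are all assumptions) and flags clients that show that pattern.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical format:
# "<timestamp> <client-ip> <queried-name> <rcode>"); not real Conficker traffic.
SAMPLE_DNS_LOG = """\
2009-03-31T09:00:01 10.0.0.5 www.example.com NOERROR
2009-03-31T09:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-31T09:00:03 10.0.0.9 qzvkfpxwmj.info NXDOMAIN
2009-03-31T09:00:03 10.0.0.9 rtlbmwxcaq.biz NXDOMAIN
2009-03-31T09:00:04 10.0.0.9 hdqnvgsyrk.org NXDOMAIN
2009-03-31T09:00:04 10.0.0.9 wpxkmzdtfb.net NXDOMAIN
2009-03-31T09:00:05 10.0.0.9 jcysrqonle.com NXDOMAIN
2009-03-31T09:00:06 10.0.0.9 update.example.com NOERROR
2009-03-31T09:00:07 10.0.0.5 shop.example.com NXDOMAIN
"""

def label_entropy(name: str) -> float:
    """Shannon entropy (bits per character) of the second-level label of a name."""
    parts = name.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def flag_dga_clients(log_text, nx_threshold=4, entropy_threshold=3.0):
    """Return {client: (nxdomain_count, high_entropy_nxdomain_count)} for every
    client at or above both thresholds, i.e. one that behaves like a bot trying
    a daily list of generated names that are mostly unregistered."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, rcode = fields
        if rcode != "NXDOMAIN":
            continue
        stats[client][0] += 1
        if label_entropy(qname) >= entropy_threshold:
            stats[client][1] += 1
    return {c: tuple(v) for c, v in stats.items()
            if v[0] >= nx_threshold and v[1] >= nx_threshold}

if __name__ == "__main__":
    print(flag_dga_clients(SAMPLE_DNS_LOG))  # {'10.0.0.9': (5, 5)}
```

Tune the thresholds against a day of your own resolver logs before alerting on this; a single typo'd name (like the one from 10.0.0.5 above) should never trip it.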

Strain C could simply be another bogus advertising deal, trying to trick users into giving up important credit card information. Other theories exist as to what it may do, however. When Strain C becomes active, the Conficker virus will be able to bypass many security programs and infect the rest of the computers on the same local network as an infected computer. It also has the ability to build a tunnel that will allow it to find and infect computers via the internet, allowing it to spread rapidly. It could then be used by criminals to gain access to the private data contained on the millions of infected computers (an estimated 6-10 million computers are currently infected). It would be the largest zombie network ever created by a single entity. The zombie network could also be used to mount a DoS attack against any number of servers.

Conficker is already prevalent in the computer world. As I said before, an estimated 10 million computers are infected already, including those of the British Parliament, the French Navy, and other government bodies.

We really have no idea what Conficker will do tomorrow, aside from "dial home" to its maker. The end goal of the worm is still unknown; what it will do is anyone's guess. My suggestion, however, is that if you are running a Windows machine, you may want to check that you have updated your antivirus software, because Conficker, among the other things we know it does, blocks updates and installations (of antivirus software) that may be harmful to it.