Conficker's April Fools' Day Update Begins With A Yawn

It's April 1 in Asia and Australia at the moment and the Conficker worm is busily expanding the list of domains from which it seeks instructions.

The results so far recall the Y2K crisis: Lots of worry, but not much impact.

"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post on Tuesday. "So far nothing has actually happened."

This nonevent, however, is apparently news, if the volume of commentary coming from security researchers and echoed in the press is any measure. Thanks to the rise of news aggregation services like Google News, once a nonevent reaches critical mass, every industry observer and media outlet is more or less obligated to weigh in.

The chatter among security professionals is almost uniformly nonchalant.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."

The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability that was patched (MS08-067) last October. Since then, it has been updated several times. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices and brute-force password guessing. It also uses a variety of sophisticated techniques to evade detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.

Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the largest number of infections (45%) are in Asia, followed by Europe (31%), South America (13.6%), and North America (5.8%), with the remainder in the Middle East, Africa, and elsewhere.

The reason that IBM ISS knows this is that one of its researchers, Mark Yason, succeeded last week in cracking the worm's peer-to-peer communication scheme. This has allowed IBM to see Conficker bots hiding in the machines of customers of its managed security service, as well as those outside its purview, bots around the globe trying to communicate with their peers.

Holly Stewart, IBM ISS X-Force threat response manager, attributes the widespread interest in Conficker to the aggressive way in which it spreads and to its sophistication, with several propagation methods and a peer-to-peer communication system.

But really, there's no reason that anyone's computer should still be infected, given the variety of Conficker detection and removal tools out there. Even the Department of Homeland Security is getting into the act and offering Conficker mitigation software for government agencies and enterprises.

2009 marks the 12th year that InformationWeek will be monitoring changes in security practices through our annual research survey. Find out more, and take part.