Thursday, April 2, 2009

Conficker watch out!

Computer experts watched warily today as a virus infecting millions of PCs activated itself as predicted on April 1. But fears of internet chaos have proved unfounded – so far – as machines infected with the "Conficker" worm tried to establish a link to command servers as expected from midnight to no ill effect. With April Fool's Day already nearly over in the Far East, where the majority of infected computers are located, internet security experts reported that no new instructions have been detected from the virus's creators. Fear of what the virus might do next has spread round the world as April 1 approached – the date when Conficker was scheduled to use local time clocks to change programming. No one knows who created the virus or what they intend to do with the vast network of infected machines they, in theory, now control.
The Conficker virus started spreading late last year. At first it was a relatively simple worm but its creators issued updates turning it into a more sophisticated and resilient virus that has found new ways to spread. It has also gained the ability to shut down a computer's defences. The programming on the latest version of Conficker tells infected machines from today to generate 50,000 new internet addresses each day that they can try and "phone home" for instructions. Previously, they had been looking for commands from just 250 sites each day. The point of the change is to make it harder for the security community to pre-register those addresses and block them.

Conficker infects machines by exploiting a weakness in Windows, the software that runs on most computers. At its peak it had compromised about 12 million PCs, although that may have fallen to about two million thanks to new security measures. Once the worm is on a computer, that PC becomes part of a “botnet” – a network of computers that can be controlled by the virus's creator.

In the past year the virus has spread to computers in schools, hospitals and government departments. It has got into the defence forces of Britain, Germany and France, grounding the French Navy's fighter jets for a time. A leaked House of Commons memorandum revealed that the parliamentary IT network had also been infected. One popular theory is that the makers are setting up a “computing-for-hire” scheme, where time on infected PCs is rented out. Others warn that the makers could try to steal identity data such as credit card details.

Despite lurid headlines, few security experts expected anything major to happen on April 1, speculating that the creators would probably wait until some of the attention had died down before making another move.

"These guys have been pretty smart until now — the worm is unfortunately very well done," said Patrik Runald, chief security advisor for F-Secure. "So far they haven't been stupid. So why should they start on April 1?"

Paul Ferguson, of Trend Micro, an internet security company, said that the best guess as to who was behind Conficker was a gang based in Ukraine – the first version of the virus was designed not to infect computers there. "It doesn't seem to be doing anything right now," he said as Conficker activation made its way to the western United States. "I hope April 1st comes and goes with no trouble. But, there is this loaded pistol looming large out there even if no one has pulled the trigger."

A task force assembled by Microsoft has been working to stamp out the worm, referred to as Conficker or DownAdUP, and the US software colossus has placed a bounty of $250,000 on the heads of those responsible for the threat. The worm, a self-replicating program, takes advantage of networks or computers that have not kept up to date with Windows security patches. Microsoft has modified its free Malicious Software Removal Tool to detect and get rid of Conficker.

Among the ways one can tell if their machine is infected is that the worm will block efforts to connect with websites of security firms such as Trend Micro or Symantec where there are online tools for removing the virus. Cyber-criminals have taken advantage of Conficker fears to lure internet users to websites loaded with malicious software with fake promises of security tools.

Post a Comment