Conficker Creates Vast Botnet: Page 2

For security vendor Qualys, the new detection method is being baked into its QualysGuard scanner.

"This new detection method allows IT administrators to remotely detect the Conficker virus directly on the infected machines without needing credentials or an agent installed," Wolfgang Kandek, Qualys's CTO, told "For many large enterprises, this represents an opportunity to perform a quick and nonintrusive audit of their patching efforts. Before the release, we were depending on having the credentials to the target machine for our Conficker detection."

Detecting Conficker remotely is a matter of identifying the "fingerprint" that it leaves behind, Kandek said. According to him, Conficker leaves a mark on infected machines that can be detected remotely using special RPC calls.

What happens on April 1?

Conficker has only been around since October at the earliest, which is when Microsoft released an out-of-band update to patch a vulnerability on which the worm now preys.

That brief lifespan hasn't made it any simpler for researchers to figure out Conficker's plans ahead of its April 1 update.

"Based on Microsoft's technical analysis, we've determined that systems infected with the latest version of Conficker (Conficker.D) will begin to use a new algorithm on April 1, 2009 to determine what domains to contact," Christopher Budd, security response communications lead for Microsoft (NASDAQ: MSFT), told in an e-mail. "We have not identified any other actions scheduled to take place on that date."

In the meantime, researchers have plenty of theories on what might take place on April 1.

"Currently the major threat is that Conficker can download new programs that it will execute on command by its controllers, and we do not know what these programs will do," Qualys' Kandek said. "In addition, the authors of Conficker have shown that they have the ability to quickly turn out new versions of Conficker -- these need to be analyzed each time from scratch, so we are at a disadvantage."

Still, Kandek does not expect any problems on April 1 -- at least, in terms of Conficker disrupting communications by "phoning home" for instructions. From his code analysis, he surmised that Conficker.C is rather "gentle" in its communication mechanism, set for activation on April 1.

"This makes a lot of sense, as the creators of the worm are not interested in disruption," he said. "They want their worm to be as successful as possible, [keeping] their network of machines healthy and to grow it if possible."

For the moment, researchers are celebrating their successes against the worm. For instance, Microsoft's Budd noted that a joint effort with domain name system operators has proactively disabled a significant number of the domains targeted by Conficker, disrupting the worm's use of them and preventing potential attacks.

Still, Budd warned, "This disruption was not meant to be an end-all solution to the Conficker worm."

Microsoft also continues to advise its users to update their PCs and ensure they are running up-to-date antivirus software.

"However, as this threat continues to evolve, Microsoft and other collaborative companies will continue to identify new ways to disrupt the Conficker threat to give customers more time to update their systems," Budd added.

This article was first published on
