Friday, April 10, 2009

Conficker finally on the move

Thu Apr 9, 2009 12:35PM EDT

Last night, Conficker -- the computer worm that's had every computer user in a tizzy for weeks -- finally began to show signs of life. What exactly it's doing, no one's quite sure.

Here's the scoop: On April 8, Conficker began updating itself via Internet download, a capability that became active on its April 1 launch date. Before April 8, Conficker had been searching for updates but hadn't found any such instructions. Now they are finally being delivered.

What's in those instructions, though, remains a bit of a mystery: The downloaded programs are heavily encrypted, so they can't be analyzed in detail. We do know that, after installation, the instructions we can see are relatively benign: They tell the computer to check one of five websites chosen at random -- MySpace, eBay, AOL, CNN, and MSN -- in order to verify that the computer has Internet access. It then confirms the date and time.

After this, the downloaded software seemingly deletes itself, along with every trace that it had ever been installed (right down to the registry keys).

That doesn't mean it does delete itself, though. Some speculate that the downloaded software installs an as-yet undetectable rootkit on the machine that leaves the computer open for further compromise.

Curiously, the payload also includes instructions for Conficker to delete itself and stop running on May 3, though compromises already introduced -- and additional ones that may be downloaded over the next few weeks -- will leave any infected machine vulnerable to attack.

Research into exactly what's going on -- made difficult due to the encryption on the worm -- continues. (Trend Micro has more technical details if you're interested.) Stay tuned for more updates.
