Network infiltrated, Conficker whirrs for the first time

Written by Sreejiraj Eluvangal

Science fiction writers have alluded to a future where rogue bands of techies hijack millions of computers and hold the world to ransom.

The latest update to the Conficker worm, estimated to have already infected 3-15 million computers, seems to point to a similar scenario.

The worm, which till Wednesday was content to simply replicate and install itself on more and more computers, has started downloading a programme which experts suspect could be software to steal personal information.

“There’s evidence that Conficker is awakening, or at least opening an eye. A new malicious file has now been dropped into machines in the Conficker Botnet [ring of infected computers] via the peer-to-peer mechanism,” said Carl Leonard, threat research manager at US-based Websense Security Labs.

Conficker is designed to exploit a flaw in many versions of the Windows operating system which was patched by Microsoft in October last year. Initially, the worm spread from infected computers through the standard internet communication format (http) and mainly affected corporate and other networks.

“While it was detected in November itself, the first cases we found in India came in late December,” said Murali Murugesan, general manager with Zoom Tech India, the primary implementor for Kaspersky Lab, one of the top five anti-virus solutions. “The interesting thing about this was that it seemed to be intended as a punishment — Microsoft described the vulnerability in October and sent out a patch and someone wrote a virus to exploit it soon after. Usually, patches are sent after the virus attacks,” he pointed out.

The worm, the most widespread in the last four years, has the potential to cause enormous harm by stealing sensitive information or simply crashing communications sites. It can also be used to launch attacks on specific websites or web-based services.

However, despite Conficker having infected millions of computers, the rogue programmers behind the worm have not launched any attack so far.

Conficker’s latest mutation is different from previous updates. Whereas in previous cases, the worm continually updated itself to spread through newer methods, the latest updates do not seem to be introducing any new method of self-propagation. Many feel that the makers of the worm may be testing the strength of the network of infected computers (botnet), before launching a full-scale attack.

Like most security experts, the world’s No 1 security software provider, Symantec, too seems puzzled by the latest move by the ‘bad guys’. “This new .E variant does not appear to include any new infection vectors that might allow the threat to spread faster or onto new machines. We are analysing the file for other functionality,” it said in an official statement. Also, unlike previous mutations, the latest download and install is not happening through the standard web architecture. “This time, the worm-makers are using their own network to install the software... So it’s spreading from one infected computer to another, without the aid of a server or http channel. People who have disabled their firewalls or security systems to allow peer-to-peer filesharing are particularly at risk,” pointed out Murugesan.

Leonard of Websense suspects the latest move is in preparation to launch a bigger strike. “Conficker is a sleeping infrastructure of infected hosts waiting to be mobilised. This update shows that they are taking care of their infrastructure, keeping it updated. Creating a Botnet of this size has taken a lot of resources and it would make sense to maintain their assets until ready for use,” he pointed out.

Interestingly, the hype and fear around the worm have resulted in many fake and sometimes dangerous websites springing up overnight, offering to ‘clean up’ Conficker. Experts have warned users not to fall into the trap. Users who regularly updated their operating system through Windows Update have nothing to worry about.

Others need to find a trusted Conficker removal tool. “One sure sign that your computer has been infected is when you try to visit the Microsoft update page or the page of most anti-virus companies, it shows an error and the user is not able to do so,” pointed out Murugesan.