Warns Microsoft

Apr 2, 2009 09:43 GMT

The Conficker worm proved a perfect fit for this year's April Fools' Day. The security community held its breath waiting for the malicious code to evolve on April 1, 2009, ready to react with countermeasures, but Worm:Win32/Conficker.D proved a dud. The worm did evolve to the next stage in its existence, but nothing else happened. Microsoft and the Conficker Working Group confirmed that no additional malicious activity has been detected or can be associated with Conficker. Even so, the Redmond company is warning that the threat should not be dismissed.

“We and our partners in the Conficker Working Group have been watching closely and we’ve not seen any new malicious activity from Conficker. We haven’t seen any actions outside of what we expected. We have seen systems infected with Worm:Win32/Conficker.D starting to use the new domain generation algorithm. But we haven’t seen any new variants released or any new attacks levied as a result of this,” revealed Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC).

Microsoft is offering no less than $250,000 as a reward for any information that would lead to the arrest of Conficker's authors. The reward has been valid worldwide since mid-February 2009, but so far the worm's authors are still at large and still working on the evolution of their malicious code. On April 1, 2009, the worm changed its behavior, adopting a new algorithm for contacting domains from a pool of 50,000 URLs in order to download files and instructions. But just because nothing happened on April 1 doesn't mean that users are in the clear.

“While there’s been a significant focus on the April 1 date, customers shouldn’t take it to mean that once April 1 has passed that all the risks around Conficker.D lessen or go away. (...) Conficker.D should remain a manageable cause for concern and it doesn’t go away after April 1. Just like it has on April 1, Conficker.D will continue trying to contact domains using this new algorithm on April 2, April 10, and beyond. This means that even though it hasn’t happened today, a new variant or a new attack could be levied in the future,” Budd added.

Aside from patching Windows with MS08-067, users can also turn to various free security solutions designed to detect and remove Conficker:

Sophos Conficker Clean-up Tool 1.3 is available for download here.
Microsoft Malicious Software Removal Tool is available for download here.
McAfee AVERT Stinger Conficker 10.0.1.534 is available for download here.