On April 1, 2009

Mar 27, 2009 16:09 GMT

Worm:Win32/Conficker.D, which targets Windows operating systems including Windows 7, Windows Vista and Windows XP, is set to take another step in its evolution next week, on April 1, 2009. The worm, which is reported to have infected anywhere from eight to 12 million machines (and even more) since it was initially introduced in October 2008, will grow in complexity on April Fool's Day. The malware authors have the upper hand, as the security community is waiting not only to see what will happen, but also to respond to the threat and adapt security solutions to block the evolved malicious code.

According to Microsoft: “once a day, Win32/Conficker.D may build one of 50,000 URLs to download files starting on April 1, 2009.” Roger Halbheer, chief security advisor of Microsoft EMEA, revealed earlier this month that he “would love to know” what would happen to Conficker on April 1. And the fact of the matter is that, though some potential scenarios have been formulated, only Conficker's authors really know what will happen to the malware next week.

McAfee's Vinoo Thomas is in agreement with Halbheer: “What happens on April Fool’s Day is anyone’s guess,” he stated, having opined that “from the days of Michelangelo to the recent Blaster, SoBig, Sober and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms have only turned out to be damp squibs.”

Thomas indicated that Windows users running security solutions had little to worry about, since detection rates for the malware are over 90%. Still, it is imperative that users patch their Windows operating systems with the security update referred to in Security Bulletin MS08-067. In addition, the Microsoft Malicious Software Removal Tool, available as a free download, is capable of detecting and cleaning up all variants of Conficker.

McAfee is also offering a free security solution to safeguard machines against the worm. “In the run up to April 1st, McAfee is offering a special build of its stand-alone cleaning tool christened Stinger which will be updated on a daily basis to include any undetected Conficker variants from the wild,” Thomas promised. Stinger is already available for download and will contribute to protecting end users against Conficker, also known as Downadup and Kido. Microsoft is offering a $250,000 reward, valid worldwide, for any information that will lead to the arrest of Conficker's authors.

“In order to resist Conficker Cabal initiative which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute,” Thomas said.
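The monitoring problem described in the quote above can be seen from the defender's side in the following added example, which is not from the article, Microsoft or McAfee. The generator is a hypothetical stand-in that shares only the date-seeded property with the worm (it is not Conficker's algorithm), and the TLDs, IP addresses and log lines are constructed: a DNS watchlist sized for 250 names per day misses a host whose lookups come from the larger 50,000-name list.

```python
import hashlib
from collections import defaultdict
from datetime import date

TLDS = ("example", "test", "invalid")  # reserved TLDs, chosen for this example


def candidate_domains(day, count):
    """Stand-in date-seeded generator (NOT Conficker's real algorithm).

    It reproduces only the property that matters here: the date fully
    determines the list, so a defender can compute the same list.
    """
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        names.add(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def flag_hosts(dns_log, day, count, threshold=3):
    """Map each host to its number of distinct lookups of the day's
    candidate names, keeping hosts at or above the threshold."""
    watchlist = candidate_domains(day, count)
    seen = defaultdict(set)
    for line in dns_log:
        log_day, host, qname = line.split()
        qname = qname.lower().rstrip(".")
        if log_day == day.isoformat() and qname in watchlist:
            seen[host].add(qname)
    return {h: len(q) for h, q in seen.items() if len(q) >= threshold}


def sample_log(day):
    """Constructed DNS log: one benign host, one host querying four names
    that exist only in the 50,000-name list."""
    extra = sorted(candidate_domains(day, 50_000) - candidate_domains(day, 250))
    lines = [f"{day.isoformat()} 10.0.0.7 www.example.org"]
    lines += [f"{day.isoformat()} 10.0.0.23 {name}" for name in extra[:4]]
    return lines


if __name__ == "__main__":
    day = date(2009, 4, 1)
    log = sample_log(day)
    print("watchlist of 250:   ", flag_hosts(log, day, 250))
    print("watchlist of 50,000:", flag_hosts(log, day, 50_000))
```

Matching logs against the full list stays cheap because it is a set lookup; what grows 200-fold is the number of names that would have to be registered, blocked or watched each day.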

Microsoft Malicious Software Removal Tool is available for download here.

McAfee AVERT Stinger Conficker 10.0.1.534 is available for download here.