In summary, Conficker is a worm that has remained dormant until now. However, recent reports and reverse-engineering analysis of its code revealed a possible activation date, which is today, April 1st, 2009.

So far, there is nothing significant to report. Many organizations have been proactive in scanning their networks for unpatched systems or machines already infected with the worm, which are then cleaned or removed from the network. It is estimated that there could be disruption to domain servers commonly used in Windows-based networks, due to the brute-force attacks the worm can launch against user credentials (failed logins trigger account lockouts). The Conficker Working Group (www.confickerworkinggroup.org) has been working overtime to contact the owners of network blocks showing signs of infection. Their website has been intermittently unavailable due to the great interest the topic has generated, which I suppose is a good thing. Insecure.org also suffered DoS conditions for a while when the updated version of the nmap tool, which can find machines infected with the worm, was released. In summary, this exercise has been a good opportunity for organizations to review their system patching procedures and compliance with standards. It is also a good reason to search for any embedded systems running old Windows versions that cannot be patched, and either protect or replace them.

What will really happen on April 1st?

As reports continue to arrive and myth mixes with fact, we wanted to provide a list of things that will happen or are happening right now. Here is what we know so far:

  1. The activation of the worm on April 1, 2009 is not an April Fools' hoax; it will really happen.

  2. The Conficker worm (also known as Downadup) will start connecting to 500 different Internet domains each day, looking for code updates; it was initially reported that the number was 250 domains.

  3. The P2P network connection functionality reported in the new version of the worm already exists in the initial version.

  4. SRI has published a very comprehensive analysis of the worm here.

Based on these facts, the Internet Storm Center (isc.sans.org) estimates that today will be a more or less normal day. However, the situation should be closely monitored.
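Fact 2 above gives defenders something concrete to look for: a host that contacts hundreds of distinct, mostly non-existent domains in a day looks nothing like normal workstation traffic. The following script is an added example, not code from the original post, the Internet Storm Center or the Conficker Working Group; it summarizes DNS resolver log lines per client and flags hosts whose distinct-domain count and NXDOMAIN share both exceed a threshold. The log format, the sample lines and the thresholds are constructed for the example (real tuning would use a per-day window and a far higher domain count than the 20 used here).

```python
"""Flag hosts querying an unusually large number of distinct domains.

Added example. The four-field log format below is an assumption made for
this script; adapt parse_line() to your resolver's actual log layout.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample log: "<epoch> <client_ip> <qname> <rcode>".
# 10.0.0.5 and 10.0.0.6 behave normally; 10.0.0.9 queries 25 distinct
# names, most of which do not resolve (a small-scale stand-in for the
# 500-domains-a-day pattern described in the post).
_NORMAL = [
    "1238544000 10.0.0.5 mail.example.org NOERROR",
    "1238544010 10.0.0.5 www.example.org NOERROR",
    "1238544015 10.0.0.5 www.example.org NOERROR",
    "1238544020 10.0.0.6 update.example.net NOERROR",
    "1238544030 10.0.0.6 typo.exmaple.net NXDOMAIN",
    "this line is malformed and must be skipped",
]
_SUSPECT = [
    f"12385441{i:02d} 10.0.0.9 host{i:02d}.constructed.test "
    f"{'NOERROR' if i % 8 == 0 else 'NXDOMAIN'}"
    for i in range(25)
]
SAMPLE_LOG = _NORMAL + _SUSPECT


class HostStats(NamedTuple):
    distinct_domains: int   # number of unique names the host asked for
    nxdomain_ratio: float   # share of its queries answered NXDOMAIN


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, qname, rcode) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 4:
        return None
    _epoch, client_ip, qname, rcode = fields
    # Normalise the name so "Foo.Test." and "foo.test" count once.
    return client_ip, qname.lower().rstrip("."), rcode.upper()


def summarize(lines: Iterable[str]) -> Dict[str, HostStats]:
    """Aggregate distinct names and NXDOMAIN share per client IP."""
    domains = defaultdict(set)
    queries = defaultdict(int)
    nxdomain = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, qname, rcode = parsed
        domains[client_ip].add(qname)
        queries[client_ip] += 1
        if rcode == "NXDOMAIN":
            nxdomain[client_ip] += 1
    return {
        ip: HostStats(len(domains[ip]), nxdomain[ip] / queries[ip])
        for ip in domains
    }


def flag_hosts(lines: Iterable[str], min_domains: int = 20,
               min_nx_ratio: float = 0.5) -> List[str]:
    """Return client IPs exceeding both thresholds, sorted for stable output."""
    stats = summarize(lines)
    return sorted(
        ip for ip, s in stats.items()
        if s.distinct_domains >= min_domains and s.nxdomain_ratio >= min_nx_ratio
    )


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:12} distinct={s.distinct_domains:3d} "
              f"nxdomain={s.nxdomain_ratio:.2f}")
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

Requiring both a high distinct-domain count and a high NXDOMAIN share keeps ordinary busy hosts (web proxies, mail relays) off the list, since they resolve many names but most of those names exist. A flagged host is a candidate for the patch and cleanup steps described above, not proof of infection on its own.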

Source:

http://isc.sans.org/diary.html?storyid=6103

http://isc.sans.org/diary.html?storyid=6091