The Conficker worm, which checks 250 different domains each day for an update, could become a lot harder to stop, if those responsible for the malicious program can get their latest code to infected computers.
The software module, discovered on Friday and initially dubbed Downadup.C and Conficker.C, causes Conficker-infected computers to search — not 250 — but 50,000 different domains each day for updates. Last month, Microsoft teamed up with security firms and domain registrars to block the 250 new domains that the worm generates each day. The group, called the Conficker Cabal, will be hard pressed to block infected PCs' attempts to update from 50,000 different domains.
Yet, the Cabal viewed the efforts to block domains as a stop-gap measure, said Vincent Weafer, vice president of security response for security firm Symantec, which owns SecurityFocus.
"Buying the domains was meant to buy ourselves time," Weafer said. "It was never meant to be a long-term defensive strategy."
Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International. Companies that monitor the domain names generated by infected computers have found about 3 million IP addresses contacting the domains each day, a level that seems to be stable over the last two weeks.
The initial variant of the worm used a vulnerability in Microsoft's Windows operating system to spread to vulnerable computers. A second iteration of the program also spreads to open network shares and attempts to access weakly-protected systems by trying 240 common passwords. The later program, known as Conficker.B, also propagates by copying itself to USB memory sticks and by infecting the autorun.inf file. Both programs block the infected computers from updating security and systems software by blacklisting the domains of Microsoft and many security firms.
Symantec discovered the Conficker module on a honeypot system that the company uses to monitor the worm. Because the Cabal is blocking the domains that the Conficker worm uses to update infected systems, the module will likely not spread quickly, if at all. However, infected hosts on the same network share do update each other using a peer-to-peer capability, Weafer said. So, if one infected system gets updated, all other infected computers on the same network will get the new code as well.
Posted by: Robert Lemos