I don’t, of course, know for sure what’s going to happen on April 1st, the date on which the latest Conficker variant is timed to move, potentially, to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date.
At the very least, as our colleagues in Slovakia have already pointed out, machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated each day for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&C) servers has increased from 250 a day to 50,000. Since a bot only needs one of those names to resolve to a live server, anyone trying to cut the botnet off has to pre-register or sinkhole every name on the list; at 250 a day that is tedious but feasible, at 50,000 a day it is not, and the larger list also increases the risk of "collisions" with legitimate domains.
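To make the defender's problem concrete, here is an added example (written for this post, not ESET's code and not Conficker's real algorithm) of an illustrative date-seeded domain generation scheme. The hashing scheme, the `b"example-seed"` secret, the TLD list and the "legitimate" domains are all assumptions made up for the example; what carries over to the real case is the arithmetic: the same daily list is derived independently by bot and operator, and a defender who has covered the 250 names of the older scheme covers only 0.5% of a 50,000-name day.

```python
import hashlib

# Assumed TLD pool for the toy generator (not Conficker's actual list).
TLDS = ("com", "net", "org", "info", "biz")


def generate_domains(day: str, count: int, secret: bytes = b"example-seed") -> list:
    """Illustrative date-seeded DGA (NOT Conficker's real algorithm).

    Bot and operator both derive the same candidate list from the date plus
    a shared secret, so the binary never has to carry a fixed rendezvous
    address. `day` is an ISO date string such as "2009-04-01".
    """
    domains = []
    for i in range(count):
        material = secret + day.encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                      # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[13] % len(TLDS)]}")
    return domains


def coverage(day: str, count: int, blocked: set) -> float:
    """Fraction of one day's distinct candidates that a defender has already
    registered or sinkholed. A bot needs only one uncovered name, so anything
    below 1.0 leaves the operator a way in."""
    candidates = set(generate_domains(day, count))
    return len(candidates & blocked) / len(candidates)


def collisions(day: str, count: int, legitimate: set) -> list:
    """Candidates that coincide with a legitimately registered domain.

    Blocking these outright would take a real site down, which is why a
    longer daily list also means more risk of collateral damage."""
    return sorted(set(generate_domains(day, count)) & legitimate)


if __name__ == "__main__":
    day = "2009-04-01"
    old_list = set(generate_domains(day, 250))        # 250/day, as in earlier variants
    print("covered with 250/day:    ", coverage(day, 250, old_list))
    print("covered with 50,000/day: ", coverage(day, 50000, old_list))
    # Constructed input: pretend the 4th candidate is an existing legitimate site.
    legit = {"example.com", generate_domains(day, 250)[3]}
    print("collisions:", collisions(day, 250, legit))
```

The prefix property (the first 250 names of the 50,000-name list are the same 250 names) is a property of this toy scheme only; the point is that any scheme which multiplies the daily list by 200 multiplies the defender's registration and sinkholing burden by the same factor.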
While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. Data from our ThreatSense.net threat monitoring system show that a hair-raising 3.88% of PCs owned by our customers were attacked this week by Conficker, and would have been at direct risk of infection had they not been protected.
This suggests that if and when Conficker starts to act like a real botnet, the chances are that even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it will have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.
Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against the root DNS servers (the top layer of the hierarchy of authoritative name servers that maps names to addresses, and without which internet-connected machines cannot find other connected systems).
However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether, for instance by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV and so on.
In fact, the earliest Conficker variant also had an update mechanism: in that instance, it had the very specific purpose of downloading a file called loadav.exe. From its name, it’s likely that this was a fake security application, but no-one ever saw it because the server on which it was to be hosted never went online. And there are reports today of search engine optimization (SEO) poisoning being used to misdirect people googling for Conficker-related information to web sites serving fake AV.
So what is ESET doing about Conficker?
What can you do? Well, we’ve covered that ground pretty well already in previous posts, but it does no harm to recap the main points.
Finally, here are some useful resources for finding out more about Conficker.
David Harley & Pierre-Marc Bureau
Malware Intelligence Team