Conficker has wriggled into millions of PCs, leaving them open to receive a nasty parcel of malware from its author. But the worm – shaping up to be the biggest virus attack the world has ever seen - has yet to deliver its payload to a single infected computer. Antivirus experts tell NBR they’re waiting for the other boot to drop.
Peter Sparkes, senior manager for managed security services across Asia Pacific and Japan for Symantec, the largest antivirus player, tells NBR his company has yet to spot a single instance of a PC being hit by a Conficker payload (although the Ministry of Health did take its systems offline during a 15 day battle to root out the worm itself).
The worm works in three stages. In the first, it infects a PC, either online or – in a nice retro touch recalling the days of floppy-borne viruses – a USB thumb drive. Next, it “phones home” to a rogue web server controlled by Conficker’s creator (whom Symantec’s rival F-Secure fingers as a Ukrainian hacker), letting the server know the PC is infected, and now open to receive a payload of malware.
While the malware payload could theoretically be any piece of software, Mr Sparkes notes that unlike the early internet days of show-off hackers and amateur vandals, today’s virus writers are all about making money.
He also notes that Conficker is a very slickly-written piece of software, noted for its uniquely insidious ability to randomly generate 250 server domain names every day (most worms are easier to nab because they “phone home” to a single server).
Mr Sparkes says Conficker (also known as Downadup) is continuing to mutate. One new variant attacks Windows Vista (previously, Windows XP and older versions were more vulnerable). Another hijacks the “autoplay” function in Windows 7 (Vista’s successor, still in beta).
It’s unlikely such a sophisticated operation would not be building up to a major attack.
Typically, today’s malware attempts to sniff out personal details that could provide its author with access to the victim’s bank account or online auction account – or simply holds and individual or company’s data to ransom.
So when Conficker’s payload does hit, it’s likely some of the owners of the estimated 3 million (by Symantec’s count) to 9 million (by F-Secure’s) infected PCs are going to see their online accounts looted.
It’s possible Conficker’s author has set a certain date when all infected PCs will be hit in one big-bang attack, which would maximise the rapidly-reconfiguring worm’s chances against being blocked by security software updates. However, it’s equally possible incremental attacks will take place.
Although Conficker is shaping up to possibly be the world’s largest ever virus attack, Mr Sparkes says infections are concentrated in the small business segment, and geographically in China, Russia and South America – countries where there is less security infrastructure, and fewer have applied Microsoft’s relevant Windows patch (covered here) or auto-update their antivirus software.