Conficker and April 1st
A recent report by SRI International, an independent, California-based research organization, described the wide spectrum of possible outcomes should Conficker achieve its authors' goals: "Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.
"In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself."
"Based on our collective technical analysis, we've determined that systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact," said Bruce Cowper, chief security adviser at Microsoft Canada. "We have not identified any other actions scheduled to take place on April 1, 2009."
On April 1, a malicious piece of code that has infected millions of computers is expected to try to contact its control centre. What happens next is a mystery.
In just a few minutes it will be April 1st at the International Date Line. Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen. There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to "help" those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers. Our official Conficker page is at http://www.dshield.org/conficker; that's where we have links to all of the software and analysis that we know is trustworthy.
As always, we want to remind our readers that if you are doing what everybody considers to be best business practices (firewalls, unneeded services turned off, systems patched, current antivirus software, user education and awareness, good policies, an incident detection and response mechanism, etc.) then you have very little to worry about.
If you detect anything NEW with respect to Conficker over the next 24 hours please let us know via our contact page. We'll sound the alarm should something bad happen. Otherwise, back to work and Happy April Fool's Day!!
Marcus H. Sachs
Director, SANS Internet Storm Center