
Risk | Commentary
3/27/2009 03:48 PM
Keith Ferrell

Conficker April Fool's Attack: Hype From Hell Or Real Hellfire?

The latest buzz about Conficker, the worm that's burrowed into millions of computers worldwide is that next Wednesday, April 1, may be it, the day the worm turns and wreaks havoc beyond belief. Emphasis on may be, as in: Maybe. Possibly. Perhaps.

The monthly "here comes Conficker (aka Downadup) to unleash destruction and chaos on a given date" alarm is upon us again, and this time the chosen date is April Fool's Day.

That's when the next version of the largest worm in years is due to break, randomly generating tens of thousands of URLs in search of a pathway it can use to communicate instructions to its multi-million strong zombie network of infected PCs.

Question is: What instructions?

It's a question that's been hanging over us for a while now: Conficker's greatest accomplishment so far has been its reach: the thing spread fast, starting last October, thanks to a Windows vulnerability left unpatched by too many (one was too many).

Conficker may have infected as many as 12 million PCs around the globe, each a potential zombie soldier when the worm gets its marching orders. (Estimates are that, as a result of disinfection, 1 to 2 million remain infected.)

Question is: What orders?

No one knows yet. So far, Conficker has evolved three times (currently it's Conficker C that's getting the most attention) and become a little more capable each time, able to generate thousands of URLs rather than a handful, and more and more protective of itself against defensive measures.

Could be that's what we'll get next week: a better, stronger, scarier Conficker, but one still poised to launch an attack, not actively coordinating one. Maybe the biggest disruption will be the traffic the thing generates as it seeks to phone itself home. That's the hope. (And, frankly, the likelihood: lots of traffic doing not much of anything.)

The fear -- and the hype -- is that this next version will be the one that moves from being a potential threat to being an active attack vector, the low-level fever that turns into a deadly disease.

While the tabloid shouts of impending Conficker Armageddon are probably (maybe) more April Foolish than anything else, the worm, when and if it turns, could be devastating (possibly, maybe, perhaps).

Which raises some questions.

"What if your network had only a week to live?" Forrester's John Kindervag asked.

Probably -- maybe, perhaps -- that's a question that we won't have to answer next week.

My own suspicion -- and I hope I'm right -- is that the Conficker variants are a test-bed for a really ambitious hacker (or group of them) able and eager to test a proposition in the wild, altering the code and the worm's strategies both to respond to and to mimic the pace at which the security industry strikes back at Conficker.

Which is the really scary part of all of this, the monthly hype and the potential chaos alike.

Whether or not April's Conficker update lashes out or remains lashed down, its creator(s) is engaged in a very serious course of study, learning fast and putting those lessons into practice just as fast.

And sooner or later Conficker's creators (or the next big worm's, or the one after that's) will feel confident that enough has been learned, and decide that it's time to put those lessons to work.

Against us.
