
Risk

3/27/2009 03:48 PM
Keith Ferrell
Commentary

Conficker April Fool's Attack: Hype From Hell Or Real Hellfire?

The latest buzz about Conficker, the worm that's burrowed into millions of computers worldwide, is that next Wednesday, April 1, may be it: the day the worm turns and wreaks havoc beyond belief. Emphasis on may be, as in: Maybe. Possibly. Perhaps.

The monthly "here comes Conficker (aka Downadup) to unleash destruction and chaos on a given date" is upon us again, and this time the chosen date is April Fool's Day.

That's when the next version of the largest worm in years is due to break, randomly generating tens of thousands of URLs in search of a pathway it can use to communicate instructions to its multimillion-strong zombie network of infected PCs.

Question is: What instructions?

It's a question that's been hanging over us for a while now: Conficker's greatest accomplishment so far has been its prolific spread: the thing spread fast, starting last October, thanks to a Windows vulnerability left unpatched by too many (one was too many).

Conficker may have infected as many as 12 million PCs around the globe, each a potential zombie soldier when the worm gets its marching orders. (Estimates are that, as a result of disinfection, 1 to 2 million remain infected.)

Question is: What orders?

No one knows yet. So far, Conficker has evolved three times (currently it's Conficker C that's getting the most attention) and become a little more capable each time, able to generate thousands of URLs rather than a handful, and more and more protective of itself against defensive measures.

Could be that's what we'll get next week: a better, stronger, scarier Conficker, but one still poised to launch an attack, not actively coordinating one. Maybe the biggest disruption will be the traffic the thing generates as it seeks to phone itself home. That's the hope. (And, frankly, the likelihood: lots of traffic doing not much of anything.)
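The phone-home behaviour described above, thousands of lookups for random-looking domains, most of which fail, is something a defender can watch for on the DNS resolver. The following Python is an added example, not code from the article or from any Conficker analysis; the log format, the entropy and vowel thresholds, and the sample lines are all constructed assumptions.

```python
"""Flag hosts whose failed DNS lookups look like a domain-generation burst.
Heuristic (an assumption, not from the article): many unique NXDOMAIN answers
for high-entropy, vowel-poor labels from one host inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample resolver log: "<ISO timestamp> <client ip> <qname> <rcode>"
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 qx7hgt.com NXDOMAIN
2009-04-01T00:00:02 10.0.0.5 rtpmzaqv.net NXDOMAIN
2009-04-01T00:00:02 10.0.0.5 bvlkqe.org NXDOMAIN
2009-04-01T00:00:03 10.0.0.5 hnyxpwld.info NXDOMAIN
2009-04-01T00:00:04 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:05 10.0.0.5 kmzqot.biz NXDOMAIN
2009-04-01T00:00:09 10.0.0.7 mail.example.com NOERROR
2009-04-01T00:00:10 10.0.0.7 update.example.org NOERROR
2009-04-01T00:00:11 10.0.0.7 cdn.example.net NXDOMAIN
"""

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(qname: str, min_entropy: float = 2.4) -> bool:
    """Generated names tend to have a long, high-entropy, vowel-poor second-level label."""
    label = qname.split(".")[-2] if "." in qname else qname
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 6 and label_entropy(label) >= min_entropy and vowels / len(label) < 0.3

def find_dga_bursts(log_text: str, window: timedelta = timedelta(seconds=60),
                    threshold: int = 4) -> dict:
    """Return {client_ip: count} for hosts with at least `threshold` unique,
    generated-looking NXDOMAIN lookups inside any sliding `window`."""
    events = defaultdict(list)  # ip -> [(timestamp, qname)] of suspicious failures
    for line in log_text.splitlines():
        ts, ip, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            events[ip].append((datetime.fromisoformat(ts), qname))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            names = {q for t, q in evs[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(names))
    return flagged
```

Tune the thresholds against your own resolver's baseline; legitimate CDN and tracking hostnames can also score high on entropy, so a per-host burst count matters more than any single name.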

The fear -- and the hype -- is that this next version will be the one that moves from being a potential threat to being an active attack vector, the low-level fever that turns into a deadly disease.

While the tabloid shouts of impending Conficker Armageddon are probably (maybe) more April Foolish than anything else, the worm, when and if it turns, could be devastating (possibly, maybe, perhaps).

Which raises some questions.

"What if your network had only a week to live?" Forrester's John Kindervag asked.

Probably -- maybe, perhaps -- that's a question that we won't have to answer next week.

My own suspicion -- and I hope I'm right -- is that the Conficker variants are a test-bed for a really ambitious hacker (or group of them) able and eager to test a proposition in the wild, altering the code and the worm's strategies both to respond to and to mimic the pace at which the security industry strikes back at Conficker.

Which is the really scary part of all of this, the monthly hype and the potential chaos alike.

Whether or not April's Conficker update lashes out or remains lashed down, its creator(s) is engaged in a very serious course of study, learning fast and putting those lessons into practice just as fast.

And sooner or later Conficker's creator(s) (or those of the next big worm, or the one after that) will feel confident that enough has been learned, and decide that it's time to put those lessons to work.

Against us.
