Conficker April Fool's Attack: Hype From Hell Or Real Hellfire?

The latest buzz about Conficker, the worm that's burrowed into millions of computers worldwide, is that next Wednesday, April 1, may be it, the day the worm turns and wreaks havoc beyond belief. Emphasis on may be, as in: Maybe. Possibly. Perhaps.

Keith Ferrell, Contributor

March 27, 2009


The monthly "here comes Conficker (aka Downadup) to unleash destruction and chaos on a given date" is upon us again, and this time the chosen date is April Fool's Day.

That's when the next version of the largest worm in years is due to break, randomly generating tens of thousands of URLs in search of a pathway it can use to communicate instructions to its multi-million strong zombie network of infected PCs.

Question is: What instructions?

It's a question that's been hanging over us for a while now: Conficker's greatest accomplishment so far has been its profligacy: the thing spread fast, starting last October, thanks to a Windows vulnerability left unpatched by too many (one was too many).

Conficker may have infected as many as 12 million PCs around the globe, each a potential zombie soldier when the worm gets its marching orders. (Estimates are that, as a result of disinfection, 1 to 2 million remain infected.)

Question is: What orders?

No one knows yet. So far, Conficker has evolved three times (currently it's Conficker c that's getting the most attention) and become a little more capable each time, able to generate thousands of URLs rather than a handful, more and more protective of itself against defensive measures.

Could be that's what we'll get next week: a better, stronger, scarier Conficker, but one still poised to launch an attack, not actively coordinating one. Maybe the biggest disruption will be the traffic the thing generates as it seeks to phone itself home. That's the hope. (And, frankly, the likelihood: lots of traffic doing not much of anything.)

The fear -- and the hype -- is that this next version will be the one that moves from being a potential threat to being an active attack vector, the low-level fever that turns into a deadly disease.

While the tabloid shouts of impending Conficker Armageddon are probably (maybe) more April Foolish than anything else, the worm, when and if it turns, could be devastating (possibly, maybe, perhaps).

Which raises some questions.

"What if your network had only a week to live?" Forrester's John Kindervag asked.

Probably -- maybe, perhaps -- that's a question that we won't have to answer next week.

My own suspicion -- and I hope I'm right -- is that the Conficker variants are a test-bed for a really ambitious hacker (or group of them) able and eager to test a proposition in the wild, altering the code and the worm's strategies both to respond to and to mimic the pace at which the security industry strikes back at Conficker.

Which is the really scary part of all of this, the monthly hype and the potential chaos alike.

Whether or not April's Conficker update lashes out or remains lashed down, its creator(s) is engaged in a very serious course of study, learning fast and putting those lessons into practice just as fast.

And sooner or later Conficker's creator(s) (or those of the next big worm, or the one after that) will feel confident that enough has been learned, and decide that it's time to put those lessons to work.

Against us.
