The worm first appeared in late November, exploiting a vulnerability in Microsoft Relevant Products/Services Windows to spread unhindered on local area networks. Its goal is to install rogue software on infected computers. Microsoft issued a patch for the vulnerability, but users that haven't installed it are open for infection as the worm spreads through portable USB flash drives.
As the speculation grows around Conficker, also known as the Downadup worm, Symantec and its Conficker Working Group partners continue researching the possibilities of the April 1 fallout from a worm that wreaked havoc on millions of computers earlier this year. So far, Symantec has determined three facts that it is sharing.
Symantec Sets the Record Straight
First, Symantec has determined that on April 1, W32.Downadup.C, the most recent variant of the malware also known as Conficker, will begin to use a new algorithm to determine what domains to contact. No other actions have been identified to take place on April 1.
Second, Symantec said it's possible that systems infected with W32.Downadup.C will be updated with a newer version of the malware on April 1 by contacting domains on the new domain list. However, the security company noted, these systems could be updated on any date before or after April 1, as well by using the peer-to-peer updating method found in W32.Downadup.C.
Third, Symantec said, the public should not be alarmed. However, as always, computer users should exercise caution and implement security best practices into their daily computing routines.
The worm certainly is an issue of concern, but the probability of a major Downadup-related cyber event on April 1 is not likely, according to Vincent Weafer, vice president of Symantec Security Response.
"In reality, the author or authors of Downadup probably didn't intend for this malware to get as much attention as it has. Most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful," Weafer said. "As such, this makes the odds that a major event will take place on April 1 even less likely, since there is so much attention being paid to that day."
What Should We Expect?
McAfee said we don't know the intent of the authors of the Conficker worm, but one thing is certain: They have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant.
"In order to resist the Conficker cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000," said Vinoo Thomas, a security researcher at McAfee. "The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute."
Security firms advise home users to make sure their security software is up to date with the latest antivirus Relevant Products/Services signatures and to enable their systems' automatic security updates. On the enterprise Relevant Products/Services front, Symantec recommends that companies continue to deploy all critical security patches, ensure their security software is up to date, clean any systems that are infected with any version of Downadup using the available removal tools and guidance provided, and evaluate additional security best practices in accordance with their organizations' policies and procedures.