The Conficker worm has been a hot topic for months as white hats and black hats have struggled to one-up each other. When security teams broke the randomization cipher Conficker uses and were able to predict which websites the program would target and when, Conficker.B retaliated. That version of the malware used a new encryption cipher to hide its target list (this was broken as well), and was capable of spreading from infected to non-infected systems over office networks, shared folders, or even USB keys.
Now we’ve come to round C, an event the security industry has been preparing to fight for at least a month. The behavior of previous Conficker versions has been analyzed in order to prepare a defense against Conficker.C, in the hopes of stopping the worm once and for all. As of this writing—near the end of April 1, Conficker.C’s supposed launch date—have researchers succeeded in slamming down a bulkhead to contain the worm?
Based on what we’ve seen today, the answer is a very cautious “maybe.” Conficker is awake and has been seen “in the wild” as various infected systems reached out to the control servers for data. New scanning technologies developed by Dan Kaminsky at Dox Para in cooperation with Felix Leder and Tillmann Werner have made it possible to detect a Conficker-infected system based on how it responds to certain queries.