Wednesday, April 01, 2009

As Expected Conficker Doesn't Live Up To The Hype

April 1st is upon us and, as predicted last week, the largely over-hyped and exaggerated threat from the Conficker.C worm has failed to materialize. As midnight approached overseas and April Fools' Day hit, the worm has gone relatively unnoticed by anyone other than the media and the security researchers watching it.

"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post published shortly after 12 AM GMT. "So far nothing has actually happened."

So, when exactly is Conficker activating? So far, nothing. Infected computers are generating the list of 50,000 domains and trying to reach 500 of those, as described earlier, but so far no update has been made available. According to F-Secure it goes like this:

  • Conficker checks the local clock every 90 minutes (in some cases even more frequently)
  • The check is done with Windows GetLocalTime function
  • GetLocalTime gives the local time, based on the local time zone
  • Because of this, machines around the world are returning different times
  • Clock skew affects this as well
  • But not by much, as Windows machines will sync their local clock once a week
  • Once the local clock says it's April 1st, Conficker will collect a date from the net

Conficker's net time collection uses several large websites to get the date. When the local clock says it's April 1st, Conficker fetches the date values from those sites and uses them in an algorithm to generate 50,000 unique domain names.

The machines that are infected by Conficker.C and are turned on will change modes between 00:00 and 01:30 on April 1st, based on the machine's own clock. The ones that are turned off will change modes soon after they are booted up. However, as noted, there has been NO SIGN of the alleged update, and no sign of any further malicious activity.
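The behaviour described above gives defenders a concrete signal to look for: each infected host tries to reach 500 of the 50,000 generated names, and the vast majority of those names do not resolve. The script below is an added example, not code from the original post or from F-Secure, showing how to pick that pattern out of resolver logs. The log line format ("timestamp client qname rcode"), the 10-minute window, the threshold of 30 distinct NXDOMAIN names, and all sample traffic are constructed for the example.

```python
"""Flag hosts whose DNS queries look like a domain-generation burst.

Added example, not code from the original post or from F-Secure. The
defender-side signal is a client producing many distinct, never-resolving
names in a short window. The line format "<ISO timestamp> <client_ip>
<qname> <rcode>", the window, the threshold and the sample traffic are all
constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per client (assumed value)
NX_THRESHOLD = 30                # distinct NXDOMAIN names in a window (assumed value)


def parse_line(line):
    """Split one constructed-format log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def find_dga_suspects(lines, window=WINDOW, threshold=NX_THRESHOLD):
    """Return {client_ip: (window_start, distinct_nxdomain_count)} for each
    client that accumulates `threshold` distinct NXDOMAIN names inside `window`.

    Only the first crossing per client is recorded. Lines are sorted by
    timestamp first so out-of-order log shipping does not break the window.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # client -> deque of (ts, qname) NXDOMAIN events
    suspects = {}
    for ts, client, qname, rcode in events:
        if rcode != "NXDOMAIN":
            continue              # names that resolve are not part of the signal
        q = recent[client]
        q.append((ts, qname))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) >= threshold and client not in suspects:
            suspects[client] = (q[0][0], len(distinct))
    return suspects


def build_sample_log():
    """Constructed resolver log: two ordinary hosts plus one host that queries
    40 distinct pseudo-random names in about eight minutes."""
    base = datetime(2009, 4, 1, 0, 5, 0)
    lines = []
    for i in range(20):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t} 10.0.0.5 www.example.org NOERROR")
        lines.append(f"{t} 10.0.0.6 mail.example.net NOERROR")
        if i % 7 == 0:   # an ordinary typo now and then also yields NXDOMAIN
            lines.append(f"{t} 10.0.0.6 wwww.example.net NXDOMAIN")
    for i in range(40):
        t = (base + timedelta(seconds=12 * i)).isoformat()
        name = f"{(i * 7919) % 10007:04x}{i:02d}.info"   # constructed stand-in for generated labels
        rcode = "NOERROR" if i == 13 else "NXDOMAIN"    # one generated name happens to exist
        lines.append(f"{t} 10.0.0.9 {name} {rcode}")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_dga_suspects(build_sample_log().splitlines())
    for client, (start, count) in hits.items():
        print(f"{client}: {count} distinct NXDOMAIN names since {start.isoformat()}")
```

The benign host with the occasional typo never trips the check because its failed lookups repeat the same name; only the host cycling through distinct generated labels crosses the threshold. On real resolver logs the threshold and window need tuning against the site's normal NXDOMAIN rate.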

Several other sites are reporting similar information, with many security researchers sitting, watching and waiting, but with little to nothing to actually report.

"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."

The ironic part: despite the fact that we have seen little to nothing at all from the virus, and the fact that security researchers tried to downplay the threat, the media still clings to the hysteria with crazy headlines. Over the past few hours several headlines have popped up, including "Conficker worm set to infect computers worldwide today", "April Fools virus could mean big problem for millions" and "Conficker: World Preps for April Fools Attack".

No wonder I received a ton of email from friends asking me if they should be concerned. Even now I see two or three emails that have come in since I started writing this. People spot these crazy headlines and overreact!

IBM believes the US held only about 6% of the PCs allegedly infected by Conficker, with 45% of the Conficker.C-infected computers traced to Asian IP addresses, while another 31% were pegged to European addresses. If there was going to be anything of major concern, it would have hit those countries long before we had to worry about it.
