The Conficker worm variant expected to mobilise on 1 April activated as expected, but did not upload any new malware, according to security companies.
The worm, also known as Downadup, has infected between one million and 15 million machines, according to some estimates. The worm shuts down security services, blocks computers from connecting to security websites and downloads a Trojan.
The Conficker C variant was programmed to connect infected machines to 50,000 domains on Wednesday. The worm was then expected to deliver a malware update to the computers. However, the anticipated threat has failed to materialise.
F-Secure security specialist Patrik Runald wrote on the F-Secure blog that while some infected machines had attempted to contact domains specified by the worm, no update had been sent.
"So what's going on? So far — nothing," Runald wrote on Wednesday. "Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys)."
Paul Ferguson, an advanced threats researcher at Trend Micro, told ZDNet UK's sister site, CNET News.com on Wednesday that the security company had seen some effect in Asia. "We've seen activity in honeypot machines in Asia... They're generating the 50,000 list of (potential) domains to contact," said Ferguson.
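The beaconing behaviour Runald and Ferguson describe (each infected host generating a daily list of 50,000 candidate domains and trying to contact 500 of them) leaves a network-side trace that defenders can look for: nearly all of those lookups fail, so a single client producing hundreds of distinct NXDOMAIN answers within a short window stands out in resolver logs. The following script is an added example, not code from the article or from any of the companies quoted; the log format, the client addresses, the one-hour window and the threshold of 50 distinct failed names are constructed assumptions.

```python
import random
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log(seed=1):
    """Constructed resolver log (not real traffic): '<ISO time> <client> <name> <rcode>'.
    10.0.0.7 imitates the worm (60 distinct nonsense domains in 30 minutes, all
    NXDOMAIN); 10.0.0.5 is benign traffic plus one repeated typo."""
    rng = random.Random(seed)
    t0 = datetime(2009, 4, 1, 0, 0, 0)
    names = set()
    while len(names) < 60:
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 10)))
        names.add(label + rng.choice([".com", ".net", ".org", ".info", ".biz"]))
    lines = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 10.0.0.7 {n} NXDOMAIN"
             for i, n in enumerate(sorted(names))]
    lines += [f"{(t0 + timedelta(seconds=45 * i)).isoformat()} 10.0.0.5 www.example.net NOERROR"
              for i in range(40)]
    lines += [f"{(t0 + timedelta(minutes=10 * i)).isoformat()} 10.0.0.5 wwww.exmaple.net NXDOMAIN"
              for i in range(3)]
    return sorted(lines)  # ISO timestamps sort correctly as strings


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def flag_dga_hosts(lines, window=timedelta(hours=1), threshold=50):
    """Return {client: peak count of distinct NXDOMAIN names inside any sliding window}
    for clients reaching the threshold; lines must be time-ordered."""
    recent = defaultdict(deque)    # client -> (timestamp, name) still inside the window
    counts = defaultdict(Counter)  # client -> name -> occurrences inside the window
    peak = Counter()               # distinct names, so one dead name retried does not count
    for line in lines:
        ts, client, name, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue
        q, c = recent[client], counts[client]
        while q and ts - q[0][0] > window:  # expire entries older than the window
            _, old = q.popleft()
            c[old] -= 1
            if not c[old]:
                del c[old]
        q.append((ts, name))
        c[name] += 1
        peak[client] = max(peak[client], len(c))
    return {client: n for client, n in peak.items() if n >= threshold}
```

On the constructed log only 10.0.0.7 is reported; in production the threshold needs tuning against the site's normal NXDOMAIN rate, and a flagged host is a lead for the scanning and patching steps mentioned later on this page, not a verdict.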
Researcher Holly Stewart, writing on the IBM ISS Frequency X blog, said the 1 April date seemed to have been a joke on the security companies.
"April Fool's does certainly seem to have been a joke on us," wrote Stewart. "We knew it might happen... but we had to be on alert anyway. Hey, that's why we're here, right? I guess the point is that even though nothing happened today, I think, at least, that something is going to happen eventually."
Stewart warned of the potential for the infected machines to be made into a network of compromised machines, or botnet, as a money-making venture. Botnets can be used for purposes such as sending spam, and performing denial-of-service and brute-force attacks.
"It's obvious that the development of Conficker has cost someone a lot of money," wrote Stewart. "The advanced technology and sophisticated obfuscation that we've witnessed is fairly unprecedented. It would really, really surprise me if no one decides to cash in on that hefty investment."
Talkback
One of the greatest risks to security is complacency. I don't believe the writers of this worm are complacent, but there are a lot of 'experts' that now show signs of exactly that fault.
I am not at all surprised that it seems to have done nothing much. I would in fact have been more surprised if it had. What I would expect now would be a number of such false alarms, intermixed with a few oh-so-trivial changes.
Whatever purpose the writers have, there is no doubt in my mind that it has been planned in great detail, and its eventual operation will come as a complete and unpleasant surprise.
Conficker is an aggressively spreading computer worm that has been laying down a powerful botnet infrastructure that can then be managed by malicious controllers.
The initial appearance of Conficker utilised a fairly sophisticated polymorphic approach that exploited a buffer overflow vulnerability to remotely distribute the malware code throughout IT networks. Later variants of the Conficker malware leveraged USB devices to propagate the malware code onto new endpoint systems. This combination of high-tech and low-tech approaches proved highly effective by evading traditional signature-based perimeter defences.
The fact that we have not yet seen it activate maliciously on 1 April does not mean it will not do that in the future.
Be pro-active and take action now: it is possible to use a scanning capability to find out where Conficker has become installed.
Lumension added additional scanning detection, patching and remediation and malware removal support capabilities to its Vulnerability Management Solution, to equip enterprises against this growing malware threat. The goal is to help organisations automatically identify the multiple variants of the Conficker worm. The enhanced Conficker capabilities can be used to support the automatic identification and removal of Conficker from infected machines and then apply the necessary patches (MS08-067) to mitigate this threat.