STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

March 26, 2009

Conficker C April Fools Day Scare

Vulnerability Identifiers: MS08-067; all platforms (Windows)

There are many news reports circulating on the Internet about a new variant of the Conficker or Downadup family of malware. The Conficker worms are sophisticated: they use encryption to hide their code from analysis, and they are able to upgrade themselves. Conficker C uses the brand-new MD6 hashing algorithm released by MIT in October 2008, the same month the original Conficker was released, and Conficker C was able to patch itself when an update to MD6 was released.

It appears that the latest variant, Conficker C, will increase from polling 250 different domain names every day for instructions to polling 50,000 domains per day on April 1st, 2009. Conficker C also has a peer-to-peer function that will allow it to spread from one host to another even if it cannot reach any of the 250 original or the 50,000 new controllers. Of the 3 variants of Conficker, Conficker C has the smallest penetration, but other versions could upgrade themselves to Conficker C. It is not known at this time what the Conficker botnet will do on April 1st, or whether it will do anything at all.

In October 2008 Microsoft released a critical security patch for the vulnerability (MS08-067) that the Conficker worms take advantage of, so if your system is patched and your anti-virus definitions are current you should be fine. If you believe your system might be infected with any of the Conficker or Downadup family of worms, here are instructions from Sophos on how to remove it from your system.

Additional resources:

Good Tech Republic blog entry about Conficker family
SRI International Analysis of Conficker C
F-Secure Questions and Answers about Conficker
Wikipedia entry on Conficker
MS08-067 patch

---
Paul Keser
Information Security Office
Stanford University
650.723.2911
Last modified Tuesday, 31-Mar-2009 07:32:14 AM
