
The Worm That Ate the Web
The latest version of Conficker isn't the first bot to plague the Internet, but it may be the smartest and most sophisticated. And it starts phoning home Wednesday.
Posted Monday, March 30, 2009, at 5:20 PM ET
Last week, I pulled out my Internet cable, unplugged my USB drives, and searched my Windows machine for Conficker, the astounding computer worm that threatens to wreak global havoc once its latest version begins to phone home for further instructions on April 1. Well, maybe: While security researchers warn that the worm's creators may be planning on conducting fraud or even "information warfare" aimed at disrupting the Internet, nobody knows what terrible deed Conficker will ultimately pull off. What we do know is that Conficker is devilishly smart, terrifically contagious, and evolving. Each time experts discover a way to constrain its spread, its creators release new, more sophisticated versions that can push even further. The latest version, Conficker C, hit the Internet early in March. Estimates aren't precise, but researchers say the worm—in all its variants—has so far infected more than 10 million machines around the world.
Conficker gets into Windows through a security hole that Microsoft fixed last fall. As a result, the worm tends to run rampant on networks where IT guys have been slow to patch people's machines (like at the British Parliament, for instance, which reported a Conficker infection last week). Countries with lots of pirated versions of Windows are also vulnerable, with China, Brazil, Russia, and India among the most Confickered nations. On the other hand, I was lucky—my computer was worm-free. If your machine has been properly patched and protected, there's a good chance it's safe, too. (See Symantec's page on how to detect and remove it.)
But having a safe machine doesn't mean you're safe. Conficker's true aim may be to bring chaos to the Internet, at which point you might feel its wrath even if your computer is OK. When Conficker infects a host, it ensnares it into a botnet—a massive network of computers geared for unsavory ends. Botnets can spew out spam, mount denial-of-service attacks to bring down Web sites, or consume so much bandwidth that they drown out all other network traffic.
Much of the media coverage surrounding Conficker has centered on its go-live date, April Fool's Day. But that's something of a red herring; it's unlikely that anything will blow up on the first. The date is significant only to the latest version of Conficker, which is set to go to the Web and check a huge list of sites for files put out by the worm's creators that will instruct the botnet what to do next. But previous versions of Conficker, which are much more common than the latest variant, have been looking for those files for months now. April Fool's Day will only become Conficker Day if its creators choose that day to upload the worm's new instructions.
It's the update files that will determine Conficker's next course of action. At the moment, that's a complete mystery. Even if Conficker amounts to nothing, though, its rise suggests a key vulnerability in the infrastructure of the Internet. By harnessing millions of computers that can be turned to any possible caper, a band of hackers has created a truly dastardly weapon. The big question now is what they'll do with it.
Conficker is far from the Internet's first serious malware attack. But it is perhaps the most well-thought-out and technically cunning ever to hit it big. The word worm conjures up something ugly, inelegant, even dumb. Conficker is anything but—it's the Bugatti of worms, every element exquisitely crafted to advance a single goal: in this case, total control of your machine. To read the security reports documenting Conficker's technical details is to be at once astonished and impressed by its Professor Moriarty-type planning. The C variant, for instance, includes a subroutine that claws back at any efforts to remove it. It disables Windows services that patch your machine, prevents your computer from loading up into "safe mode" (a key way to fight nasty malware), and continually scans for and shuts down any security programs that might pose a threat—including the most commonly used Conficker-removal programs. (I'm still confident my machine's free of Conficker because my anti-virus program was able to complete its search; if you notice your program shut down almost immediately after it starts, you may have a problem.)
Conficker's most sophisticated routine is what researchers call its "rendezvous" mechanism, the way it reaches back to its creators for further instructions. Every few hours, the worm generates a list of hundreds of new Web domain names; the domain names are nonsensical strings of characters seeded by the current date and time, meaning that they're constantly shifting but can be reproduced by the worm's controllers. In theory, this is how Conficker's authors will tell it what to do next. They'll register one of the domain names, put up a program for Conficker to run, and, boom—millions of machines around the world will be acting in sync.
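The property the paragraph above describes, that the domain list is seeded by the date and so can be reproduced by anyone who knows the algorithm, cuts both ways: it is also what lets defenders enumerate the names ahead of time and watch for them. The following is an added illustration, not code from the article or from Conficker itself. It uses a toy date-seeded generator (an assumed fixed seed, a three-entry TLD list, and five names per day, none of which are Conficker's real parameters), precomputes a multi-day blocklist the way a registrar or sinkhole operator would, and then matches it against a few constructed DNS-log lines to flag hosts that are looking for rendezvous domains.

```python
import hashlib
import re
from datetime import date, timedelta

# Assumed parameters for the toy generator; Conficker's real seed, TLD list
# and daily count are not reproduced here.
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 5
TOY_SEED = b"toy-dga-seed"  # assumed shared secret between the worm and its controllers


def generate_domains(day: date, count: int = DOMAINS_PER_DAY, seed: bytes = TOY_SEED) -> list[str]:
    """Toy DGA: deterministic pseudo-random domains derived from the calendar date.

    Because the output depends only on (seed, date, index), the worm, its
    controllers and a defender who has reverse-engineered the algorithm all
    compute exactly the same list for any given day.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # Map eight digest bytes onto lowercase letters for the label,
        # and one more byte onto the TLD choice.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        tld = TLDS[digest[8] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start: date, days: int) -> set[str]:
    """Defender side: enumerate every name the toy DGA will produce over a window,
    so the names can be sinkholed or blocklisted before the controllers register them."""
    names: set[str] = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset)))
    return names


# Constructed log format: "<timestamp> <client-ip> <queried-name>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def flag_dga_lookups(log_lines, blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for every DNS query whose name is in the precomputed list.

    Names are lower-cased and stripped of a trailing dot so that case or FQDN
    formatting differences in the resolver log do not hide a match.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        qname = m.group("qname").lower().rstrip(".")
        if qname in blocklist:
            hits.append((m.group("client"), qname))
    return hits


DAY = date(2009, 4, 1)
TODAY_DOMAINS = generate_domains(DAY)

# Constructed sample log: two hosts query generated names, two query ordinary
# names, and one line is malformed on purpose.
CONSTRUCTED_DNS_LOG = [
    f"2009-04-01T00:03:11Z 10.0.0.12 {TODAY_DOMAINS[0]}",
    "2009-04-01T00:03:12Z 10.0.0.12 www.example.com",
    f"2009-04-01T00:04:40Z 10.0.0.77 {TODAY_DOMAINS[3].upper()}.",
    "2009-04-01T00:05:01Z 10.0.0.90 mail.example.org",
    "garbage line without three fields",
]

if __name__ == "__main__":
    blocklist = precompute_blocklist(DAY, 3)
    for client, qname in flag_dga_lookups(CONSTRUCTED_DNS_LOG, blocklist):
        print(f"{client} queried generated domain {qname}")
```

The precomputation step is the practical point: once the algorithm is known, the set of names for any future date is fixed, so a defender can register or sinkhole them first and treat any lookup of them on an internal resolver as a strong indicator of an infected host.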