The Worm That Ate the Web

The latest version of Conficker isn’t the first bot to plague the Internet, but it may be the smartest and most sophisticated. And it starts phoning home Wednesday.

Last week, I pulled out my Internet cable, unplugged my USB drives, and searched my Windows machine for Conficker, the astounding computer worm that threatens to wreak global havoc once its latest version begins to phone home for further instructions on April 1. Well, maybe: While security researchers warn that the worm’s creators may be planning on conducting fraud or even “information warfare” aimed at disrupting the Internet, nobody knows what terrible deed Conficker will ultimately pull off. What we do know is that Conficker is devilishly smart, terrifically contagious, and evolving. Each time experts discover a way to constrain its spread, its creators release new, more sophisticated versions that can push even further. The latest version, Conficker C, hit the Internet early in March. Estimates aren’t precise, but researchers say the worm—in all its variants—has so far infected more than 10 million machines around the world.

Conficker gets into Windows through a security hole that Microsoft fixed last fall. As a result, the worm tends to run rampant on networks where IT guys have been slow to patch people’s machines (like at the British Parliament, for instance, which reported a Conficker infection last week). Countries with lots of pirated versions of Windows are also vulnerable, with China, Brazil, Russia, and India among the most Confickered nations. On the other hand, I was lucky—my computer was worm-free. If your machine has been properly patched and protected, there’s a good chance it’s safe, too. (See Symantec’s page on how to detect and remove it.)

But having a safe machine doesn’t mean you’re safe. Conficker’s true aim may be to bring chaos to the Internet, at which point you might feel its wrath even if your computer is OK. When Conficker infects a host, it ensnares it into a botnet—a massive network of computers geared for unsavory ends. Botnets can spew out spam, mount denial-of-service attacks to bring down Web sites, or consume so much bandwidth that they drown out all other network traffic.

Much of the media coverage surrounding Conficker has centered on its go-live date, April Fool’s Day. But that’s something of a red herring; it’s unlikely that anything will blow up on the first. The date is significant only to the latest version of Conficker, which is set to go to the Web and check a huge list of sites for files put out by the worm’s creators that will instruct the botnet what to do next. But previous versions of Conficker, which are much more common than the latest variant, have been looking for those files for months now. April Fool’s Day will only become Conficker Day if its creators chose that day to upload the worm’s new instructions.

It’s the update files that will determine Conficker’s next course of action. At the moment, that’s a complete mystery. Even if Conficker amounts to nothing, though, its rise suggests a key vulnerability in the infrastructure of the Internet. By harnessing millions of computers that can be turned to any possible caper, a band of hackers has created a truly dastardly weapon. The big question now is what they’ll do with it.

Conficker is far from the Internet’s first serious malware attack. But it is perhaps the most well-thought-out and technically cunning ever to hit it big. The word worm conjures up something ugly, inelegant, even dumb. Conficker is anything but—it’s the Bugatti of worms, every element exquisitely crafted to advance a single goal: in this case, total control of your machine. To read the security reports documenting Conficker’s technical details is to be at once astonished and impressed by its professor Moriarty-type planning. The C variant, for instance, includes a subroutine that claws back at any efforts to remove it. It disables Windows services that patch your machine, prevents your computer from loading up into “safe mode” (a key way to fight nasty malware), and continually scans for and shuts down any security programs that might pose a threat—including the most commonly used Conficker-removal programs. (I’m still confident my machine’s free of Conficker because my anti-virus program was able to complete its search; if you notice your program shut down almost immediately after it starts, you may have a problem.)

Conficker’s most sophisticated routine is what researchers call its “rendezvous” mechanism, the way it reaches back to its creators for further instructions. Every few hours, the worm generates a list of hundreds of new Web domain names; the domain names are nonsensical strings of characters seeded by the current date and time, meaning that they’re constantly shifting but can be reproduced by the worm’s controllers. In theory, this is how Conficker’s authors will tell it what to do next. They’ll register one of the domain names, put up a program for Conficker to run, and, boom—millions of machines around the world will be acting in sync.

But you might spot a couple of obvious flaws in this rendezvous mechanism. First, if Conficker is calling up domain names, can’t anyone—especially other bad guys—monitor which sites it’s connecting to and then upload their own software for Conficker’s infected machines to run? Conficker’s authors worried about that, too, and cooked up a brilliant counter-mechanism. The worm uses one of the world’s most advanced cryptographic algorithms to check all files it downloads from one of those domains; if it doesn’t find a digital fingerprint from its authors, Conficker won’t run the program.

The second flaw: Can’t the Internet’s authorities just make sure that no one registers the domain names that Conficker is checking, thereby preventing anyone from sending the worm its marching orders? Indeed, they can. In February, the worldwide team of computer security groups who’ve been fighting Conficker—the self-dubbed Conficker Cabal—announced that they’d worked out a way to determine the pre-generated list of domains that Conficker would connect to. Eventually the cabal got registrars around the world to prevent people from registering those sites.

But that’s when researchers spotted the newest Conficker variant, which includes a much-improved updating plan. Instead of generating a list of hundreds of domains, Conficker C creates a new list of 50,000 Web sites to contact every day. Although the Conficker Cabal is trying to prevent registrations on all these domains, registrars around the world will have a much more difficult time monitoring this huge, shifting number of sites. But that’s not all: The latest version of Conficker has a completely new way to coordinate the botnet’s operations. Rather than contacting domain names, infected machines can band together in a massive peer-to-peer network. This way, each machine can efficiently pass files to its peers in something like the way your high-school orchestra used a phone tree to pass along next week’s rehearsal change (or, to get more technical, in the same way people trade movies online via BitTorrent). We’ve seen peer-to-peer botnets before; in 2007, one of them, the Storm Worm, brought down several anti-spam Web sites. A peer-to-peer-enabled botnet as sophisticated as Conficker would be very difficult to thwart; if it worked well enough, it could well be impossible to shut down.

Who created Conficker? Like much else about the worm, it’s completely unknown. Initial speculation settled on Eastern Europeans. The first version of Conficker included code designed to keep Ukraine free of the worm. (If it detected a Ukrainian keyboard, it shut down.) But successive versions have been free of that code. On Sunday, BKIS, a Vietnamese computer security firm, announced that it had found clues in the worm suggesting it was created in China. In February, Microsoft put up a $250,000 reward for any information leading to the arrest and conviction of people responsible for creating Conficker.

But whoever they are, they sure are dangerous. “We must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker,” wrote security experts at the research group SRI International in a report last week. The researchers added: “Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”

But Conficker is also important for what it portends about the inherent difficulties of living in a networked age. Worms feed on bugs—holes in the ever-more-complex operating systems and Web browsers where we live most of our online lives. And because we’re never going to get rid of these bugs, bad guys will always be able to find a way in. It’s just that now, with the entire Internet as their playground—and with the power to harness all their infected machines into a thinking network—they can cause tremendous harm. Conficker could fizzle. But you can bet that someday, something very much like it will cause a lot of pain.