Conficker April Fool's Joke Or Real Threat?

There has been much debate over what the latest version of the Conficker worm might do come April 1st. Several security researchers have warned that he latest variant labeled Conficker.C, is programmed to do something on April 1. But what exactly will happen no one seems to know.

One thing they do know for sure is that the two original variants "Conficker.A" and especially "Conficker.B" (also known as Downadup) have built a botnet that has reached estimates of over 10 million PCs. Such a widespread botnet has the potential of wreaking havoc, however up till now Conficker has done little more than spread around to un-protected PCs. Leaving room for much speculation and a ton of hype.

While some security experts such as Eset are warning users that they should take precautions and back up in advance of April 1 others like Joe Stewart, a security researcher at believe there is really not much more to worry about. Stating "there will be no April 1st outbreak." Clean PCs won't suddenly melt down from a new Conficker infection. All that will happen, Stewart writes, is that the worm will begin to use a new trick that gives it a better chance of getting around existing defenses that attempt to prevent it from updating.

The truth is, there will be no April 1st outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it?

Th is isn't really a new trick for Conficker. Variant C added the ability to circumvent some of the previous work arounds used to block its access to update sites. Stewart and several other researchers believe there is no reason to worry about the overly hyped April 1st date line for Conficker.C.
And here’s why:

1. Conficker.C is already able to receive updates via its P2P protocol today, so focusing on the April 1st date is misguided.
2. Don’t underestimate the reach of the Conficker Working Group. These are the security industry’s heavy-hitters, and you can be sure they are working diligently to mitigate the domain issue.
3. Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly.
4. If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.

I share Stewart's personal opinion that the April 1st activation of the new algorithm may simply be a distraction, a kind of practical joke on the part of the worm author(s). Conficker may not be something to laugh about, but it’s also not quite as serious as one might believe from reading about it in many of the articles written so far.

For those of you that are truly worried about it then the best bet is having a good offense. You need to make sure both your operating system and your security are updated. The worm originally was spread through exploitation of the MS08-067 vulnerability in Windows. You need to make sure you have installed the latest patch.

If you believe you might be infected then try one of these tools.

• Microsoft Malicious Software Removal Tool: http://mscom-dlcecn.vo.llnwd.net/download/4/A/A/4AA524C6- 239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe
• Symantec Conficker W32.Downadup - Removal Tool
  
• F-Secure removal utility ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
• McAfee's removal tool http://67.97.80.71/vil/conficker_stinger/Stinger_Coficker.exe
• For AVG users AVG has created a post on how to clean an infected PC
• Sophos' Conficker removal tool
• ESet EConfickerRemover

McAfee just released this Stinger build today, and says it will update it on a daily basis to include new Conficker variants.

On a further related note Symantec researcher John Parks today warned users that searching for Conficker might actually led to infectious sites. By using Google and simply searching for "Conficker C," Parks found result that included a link to an infected site being used to spread a fake antivirus program. Following the malicious link eventually lead to a rogue application installation website which tried to install a maliciuos piece of software.