The Conficker worm is active again and is updating itself over its peer-to-peer (P2P) channel. Researchers and security experts are analyzing the code being dropped onto infected computers; we suspect it may be some type of logging program with the ability to steal or compromise data on an infected system. Many people were surprised by these developments because they assumed April 1st was the date on which Conficker would perform its malicious actions. In fact, on April Fool's Day Conficker only began looking for an update. Judging from today's activity, it is safe to say that we have yet to see the true damage Conficker.C can do.
Once activated, the new component attempts to connect to MySpace.com, CNN.com, MSN.com, AOL.com and eBay.com to confirm that the infected computer has an internet connection. It then deletes the traces of itself on the host machine. It is also programmed to stop running on May 3rd.
What does this mean?
It may mean that Conficker is receiving its commands in stages rather than all at once, so that the websites the infected computers contact see no noticeable disruption. The worm's code is heavily packed and obfuscated, and its update payloads are encrypted and digitally signed, which makes it very difficult to analyze the code and get a definite grasp on its next moves.
Not only is Conficker.C still a threat to the computers it has already infected, but there are already reports of a Conficker copycat worm called Neeris spreading over MSN instant messenger. Neeris dates back to 2005 but has been updated to exploit MS08-067, just like Conficker, and to write an autorun.inf file onto removable drives so that it can spread when the drive is plugged into another machine. Whether the authors of Neeris and the authors of Conficker are related has yet to be proven. Does this copycat have anything to do with Conficker's next moves? Probably not, but we will be monitoring Conficker's activity while analyzing any relationship between the two infections.
As for the hysteria over April 1st being the date on which Conficker.C turns the computer world upside-down: April 1st was simply the date hard-coded into Conficker.C on which it would begin generating and contacting its new, much larger set of rendezvous domain names to look for instructions. Any infected computer that reached a domain the authors controlled would receive a new update. This is how Conficker has built its botnet infrastructure: the worm generates thousands of candidate domain names every day, and the authors need only register a handful of them to stay in contact with the infected machines, so blocking or seizing individual domains does little to cut them off. The result is durable control over thousands, if not millions, of computers. At this point the longevity of Conficker, and of Conficker.C in particular, seems to matter more to its authors than a devastating attack carried out all at once.
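To make the rendezvous mechanism described above concrete, here is an added example of a date-seeded domain-generation algorithm (DGA) together with the defender-side precomputation it invites. This is illustrative code written for this page, not Conficker's algorithm and not code from the page's author: the SHA-256 construction, the seed constant, the label length and the TLD list are all assumptions. It shows why the authors need only a handful of registrations per day, and why a defender who has recovered the algorithm and seed from a sample can compute the same day's list in advance and sinkhole or block every candidate (Conficker.C is documented as generating tens of thousands of candidates per day and polling only a few hundred of them).

```python
"""Illustrative DGA and defender-side precomputation (added example, NOT Conficker's algorithm).

Assumptions: a SHA-256 based generator, a fixed seed supposedly recovered from a
sample, 8-letter labels and a five-entry TLD list. Real DGAs differ in detail,
but the property demonstrated is the same: bot and operator share only the
algorithm and the date, and still agree on the day's candidate domains.
"""
import hashlib
from datetime import date

TLDS = ("com", "net", "org", "info", "biz")  # assumption: illustrative TLD set
SEED = b"example-dga-seed"                    # assumption: constant "recovered" from the binary
LABEL_LEN = 8


def generate_domains(day_iso: str, count: int, seed: bytes = SEED) -> list[str]:
    """Return `count` candidate rendezvous domains for the day given as 'YYYY-MM-DD'.

    Each domain is derived from SHA-256 over (seed, date, index), so any party
    holding the seed computes the same list for the same day; the bot polls
    these names and the operator registers one or two of them.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def defender_blocklist(day_iso: str, count: int, seed: bytes = SEED) -> set[str]:
    """The defender's side: precompute the whole day's list to sinkhole or deny at the resolver.

    The asymmetry is the point: the operator needs one working name, the
    defender must cover all `count` of them, every day.
    """
    return set(generate_domains(day_iso, count, seed))


def matches_dga(domain: str, day_iso: str, count: int, seed: bytes = SEED) -> bool:
    """Detection: does an observed DNS query match one of the day's candidates?"""
    return domain.lower() in defender_blocklist(day_iso, count, seed)


if __name__ == "__main__":
    today = date.today().isoformat()
    candidates = generate_domains(today, 5)
    print("Today's first five candidates:", candidates)
    print("Observed query matches DGA:", matches_dga(candidates[2], today, 5))
```

In practice the daily count is large and the bot polls a random subset, which is why the defender's list has to be complete rather than sampled; the seed and the date format are the two things an analyst has to pull out of the binary before this precomputation is possible.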
Information about the Conficker Worm
Conficker first appeared in late 2008, shortly after Microsoft released the patch for the MS08-067 vulnerability in October 2008, and since then it has infected millions of computers around the world, including a small percentage in North America. The worm spreads by exploiting MS08-067 and, in later variants, by writing an autorun.inf file onto removable drives so that it runs when the drive is connected to another machine. Conficker has evolved into more complex variants, including Conficker.B and Conficker.C. Infected machines are prevented from reaching security-related websites, so if you cannot visit sites such as www.microsoft.com you may have one of the Conficker variants on your computer. Removal requires a dedicated removal tool that handles every variant, including the latest Conficker.C, and the MS08-067 patch must be installed afterwards so the machine is not simply reinfected.
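The "cannot reach security sites" symptom above can be turned into a quick triage check. The following is an added example written for this page, not the page's or any vendor's tool: it resolves a set of security-related names and a set of ordinary control names (both lists are assumptions chosen for illustration) and reports the pattern. Conficker variants are reported to interfere with DNS lookups for names containing security-vendor strings; the control set is what separates that pattern from a host that is simply offline. The resolver is injectable so the logic can be exercised offline with a constructed fake, which is what the usage at the bottom does.

```python
"""Triage check for "security sites fail, everything else works" (added example, not the page's code).

Assumptions: the two domain lists are illustrative; the substrings used by the
fake resolver mimic substring-based DNS blocking and are not a claim about the
worm's exact list. On a real host, run triage() with the default resolver.
"""
import socket
from typing import Callable, Optional

SECURITY_SITES = (
    "www.microsoft.com", "update.microsoft.com",
    "www.symantec.com", "www.mcafee.com", "www.sophos.com",
)
# Same kind of popular sites the worm itself uses for its connectivity check.
CONTROL_SITES = ("www.cnn.com", "www.ebay.com", "www.aol.com")

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the host's own stack: if the host filters lookups, this sees it."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_all(names, resolver: Resolver) -> dict:
    return {name: resolver(name) for name in names}


def classify(security_results: dict, control_results: dict) -> str:
    """Reduce the two result sets to one verdict; failures alone prove nothing, the contrast does."""
    controls_ok = sum(1 for ip in control_results.values() if ip)
    security_ok = sum(1 for ip in security_results.values() if ip)
    if controls_ok == 0:
        return "offline"      # no working baseline, nothing can be concluded
    if security_ok == 0:
        return "suspicious"   # ordinary sites resolve, security sites do not
    if security_ok < len(security_results):
        return "partial"      # some security sites fail: inspect which ones
    return "clean"


def triage(resolver: Resolver = system_resolver) -> dict:
    security = resolve_all(SECURITY_SITES, resolver)
    control = resolve_all(CONTROL_SITES, resolver)
    return {"verdict": classify(security, control), "security": security, "control": control}


def fake_blocking_resolver(blocked_substrings) -> Resolver:
    """Constructed test double that fails any name containing one of the substrings."""
    def resolve(name: str) -> Optional[str]:
        if any(s in name.lower() for s in blocked_substrings):
            return None
        return "203.0.113.10"  # TEST-NET-3 documentation address, not a real host
    return resolve


if __name__ == "__main__":
    # Constructed scenario: a host whose lookups for vendor names are filtered.
    infected_like = fake_blocking_resolver(("microsoft", "symantec", "mcafee", "sophos"))
    print("simulated filtered host:", triage(infected_like)["verdict"])
    print("simulated healthy host:", triage(fake_blocking_resolver(()))["verdict"])
```

A "suspicious" verdict is a heuristic, not proof: a corporate proxy or a deliberate DNS policy produces the same contrast, so follow it up with the removal tool rather than treating the script as a detector on its own.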
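The autorun.inf spreading mechanism mentioned for Neeris and for the later Conficker variants is worth seeing in a file. Below is an added example, not code from the page's author: a tolerant parser for autorun.inf plus a short assessment of the tricks such files use, run over a constructed sample. The junk-line padding and the rundll32 launch are modelled on patterns reported for autorun-spreading worms of this period, but the path, the SID-like directory and the DLL name in the sample are invented for the demo.

```python
"""Inspect an autorun.inf for auto-execution tricks (added example, not the page's code).

The [autorun] section is INI-like and Windows ignores lines it cannot parse,
which lets a worm pad the file with junk to defeat naive signatures. This
parser keeps only key=value lines inside [autorun] and counts the rest.
"""
import re

# Keys that cause code to run, or that lure a user into running it.
EXEC_KEYS = {"open", "shellexecute"}
# Targets that an autorun entry on a removable drive has little honest reason to launch.
# ".vmx" is included as an example of a non-executable extension used to disguise a DLL.
SUSPICIOUS_TARGETS = re.compile(
    r"(rundll32|cmd\.exe|wscript|cscript|\.dll|\.vmx|\.scr|\\recycler)", re.I)
KEY_VALUE = re.compile(r"^([A-Za-z_\\]+)\s*=\s*(.*)$")

# Constructed sample: invented names, modelled on the padded, rundll32-launching style.
SAMPLE_AUTORUN = r"""[autorun]
xmglsdqpwoeirutyalskdjfhg
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
zmxncbvalskdjfhgqpwoeiruty
qazwsxedcrfvtgbyhnujmikolp
shellexecute=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\loader.dll,runme
plmoknijbuhvygctfxrdzeswaq
UseAutoPlay=1
"""

# Constructed benign sample, as an installer CD might ship it.
BENIGN_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""


def parse_autorun(text: str) -> dict:
    """Return {'entries': {key: value}, 'junk_lines': n} for the [autorun] section."""
    entries, junk_lines, in_autorun = {}, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        m = KEY_VALUE.match(line)
        if m and in_autorun:
            entries[m.group(1).lower()] = m.group(2).strip()
        else:
            junk_lines += 1
    return {"entries": entries, "junk_lines": junk_lines}


def assess(parsed: dict) -> list[str]:
    """Flag the patterns that distinguish a worm's autorun.inf from an installer's."""
    entries, findings = parsed["entries"], []
    for key in sorted(EXEC_KEYS & entries.keys()):
        if SUSPICIOUS_TARGETS.search(entries[key]):
            findings.append(f"{key}= launches a suspicious target: {entries[key]}")
    for key, value in entries.items():
        # shell\<verb>\command= hijacks an Explorer context-menu verb such as Open or Explore.
        if key.startswith("shell\\") and key.endswith("\\command") and SUSPICIOUS_TARGETS.search(value):
            findings.append(f"{key}= hijacks an Explorer verb: {value}")
    lure = "folder" in entries.get("action", "").lower() or "shell32.dll" in entries.get("icon", "").lower()
    if lure and (EXEC_KEYS & entries.keys() or any(k.startswith("shell\\") for k in entries)):
        findings.append("action=/icon= make the entry pose as Explorer's own 'Open folder to view files'")
    if parsed["junk_lines"] > 3:
        findings.append(f"{parsed['junk_lines']} unparseable lines: junk padding typical of obfuscated autorun.inf")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "->", assess(parse_autorun(text)) or ["no findings"])
```

The lure finding is the one users actually fall for: the entry borrows Explorer's folder icon and its default action text, so double-clicking the drive runs the worm instead of opening the folder. Disabling AutoRun for removable drives on the host removes the vector regardless of what the file says.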
In the weeks to come we will see more moves from Conficker, and each one will help us and other security researchers gather more specific details about the worm and how to combat whatever malicious actions come next.