A computer-science detective story is playing out on the Internet as security experts try to hunt down a worm called Conficker C and prevent it from damaging millions of computers on April Fool’s Day.
The anti-worm researchers have banded together in a group they call the Conficker Cabal. Members are searching for the malicious software program’s author and for ways to do damage control if he or she can’t be stopped. They’re motivated in part by a $250,000 bounty from Microsoft and also by what seems to be a sort of Dick Tracy ethic. “We love catching bad guys,” said Alvin Estevez, CEO of Enigma Software Group, which is one of many companies trying to crack Conficker. “We’re like former hackers who like to catch other hackers. To us, we get almost a feather in our cap to be able to knock out that worm. We slap each other five when we’re killing those infections.” The malicious program already is thought to have infected between 5 million and 10 million computers. Those infections haven’t spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company. What happens on April Fool’s Day is anyone’s guess.
$250K Microsoft bounty to catch worm creator
Downadup virus exposes millions of PCs to hijack
The program could delete all of the files on a person’s computer, use zombie PCs — those controlled by a master — to overwhelm and shut down Web sites or monitor a person’s keyboard strokes to collect private information like passwords or bank account information, experts said. More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products. Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs. DeBolt said Conficker C imbeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent the malware from causing damage. The program’s code is also written to evolve over time and its author appears to be making updates to thwart some of the Conficker Cabal’s attempts to neuter the worm. “It is very much a cat and mouse game,” DeBolt said. It’s unclear who wrote the program, but members of the Cabal are looking for clues. First, they know that some recent malware programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software. Worm program authors often hide in those countries to stay out of sight from law enforcement, he said. In a way, the Conficker Cabal is also looking for the program author’s fingerprints. DeBolt said security researchers are looking through old malware programs to see if their programming styles are similar to that of Conficker C. The prospects for catching the program’s author are not good, Morganelli said. “Unless they open their mouth, they’ll never be found,” he said. So, the most effective counter-assault simply may be damage control. One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said. Microsoft released a statement saying the company “is actively working with the industry to mitigate the spread of the worm.” Users who haven’t gotten the latest Windows updates should go to http://safety.live.com if they fear they’re infected, the company’s statement says. DeBolt said people who use other antivirus software should check to make sure they’ve received the latest updates, which also could have been disabled by Conficker C. The first version of Conficker — strain A — was released in late 2008. That version used 250 Web addresses — generated daily by the system — as the means of communication between the master computer and its zombies. The end goal of the first line was to sell computer users fake antivirus software, said Morganelli. Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said. That process-of-elimination approach isn’t likely to be effective with Conficker strain C, Morganelli said. The new version will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said. The first iteration of Conficker is thought to have grown out of a free function for security programs created by Dr. Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology. “Any technology can be used for good or evil, and this is just an example of that,” Rivest said. Many viruses have taken pieces of benevolent programs and used them for ill. But overall the “open source” environment online promotes computer security far more than it enables hackers, DeBolt said. “I don’t blame the open-source community at all” for virus attacks, he said. CA said it recently found a piece of code in Conficker C that says the worm will become active on April 1. Previous versions of the malicious software launched on specific dates noted in the program code, so the April Fool’s Day launch date is not likely to be a trick, DeBolt said. “The best minds in the industry are working on this to protect customers,” he said. “We’re trying to reduce the impact of the April 1 date as best we can. But we know … this malware will continue to evolve.”