Conficker April 1st FAQ

I originally published this blog at http://community.ca.com/blogs/securityadvisor

Published: March 30 2009, 02:02 PM by: Benjamin Googins

What is important about the date of April 1st? The latest variant of Conficker, Conficker.C is programmed to “call home” and possibly update itself with new functionality on April 1st.

Is this a joke? There is little doubt that the April 1st date was chosen on purpose but due to the fact that earlier variants of Conficker also had date-based triggers this is not viewed as a joke.  It is expected that Conficker.C will successfully update some of the infected population on or soon after this date.

What will happen on April 1st? Live Conficker.C installations will generate a list of 50,000 possible URLs in an attempt to “call home” and potentially update itself.  Of the 50,000 URLs only 500 will be contacted daily.

Any successful “rendezvous” will result in the download of new arbitrary code.  It is unknown what new functionality this new update will bring.

If my machine is clean do I have anything to worry about? Conficker.C has removed most of its attack/propagation functionality.  Therefore if your system is clean now it likely will not be impacted by the April 1st trigger for Conficker.C.  However new attack/propagation code could be deployed to currently infected systems so it is recommended that all operating systems and applications be fully patched and that Anti-Malware software is up to date and fully operational. Previous versions of Conficker still pose a threat to un-patched systems.  Please see malware descriptions at for recommendations: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=76852  AND: http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911.

How many installs of Conficker.C are out on the Internet? It is unknown at this time.

How can I tell if Conficker.C is on my network? Newly discovered data indicates that Conficker.C can be detected via a network vulnerability scan.  It is recommended that all system administrators review this article (http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/)  and pursue network scanning immediately to identify any possible Conficker.C infections on their networks.

Will CA scan my network for Conficker.C? No.  Customers must deploy a separate network vulnerability scanning program, as described in the article referenced above.  CA’s anti-virus software will scan host systems for Conficker A, B, and C, but live installs of Conficker .C have the ability to block detection and/or disable the functionality of anti-virus scanners.

If I find a live install of Conficker.C what do I do? Isolate the affected nodes from the network.

Contact CA support immediately.  Custom removal tools and/or a live boot CD can be provided to remove the live infection.

Is Conficker.C active right now? Yes.  But only via its P2P protocol.  The internet “rendezvous” or “call home” trigger of April 1st has not started yet. Via P2P protocol Conficker.C is attempting to identify other “.C” variants and in doing so build a master list of infected hosts by IP address.

Can I identify Conficker.C via sniffing the P2P traffic? Yes but with general sniffing it is difficult especially in large enterprise networks.  It is recommended to pursue the network vulnerability scan referenced above as the most efficient way to identify live Conficker.C installations.

Are there IDS signatures published for detecting Conficker.C? Yes.  Commercial and Open Source IDS signatures are being deployed to detect the following:

Conficker.C P2P communications Conficker.C HTTP Time Checks Conficker.A&B shellcode

What is the objective of Conficker? The end game of this malware threat is unknown.  Based on recent malware trends this threat will most likely be used as a botnet for the purposes of collecting personal identifiable information or distribution of adware or rogue security products.  However, this does not preclude the malware authors or using their installs for denial of service or other more nefarious attacks.

What will happen after April 1st? Conficker.C will continue to generate 50,000 URLs and attempt to communicate with 500 of the 50,000 daily.  This will continue as long as Conficker.C is not updated or removed.

Any successful updates to Conficker.C will bring new “arbitrary” functionality which means no one can predict what it will do once updated.

Where can I find more information on Conficker.C? Members of the Conficker Working Group, which includes CA, have put together a robust FAQ here: http://conficker.shadowserver.org/wiki/pmwiki.php?n=ANY.FAQ

(This FAQ was prepared by Don DeBolt.)

By: Benjamin Googins

avatar

Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breeches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document , Spyware Scorecard , Threat… Read More..

Comments from original post:

Is there a conficker patch for MS XP Home Edition SP1? I can’t find it on the MS website.  It only starts w/ SP2. I loaded CA on my mother-in-law’s older computer recently and I am not familiar w/ it’s features.  She lives in another town and I don’t know how to help her get the patch. Can anyone help? Posted by: becky, March 31, 2009 8:51 PM

if i turn off my computer can this virus still get into my computer. Posted by: Lucy, April 1, 2009 12:40 AM

Why aren’t firewalls more effective against this type of malware?  Posted by: Lisa, April 1, 2009 2:56 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s