Friday, April 10, 2009

Conficker - the dog that hasn't barked ... yet!

To quote from Arthur Conan Doyle ...

Gregory: "Is there any other point to which you would wish to draw my attention?"
Holmes: "To the curious incident of the dog in the night-time."
Gregory: "The dog did nothing in the night-time."
Holmes: "That was the curious incident."

There was much speculation in the media about what the Conficker botnet would do on the 1st of April and, as with previous virus scares (Michelangelo, CIH, SoBig etc.), it turned out to be more about hype than reality. The Conficker botnet remains dormant … so far.

The main activity in the run-up to the supposed activation date of the first of April was a huge increase in the number of rogue security tools masquerading as Conficker clean-up packages. The botnet itself has yet to do anything, but the act of spreading has already caused problems and claimed a number of high-profile victims, including the UK Ministry of Defence.

Conficker started spreading in November 2008 and, like many such worms, it uses a variety of techniques to spread, including exploiting Windows vulnerabilities and copying itself across network shares. Conficker can also spread via removable media such as USB memory sticks.

Earlier versions include a type of peer-to-peer functionality, which means that computers infected by this version of Conficker can communicate amongst themselves without needing to “call home” to a central server or servers.

Some versions call home to 250 different domains on a daily basis to check for updates. On Wednesday 1st April the latest version of Conficker began calling home to a sample of 500 out of 50,000 domains on a daily basis.
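One defensive way to spot this kind of daily call-home behaviour on your own network, as an added example that is not part of the original post: a host that walks a long list of candidate rendezvous domains, most of which nobody has registered, shows up in resolver logs as many distinct domain queries with mostly NXDOMAIN answers. The log format, the sample lines, the thresholds and the function names below are assumptions made for illustration; no real Conficker domain list is reproduced.

```python
import re
from collections import defaultdict

# Constructed sample of DNS resolver log lines: timestamp, client, query, rcode.
# Made-up values for illustration, not captured Conficker traffic.
SAMPLE_DNS_LOG = """\
2009-04-01T09:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T09:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T09:00:03 10.0.0.5 update.example.org NOERROR
2009-04-01T09:00:04 10.0.0.9 hwqzpl.org NXDOMAIN
2009-04-01T09:00:04 10.0.0.9 ktrvmz.net NXDOMAIN
2009-04-01T09:00:05 10.0.0.9 pqoixc.info NXDOMAIN
2009-04-01T09:00:05 10.0.0.9 zzmkrt.com NXDOMAIN
2009-04-01T09:00:06 10.0.0.9 www.example.com NOERROR
2009-04-01T09:00:06 10.0.0.9 uyewqa.biz NXDOMAIN
2009-04-01T09:00:07 10.0.0.9 nbvcxa.org NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")

def parse_dns_log(text):
    """Yield (client, query, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip("."), m.group(4)

def registered_domain(name):
    """Collapse a query name to its last two labels (e.g. example.com), a rough
    stand-in for the registrable domain that is adequate for the sample above."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name

def find_callhome_suspects(text, min_domains=5, min_nx_ratio=0.8):
    """Flag clients that query at least min_domains distinct domains and get
    NXDOMAIN for at least min_nx_ratio of their lookups: the footprint of a
    host trying a daily list of candidate update domains, most unregistered."""
    domains, nx, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for client, query, rcode in parse_dns_log(text):
        domains[client].add(registered_domain(query))
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    suspects = {}
    for client in total:
        ratio = nx[client] / total[client]
        if len(domains[client]) >= min_domains and ratio >= min_nx_ratio:
            suspects[client] = {"distinct_domains": len(domains[client]),
                                "nxdomain_ratio": round(ratio, 2)}
    return suspects
```

In the constructed sample only 10.0.0.9 is flagged; on real logs the thresholds need tuning against the normal NXDOMAIN rate of the network, since typo traffic and misconfigured software also produce failed lookups.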

While Conficker hasn’t done anything yet, it is a very real possibility that it could in the near future. So should you be panicking? No … as long as you keep your anti-virus package up to date, since most up-to-date anti-virus programs will have no trouble detecting Conficker.

A good FAQ can be found on the F-Secure website http://www.f-secure.com/weblog/archives/00001636.html.