On the surface, April 1 came and went without a peep from the dreaded Conficker megaworm. But security experts see a frightening reality, one where Conficker is now more powerful and more dangerous than ever.
In the first minute of April 1, Conficker did exactly what everyone knew it was going to do: It successfully phoned home for an update. And while it was fun to imagine what nasty payload that update may have included (it was fun, wasn’t it?), the result was not outwardly catastrophic; rather than a blueprint for world domination, the update contained instructions on how to dig in even deeper.
“The worm did exactly what everyone thought it was going to do, which is update itself,” security expert Dan Kaminsky, who helped develop a widely-used Conficker scanner in the days leading up to April 1, told us. “The world wants there to be fireworks, or some Ebola-class, computers-exploding-all-over-the-world event or God knows what, but the reality is…the Conficker developers have cemented their ability to push updates through any fences the good guys have managed to build in February and March.”
And here’s why that is deeply, deeply scary. As we explained, Conficker has built a zombie botnet infrastructure by registering hundreds of spam DNS names (askcw.com.ru, and the like), which it then links up and uses as nodes for infected machines to contact for instructions. In its earlier forms, Conficker attempted to register 250 such DNS names per day. But with the third version of the software, the Conficker.c variant which has been floating around for the last month or so, the number of spam DNS takeovers was boosted to 50,000 per day—a number security pros can no longer keep up with.
Yikes! This paints a pretty scary picture.