Six long years ago, the SQL Slammer worm began its inglorious travels across the Internet, infecting machines whose owners had neglected to install a patch that had been issued by Microsoft six months earlier. Since that time, Microsoft has dramatically overhauled the way it integrates security into its products and provides security updates to customers. But it's amazing how history repeats itself. This week, on Wednesday, April 1, another computer worm, this one targeting numerous modern Windows versions, will trigger an attack of some sort on the world, ushering in what I'm sure will be a new generation of security changes around the industry.
The worm, dubbed Conficker (a German melding of "configure" and an obscene phrase), has security experts looking about as confused and useless as so-called economic experts in the face of the current financial crisis. It's really a series of worms, all variants of the same code base, which have been released over time. Estimates place the number of PCs and servers compromised so far at about 10 million machines in over 150 different countries (with 3 million in China alone). The worm is scheduled to do ... something ... on April 1.
Here's the thing: As with SQL Slammer, Conficker exploits a vulnerability that has already been patched by Microsoft. In fact, it was patched last October as part of Microsoft Security Bulletin MS08-067. But according to security experts, up to 30 percent of all Windows machines worldwide are still not protected against this vulnerability. (It was around 50 percent at the end of 2008.) And as with SQL Slammer, Conficker's origins lie in previously-created proof-of-concept code, in this case an open-source penetration-testing tool.
Conficker is serious stuff, especially the latest "C" variant. It infects unpatched computers, spreads via network shares and removable storage as well as its own peer-to-peer functionality, then shuts down the computer's ability to download and install legitimate security patches. But the scariest part is that Conficker C is going to trigger, well, something -- on April 1. On that date, 500 of an estimated 50,000 domains will be contacted by infected machines and given some kind of instruction. It could be an updated version of the worm, other malware, or something else entirely. No one is sure.
One thing all security researchers agree on is that Conficker is sophisticated. This isn't some weekend-hacker-kiddie project. Instead, its authors have utilized encryption keys and other advanced techniques that have continually baffled those trying to uncover its secrets.
On the good news front, it's looking less and less like Conficker is going to trigger a massive Denial of Service (DoS) type attack on April 1, as was previously feared. In fact, many security watchers now expect the day to pass as quietly as did January 1, 2000, when the world's computers were supposedly going to raise and battle the humans for supremacy of the earth. (Or something to that effect. I have trouble remembering what all the hubbub was about.)
Part of the positive vibe here is that security researchers have discovered what they believe to be a small flaw in the most recent Conficker version, a rarity given the high quality of the code. This flaw will help administrators recognize Conficker-exploited PCs, something that wasn't previously possible. (Before, PCs afflicted with Conficker appeared to be properly patched.)
And Microsoft has issued a $250,000 bounty to anyone who can provide information that leads to the capture of the person or people responsible for Conficker. So far, there aren't many clues, but law enforcement agencies have suggested the Ukraine as a possible origin. One thing is clear, whoever is responsible for this worm is a criminal mastermind worthy of a James Bond thriller.
The obvious question, of course, is what you should do. Security experts from Microsoft and the major security firms say that the smartest thing you can do is stay up to date with your security updates. The company's Malicious Software Removal Tool can help remove Conficker, as can the Windows Live OneCare Safety Scanner, a free online service. For more information, visit the Microsoft Security web site.
An edited version of this article appeared in the March 31, 2009 issue of Windows IT Pro UPDATE. --Paul