Friday, March 27, 2009

Please, media and press, don't hype Conficker.c!

I don't know for sure what's going to happen on April 1st, when Conficker (Kido is Kaspersky Lab's name for it) is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date. At least machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet's Command and Control (C&C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains. While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it's likely to be over a million. If Conficker starts to act like a real botnet, then even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it will have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.
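The jump from 250 to 50,000 generated domains a day is what makes blocklisting the C&C rendezvous points impractical, but it also leaves a footprint on the network: an infected machine resolves many names a day that are random-looking and mostly do not exist. The script below is an added example (not code from the original post and not Kaspersky's tooling) of the kind of resolver-log heuristic a defender can use to spot that pattern. It assumes a hypothetical three-field log format (client IP, queried name, response code), uses a constructed sample log, and flags a client once it has several distinct NXDOMAIN answers for names whose second-level label has high character entropy. It does not implement or model Conficker's own domain generation algorithm; it is a generic detection heuristic, and the thresholds are assumptions to be tuned against your own traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the original post).
# Fields: client IP, queried name, DNS response code.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 exmaple.com NXDOMAIN
10.0.0.7 www.example.com NOERROR
10.0.0.7 qzvkhwtpxb.org NXDOMAIN
10.0.0.7 ebrlgmhyuo.net NXDOMAIN
10.0.0.7 ndfsjacwit.info NXDOMAIN
10.0.0.7 pmtrkvbxqe.biz NXDOMAIN
10.0.0.7 hgalzysunc.cc NXDOMAIN
10.0.0.7 wcjdbmpqfo.ws NXDOMAIN
10.0.0.9 login.example.org NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random-looking labels score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """The label just left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (client, name, rcode) tuples; malformed lines are skipped rather than crashing the run."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        yield fields[0], fields[1], fields[2]


def suspicious_lookups_per_host(text: str, entropy_threshold: float = 3.0) -> dict:
    """Count, per client, distinct NXDOMAIN names whose second-level label looks random."""
    seen = defaultdict(set)
    for host, name, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue  # a resolved name tells us nothing here; only failed lookups count
        if shannon_entropy(second_level_label(name)) >= entropy_threshold:
            seen[host].add(name)
    return {host: len(names) for host, names in seen.items()}


def flag_hosts(text: str, min_suspicious: int = 5, entropy_threshold: float = 3.0) -> list:
    """Clients with at least min_suspicious random-looking NXDOMAIN names, sorted for stable output."""
    counts = suspicious_lookups_per_host(text, entropy_threshold)
    return sorted(host for host, n in counts.items() if n >= min_suspicious)


if __name__ == "__main__":
    for host, n in sorted(suspicious_lookups_per_host(SAMPLE_LOG).items()):
        print(f"{host}: {n} random-looking NXDOMAIN names")
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

On the sample log only 10.0.0.7 is flagged: 10.0.0.5's single NXDOMAIN is a typo of a dictionary word and scores low entropy, so one or two failed lookups from a user never trip the rule. The entropy threshold is a coarse filter; in practice you would combine it with the NXDOMAIN rate over a time window and an allowlist for CDN and cloud hostnames that legitimately look random.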

Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems). However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether, for instance by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV sites and so on.

Well... will we see big problems around the first of April?
I personally don't think so.
Will the internet go down? Of course not...
Maybe it will be the biggest April 1st joke we will see this year,
but please may I call on the media at least not to hype this.

If you're using a Kaspersky product and you patched your systems you don't need to worry, and that's probably the most scary part... there are still a lot of corporates which don't patch their systems. Will they never learn? That should be the message for the media and press. Kaspersky will also come up with an official statement soon, as several other vendors are doing.
At least all experts and vendors are monitoring the situation.
And like I've said before, please don't hype the situation.

You can find a removal tool at this page.

(I'm writing this at the end of Infosecurity Belgium which was fantastic BTW. I've met hundreds of people, friends and even Kim Gevaert but that's for another blog later.)