Conficker AKA Downadup AKA April Fool's Worm
With just hours to go before the widespread Conficker worm is expected to activate, researchers say they're relying on new efforts to help mitigate the risk and detect the worm itself.

And not a moment too soon. The worm, which is also known as Downadup, Kido, Confick and the April Fool's Day worm, is creating a vast botnet with an as-yet-unknown purpose. One of the few facts researchers know about the worm is that it's designed to begin seeking out new orders from its creators on April 1.

Technology vendors are actively doing what they can to ensure that the worm is detected and blocked -- a massive undertaking that's yielded some staggering statistics as the industry locks down botnet-controlled domains and hunts infected PCs.

"We have blocked over 300,000 names so far in the domains that we support," Heather Read, senior director for communications at top-level domain (TLD) operator Afilias, told "We expect that, over the course of the year, this number will be significantly more, likely in excess of one million names."

Afilias is a member of the Conficker Working Group, which brings together TLD (top level domain) operators, industry leaders like Microsoft and ICANN, and security researchers.

Involving members of the domain community like Afilias, which currently supports 15 TLDs, could be critical to helping stop the spread of Conficker. The latest variants of the worm use randomly registered domains as part of its command-and-control network.

"The belief is that if we prevent the registration of these domains, we will deprive Conficker's creators with Internet resources that they could potentially use to control and update the botnet," Read said.

How many infections?

Aside from its domain-based command-and-control network, Conficker at its most basic level is a Windows PC-based worm that affects consumer desktops. And given the massive rate of Conficker-controlled domains, it's no surprise that plenty of systems have been hijacked.

According to Jeffrey Shipley, manager of intelligence collection and analysis at Cisco Security Research and Operations, Conficker's infection rates are relatively low in the U.S., while higher in other areas.

Shipley told that the Conficker.C worm has infected about 10 million Windows-based computers in 150 countries, with China's level of infection estimated at 3 million, Brazil at 1 million and Russia at 800,000. In the United States, researchers suspect about 200,000 computers have been infected.

"While most enterprise customers have seen low infection levels, certain customers have seen more significant issues," Shipley said. "In particular, environments with loosely managed computers have been hard hit. Examples include hospital environments in which computers are unpatched for extended periods, and technologies such as IPS (define) and CSA [Cisco Security Agent, an endpoint security and antivirus solution] may not have been deployed."

Scanning for Conficker

Like the worm itself, identifying Conficker is an evolving task, researchers say. For the most part, until today, Conficker infections have been detected by local users who update their PCs and run antivirus software.

As of today, however, researchers have developed new remote scanning technologies that can identify if Conficker is running on a particular network. Nessus, nmap, McAfee and Qualys are among the vendors deploying the technology, thanks in part to an effort led by the Honeynet Project, a nonprofit security research effort.

For security vendor Qualys, the new detection method is being baked into its QualysGuard scanner.

"This new detection method allows IT administrators to remotely detect the Conficker virus directly on the infected machines without needing credentials or an agent installed," Wolfgang Kandek, Qualys's CTO, told "For many large enterprises, this represents an opportunity to perform a quick and nonintrusive audit of their patching efforts. Before the release, we were depending on having the credentials to the target machine for our Conficker detection."

Detecting Conficker remotely is a matter of identifying the "fingerprint" that it leaves behind, Kandek said. According to him, Conficker leaves a mark on infected machines that can be detected remotely by using special RPC (define) calls.

What happens on April 1?

Conficker has only been around since October at the earliest, which is when Microsoft released an out-of-band update to patch a vulnerability on which the worm now preys.

That brief lifespan hasn't made it any simpler for researchers to figure out Conficker's plans ahead of its April 1 update.

"Based on Microsoft's technical analysis, we've determined that systems infected with the latest version of Conficker (Conficker.D) will begin to use a new algorithm on April 1, 2009 to determine what domains to contact," Christopher Budd, security response communications lead for Microsoft (NASDAQ: MSFT), told in an e-mail. "We have not identified any other actions scheduled to take place on that date."

In the meantime, researchers have plenty of theories on what might take place on April 1.

"Currently the major threat is that Conficker can download new programs that it will execute on command by its controllers, and we do not know what these programs will do," Qualys' Kandek said. "In addition, the authors of Conficker have shown that they have the ability to quickly turn out new versions of Conficker -- these need to be analyzed each time from scratch, so we are at a disadvantage."

Still, Kandek does not expect any problems on April 1 -- at least, in terms of Conficker disrupting communications by "phoning home" for instructions. From his code analysis, he surmised that Conficker.C is rather "gentle" in its communication mechanism, set for activation on April 1.

"This makes a lot of sense, as the creators of the worm are not interested in disruption," he said. "They want their worm to be as successful as possible, [keeping] their network of machines healthy and to grow it if possible."

For the moment, researchers are celebrating their successes against the worm. For instance, Microsoft's Budd noted the effort with domain name system operators has proactively disabled a significant number of domains targeted by Conficker to disrupt the use of the worm and prevent potential attacks.

Still, he warned, "This disruption was not meant to be an end-all solution to the Conficker worm," Budd said.

Microsoft also continues to advise its users to update their PC and ensure they are running up-to-date antivirus software.

"However, as this threat continues to evolve, Microsoft and other collaborative companies will continue to identify new ways to disrupt the Conficker threat to give customers more time to update their systems," Budd added.