T-minus two days...Ready or not, here comes Conficker

The computers -- over a million of them at last count, it is believed -- are in place. The Microsoft vulnerability making it all possible has been patched by, presumably, everyone who's going to do so. The poisonous code itself has been upgraded. We've seen the effect of the early tests, we've pondered the bounty on the developers' heads, and yet we've got to start asking ourselves: What's going to happen when Conficker lights up on Wednesday?

Wouldn't you like to know. Wouldn't a lot of people like to know.

While the rest of the world was filling out its brackets and wondering why Madonna needs to adopt another kid, the unknown perpetrators of Conficker have been busy polishing their botnet -- though "botnet" at this point feels like a rather inadequate word. After several code updates, Conficker's got at least 50,000 sites available for remotely controlling its activities, whatever they turn out to be.

Estimates of the number of affected machines vary. Fortinet's monthly threat analysis, released Friday, says that Conficker's the fourth most common infection this month -- though down a bit from its peak infection day on February 12. Microsoft hasn't released a new infection estimate since that day (coincidentally, the day on which the company announced that $250,000 reward for information leading to the capture of Conficker's keepers); they said that 3 million machines were infected at that time.

Not only is the number of infected machines quite high, the number of machines that can be used to control them has skyrocketed -- a crucial part of why Conficker (a.k.a., Downadup or, occasionally, Downandup) so nasty. An earlier victory by anti-Conficker researchers, in which 250 sites under the control of the malware were recaptured, was obliterated a week later when Conficker's keepers tweaked the code. Now it can tap 50,000 sites -- and there's virtually no chance of shutting those down.

(Microsoft, by the way, won't even discuss how many hosts are infected; as Christopher Budd, security response communication lead for Microsoft, puts it, "While Microsoft and ICANN are monitoring several data points, by revealing these numbers, the criminals' attack could be aided and so it is in the best interest of our customers to not release these figures at this time.")

That specific version, called Conficker C (or Downadup.C or, to one's everlasting confusion, Conficker.D), also has the ability to knock out various anti-malware programs as well as Microsoft's security update abilities. Fortinet analysts note that the C version deploys a new domain generation algorithm, and uses MD6 (an enhanced cryptographic hash function) to check that its code is valid. Overall, experts say, Conficker's writers are diligent, smart, and keeping a close eye on efforts to take their baby out of commission. (SRI International, which has engaged in close analysis of Conficker C for weeks, has a fascinating analysis posted, complete with flowcharts.)

Those efforts vary. Some keepers of top-level domains, such as Canada and its Canadian Internet Registration Authority, hopes to mitigate the attack's effects on its sites (and reputation) by registering and isolating domains it believes the Conficker software might try to generate. Doing so will block Conficker from setting up sites to host the command-and-control software that directs infected machines. Microsolved is offering a free honeypot that can spot and document Conficker probes or scans (Linux only, folks), and other groups are announcing tools and detection strategies as the day nears.

And the coalition of companies that came together a few weeks back is still racing the clock, updating their site over the weekend. The Conficker Working Group (formerly the Conficker Cabal) has also freshened its FAQ, noting therein that the only thing we definitely know about April 1 and Conficker is that the malware will switch to a new algorithm to determine which domains infected machines should contact for further instructions.

So what the heck is it? What does it want from us? Why are we in a situation not unlike the landing scene in The Day The Earth Stood Still? The currently dominant theory about Conficker is that it's the malware equivalent to cloud computing -- big space, big capacity, for hire, for bad guys. Most botnets are run for financial gain, so maybe we're on the cusp of some big theft or fraud effort; more darkly, a botnet this big and hard to eradicate could be used for cyber-attacks on nations or against the net at large. That doesn't necessarily happen on Wednesday; again, the only thing known to happen on Wednesday is the algorithm change... and a lot of jangly nerves while we wait and watch.

And a very happy April Fools' Day to you too!

[Pair of Iberian worm lizards (Blanus cinereus)) pictured courtesy of Richard Avery, via Wikimedia Commons.]