The Conficker worm (also known as Downadup.AD) appeared last October targeting (surprise! surprise!) Microsoft Windows vulnerabilities common to 2000, XP, Vista, et al.
It has contaminated more than 9 million PCs worldwide, hitting 1.1 million on a single day last January. Conficker has shut down the operations of the French Air Force, 24 RAF air bases, and 75% of the Royal Navy, and infected hundreds of computers serving Germany’s Bundeswehr and Defense Ministry.
New York Times:
The program grabbed global attention when it began spreading late last year and quickly infected millions of computers with software code that is intended to lash together the infected machines it controls into a powerful computer known as a botnet.
Since then, the program’s author has repeatedly updated its software in a cat-and-mouse game being fought with an informal international alliance of computer security firms and a network governance group known as the Internet Corporation for Assigned Names and Numbers. Members refer to the alliance as the Conficker Cabal. …
An examination of the program reveals that the zombie computers are programmed to try to contact a control system for instructions on April 1. There has been a range of speculation about the nature of the threat posed by the botnet, from a wake-up call to a devastating attack.
Researchers who have been painstakingly disassembling the Conficker code have not been able to determine where the author, or authors, is located, or whether the program is being maintained by one person or a group of hackers. The growing suspicion is that Conficker will ultimately be a computing-for-hire scheme. Researchers expect it will imitate the hottest fad in the computer industry, called cloud computing, in which companies like Amazon, Microsoft and Sun Microsystems sell computing as a service over the Internet. …
Several people who have analyzed various versions of the program said Conficker’s authors were obviously monitoring the efforts to restrict the malicious program and had repeatedly demonstrated that their skills were at the leading edge of computer technology.
For example, the Conficker worm already had been through several versions when the alliance of computer security experts seized control of 250 Internet domain names the system was planning to use to forward instructions to millions of infected computers.
Shortly thereafter, in the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet. …
A report scheduled to be released Thursday by SRI International, a nonprofit research institute in Menlo Park, Calif., says that Conficker C constitutes a major rewrite of the software. Not only does it make it far more difficult to block communication with the program, but it gives the program added powers to disable many commercial antivirus programs as well as Microsoft’s security update features.
“Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm,” said Phillip Porras, a research director at SRI International and one of the authors of the report. “Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.”
“In the worst case,” Mr. Porras said, “Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.”
The researchers, noting that the Conficker authors were using the most advanced computer security techniques, said the original version of the program contained a recent security feature developed by an M.I.T. computer scientist, Ron Rivest, that had been made public only weeks before. And when a revision was issued by Dr. Rivest’s group to correct a flaw, the Conficker authors revised their program to add the correction.
Although there have been clues that the Conficker authors may be located in Eastern Europe, evidence has not been conclusive.
Alarmingly, TrendMicro’s virus encyclopedia entry is “temporarily unavailable.”