Conficker Conflunks

To hear some media outlets talk on Tuesday, one would have thought that the Apocalypse was closing on the world like Jaws on an innocent swimmer. Havoc, mayhem, hemorrhoids, male pattern baldness — just about everything imaginable was supposed to break loose yesterday as the Conficker worm came crawling out of its hole. Why, then, is Preparation H stock up a mere quarter-point and we all still have our hair?

Humor and vasoconstrictors aside, why didn't the gigantic boom we were all told to expect materialize? The experts say they don't know. What members of the Conficker Working Group are sure of is that money, not mayhem, is at the root of the worm, and those behind it will eventually use it for spamming, DDoS attacks, or to pilfer private information. Security company Finjan's Cybercrime Intelligence Report estimates a single author could make nearly $4 million per year through a botnet of the sort Conficker establishes.

Contrary to what some have suggested, the worm did, in fact, do what it was expected to do — it activated, giving the worm-masters full administrator-level control over some five million infected PCs, and making itself much more difficult to detect and fight. The worm generates URLs by which the master computer communicates with infected machines, constantly staying ahead of the efforts of security experts to shut them down. Yesterday, the botnet began communicating over 50,000 domain names in 116 countries — a dramatic increase over the 250 URLs used by previous versions of the worm.

While many of the same media organizations that were predicting death, doom, and destruction switched to mocking the worm's lack of dramatic explosions, experts say whoever is behind the worm is likely biding their time. Said Lumension Security's Paul Henry: "They'll wait for the hype to subside... They'll wait for everyone to stop watching, and they'll take it for a test run. They've put together one hell of a botnet here, and they're going to want to exercise it."

As for the April 1 date, researchers say it could have been a sick joke or an attempt by the author to get attention, intended to induce exactly the kind of brouhaha that took place. What it definitely did, though, was bring heightened awareness of the worm and reduce the number of infections by an unknown figure. Experts urge anyone who has not done so already — especially those in government, corporate, and education settings, where patching is often neglected, according to Roger Thompson of Exploit Prevention Labs — to scan their systems for the worm, install the patch for MS08-067, and pass the word along.

And just in case you missed it, Linux Journal's own Associate Editor Shawn Powers covered how to detect Conficker using Linux tools on Tuesday, right here on
