Tweak in 'Conficker' Sparks Fears

Crime, Law and JusticeCrimeBusinessCompanies and CorporationsEntertainmentTheft

SAN FRANCISCO (AP) - Even if it's not an AprilFools' joke, the latest moves by the dreaded Conficker worm are by nomeans an Internet Armageddon, either.

Theworm's alarming outbreak entered a new phase Wednesday as clocks aroundthe world ticked into the first day of April, the day it was scheduledto change programming.

Butsecurity experts appeared correct in their predictions that the day waslikely to come and go without any major disruptions, even though theworm has infected anywhere from 3 million to 12 million PCs runningMicrosoft Corp.'s Windows operating system.

Computerinfections now are all about making money by stealing people's personalinformation. And Conficker's authors stand to make more money fromrenting out parts of their huge "botnet" to spammers or identitythieves than by destroying parts of the Internet.

"Theseguys have been pretty smart until now - the worm is unfortunately verywell done," said Patrik Runald, chief security advisor for F-SecureCorp. "So far they haven't been stupid. So why should they start onApril 1?"

But panic over the worm had reached a frenzy.

Lori LynnPavlovich, a mother of four from Racine, Wis., unplugged her PC andvowed to stay offline for a week after seeing a local TV news reportabout the worm.

"I getscared real easy when it comes to stuff like that," she said.Pavlovich, who says she keeps her antivirus software and securitypatches up to date, got back online 24 hours later after a relativeassured her that her system was safe.

In thelast six months, the worm has also caused sleepless nights for thetechnicians who maintain corporate and governmental computer systems.European media reported that the French military grounded some of itsfighter planes after the Navy's network was infected over the winter.

Companieswere on high alert to any change in Conficker's behavior that couldaffect their systems. But a lot of the heavy lifting for bigcorporations has already been done. Most large organizations hurried tofix the vulnerability that Conficker exploits long ago - Microsoftreleased a software "patch" for it in October. Many smaller businessesand consumers started worrying about the problem later, making themmore vulnerable to infection.

"Consumersare very, very, very aware of this - more so than I've seen in years,"said Alfred Huger, vice president of Symantec Security Response."Enterprises are certainly aware of this, and they're treating thisseriously, but no more so than other threats they're faced with."

Detectinga Conficker infection is actually very easy. One of the telltale signsis if you're able to navigate the Internet freely but can't accessMicrosoft's site or the sites for the major antivirus software vendors.Conficker's authors included that feature to prevent infected machinesfrom downloading programs that remove the worm.

Thatmakes it harder to get the Conficker removal programs, but notimpossible. Security experts recommend that people with infectedmachines find a friend whose machine isn't infected, and have thatperson download the removal tool and e-mail it to them.

Manycompanies that have already protected their networks from Confickerhave become concerned again because of the publicity the worm generatedin recent weeks as the April 1 change to Conficker's programmingapproached.

MichaelLa Pilla, manager of the malicious code operations team at VeriSignInc.'s iDefense division, said some of his company's customers wereasking for immediate notification about changes to Conficker'sbehavior, instead of the hourly updates that many receive.

The badguys behind Conficker haven't been able to reliably communicate withthe computers the worm has infected. That means they haven't been ableto program the PCs to send spam, carry out identify-theft scams, orperform any other kind of cybercrime.

That haslikely started changing with the dawn of April 1. Now the programmingon the latest version of Conficker tells those infected machines togenerate 50,000 new Internet addresses each day that they can try and"phone home" for instructions. Previously, they had been looking forcommands from just 250 sites each day. The point of the change is tomake it harder for the security community to pre-register thoseaddresses and keep them out of the bad guys' hands.

Microsofthas offered a $250,000 bounty for information leading to the arrest andconviction of the people responsible for Conficker.

Thehoopla surrounding a very arcane change to Conficker's programming codewas reminiscent of the doomsday fears about the Y2K bug, when the dawnof the millennium was thought to threaten computer networks byinterpreting the new year as 1900 rather than 2000.

"Thereare a lot of people who are on standby waiting to see what happens,"said George Kurtz, senior vice president of McAfee Inc.'s risk andcompliance division. "Ultimately, it could be a big event or Y2009 - April 1 rolls around and nothing happens. But that doesn't mean it'sthe end of the story."

On the Web

Conficker Removal Programs

Copyright © 2014, Los Angeles Times