Questions and Answers: Conficker and April 1

Original author: Mikko
Conficker and Downadup

There are now many rumours on the Internet that something terrible will happen on the first of April. Conficker (Downadup, Kido) will start using a new domain-generation algorithm to fetch updates, so people are inventing all sorts of fables, up to the "end of the Internet". Some comrades even advise not going online on April 1st at all.
Yesterday our guys published a FAQ about this on the F-Secure blog, and here is my translation of it. Read it to avoid panic and to know what exactly will happen on April 1st.

Q: I heard that something very, very bad will happen to the Internet on April 1st. Is that so?
A: No, not really.

Q: Seriously, the Conficker worm will start doing something bad on April 1st, right?
A: Conficker, aka Downadup, will slightly change the way it works, but this is unlikely to lead to any visible changes on April 1st.

Q: So what will happen on April 1st?
A: Currently Conficker generates 250 different domain names every day and tries to download an update program from them and run it. On April 1st, the latest version of Conficker will start choosing 500 of 50,000 domains every day for the same purpose: downloading and launching files.
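As an added defender-side illustration (not from the original post or from F-Secure), the following Python script flags hosts in a DNS log whose daily lookups resemble the domain-generation behaviour described above: hundreds of distinct names per day, most of which do not resolve. The log format, the threshold and the sample data are constructed assumptions, not the worm's actual domain list.

```python
from collections import defaultdict
import random

# Tuning knob (assumption): distinct non-existent names per host per day that
# we treat as DGA-like; Conficker is described as trying 250 or 500 per day.
NX_THRESHOLD = 100

def parse_dns_log(text):
    """Parse 'host date qname rcode' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host, day, qname, rcode = parts
        records.append((host, day, qname.lower().rstrip("."), rcode.upper()))
    return records

def dga_suspects(records, nx_threshold=NX_THRESHOLD):
    """Return {(host, day): (distinct_nxdomain, distinct_total)} for host-days
    where NXDOMAIN names reach the threshold and make up at least half of
    all distinct names the host looked up (ordinary hosts miss occasionally
    but do not burn through hundreds of fresh domains)."""
    nx, total = defaultdict(set), defaultdict(set)
    for host, day, qname, rcode in records:
        total[(host, day)].add(qname)
        if rcode == "NXDOMAIN":
            nx[(host, day)].add(qname)
    suspects = {}
    for key, names in nx.items():
        n_nx, n_total = len(names), len(total[key])
        if n_nx >= nx_threshold and 2 * n_nx >= n_total:
            suspects[key] = (n_nx, n_total)
    return suspects

def constructed_log():
    """Constructed sample: 10.0.0.5 resolves 250 generated names that do not
    exist (DGA-like) plus normal sites; 10.0.0.7 has only normal traffic."""
    rng = random.Random(1)
    lines = []
    for _ in range(250):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                       for _ in range(rng.randint(6, 10)))
        tld = rng.choice([".com", ".net", ".org"])
        lines.append(f"10.0.0.5 2009-04-01 {name}{tld} NXDOMAIN")
    for site in ("www.f-secure.com", "google.com", "yahoo.com", "facebook.com"):
        lines.append(f"10.0.0.5 2009-04-01 {site} NOERROR")
        lines.append(f"10.0.0.7 2009-04-01 {site} NOERROR")
    lines.append("10.0.0.7 2009-04-01 mistyped-name.example NXDOMAIN")
    return "\n".join(lines)
```

Running `dga_suspects(parse_dns_log(constructed_log()))` reports only 10.0.0.5; a real deployment would feed resolver logs and tune the threshold to the site's baseline.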

Q: The latest version? Are there several different versions, or what?
A: Yes, and the latest version is not the most common one right now. Most infected computers are infected with Variant B, which began spreading in January. And the behaviour of this Variant B will not change at all.

Q: I just checked that my Windows machine is not infected. Will anything happen to my computer on April 1st?
A: No!

Q: I have a Mac, will something happen to my computer?
A: No!

Q: So, does this mean that hackers can use this new channel to download and run any program on all infected machines?
A: Yes, on all machines that are infected with the latest version of the worm.

Q: But what is this peer-to-peer download functionality I've heard about?
A: The worm has peer-to-peer functionality, which means that infected computers can communicate with each other without needing a server. This allows the worm to update itself even without registering any of the 250 or 50,000 domains.

Q: But does this mean that if the “bad guys” wanted to run something on infected machines, they would not have to wait until April 1st?
A: Yes! And this is another reason why it is unlikely that something bad will happen on April 1st.

Q: Will there be serious hype in the media?
A: Oh yeah! As always when some widespread worm has a trigger date. Remember the cases of Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

Q: But in those cases, nothing special happened, despite the fact that everyone expected that something would happen!
A: Exactly!

Q: So, should I turn off and not turn on my computer on April 1?
A: No. But you should check and make sure that your computer is not infected.

Q: Can I just change the date on my computer and thereby protect myself?
A: No, of course not. The worm uses local time for several of its functions, but it does not rely ONLY on the time on your computer.

Q: I'm confused. How can you be sure in advance that there will be no global virus attack on April 1st? You must be hiding something!
A: Yes, you are confused. There will be no "global virus attack". Machines that are ALREADY infected may start doing something new on April 1st. We know this because we have studied the worm's code and can see that this is exactly what it is programmed to do.

Q: Will the program downloaded by the worm run with administrator privileges?
A: Yes, with local administrator privileges. Which is very bad!

Q: And this worm can download the update not only on April 1st, but any day after that?
A: Exactly. So there is no reason why they could not do this on, say, April 5th rather than the 1st.

Q: OK, they can run the program on the infected computer. But why? What will this program do?
A: We do not know what they plan to do, if they plan anything at all. Of course, they could steal your data, send spam from your computer, run DDoS attacks against other computers and servers, and so on. But we do not know what exactly they are going to do next.

Q: They? Who are they? Who made this worm?
A: We don't know that either. But judging by what they do, they look very professional.

Q: Professional? Is it true that Conficker uses the MD6 hash algorithm?
A: Yes. This is probably the first program to use this new algorithm!

Q: Why can't you infect your own computer, set the clock to April 1st and see what happens?
A: Because it won't work like that. The worm connects to certain websites to find out today's date and time.

Q: Really? Then take down these sites and the problem will disappear!
A: We can't. These are sites like google.com, yahoo.com and facebook.com.

Q: No, seriously, you can set up your own google.com in your lab, set it to April 1st and check everything!
A: We can. But the sites from which the worm will try to download something on April 1st have nothing on them right now! They may have something on April 1st. Or they may not.

Q: Now I'm worried. How do I know whether I am infected?
A: Try visiting www.f-secure.com. If you cannot access our site, you are probably infected, because Downadup/Conficker blocks access to the sites of anti-virus companies. Don't tell anyone, but those who can't reach f-secure.com because of the virus can use the special mirror www.fsecure.com.

Q: Where did the name “Conficker” come from?
A: Conficker is a sort of anagram of the word trafficconverter, the site to which the first version of the worm connected.

Q: Why does the worm have several names: Downadup, Conficker, Kido?
A: The virus was found at about the same time by several anti-virus companies, and each of them gave it its own name. Now most companies use the name Conficker. But the confusion continues with the naming of the new variants between companies. We all regret it.

Q: How many computers are now infected with the Downadup/Conficker worm?
A: About 1-2 million. How many of them are infected with the latest version? We do not know the exact number.

Q: How does the antivirus industry react to all of this?
A: We reacted by creating the Conficker Working Group. The group includes representatives of anti-virus vendors (including us), registrars, researchers and others.

Q: I want to know more technical details about the worm.
A: Of course. Here is our description (in English), and here is an excellent description (in English). And here is my description in Russian.

Q: When was the first Downadup/Conficker variant discovered?
A: It was found on November 20, 2008.

Q: More than 4 months ago? I want to see a timeline of what happened in these 4 months.
A: Byron Acohido wrote about this.

Q: Can F-Secure's anti-virus detect and remove this worm?
A: Of course.

Q: Do you have a special removal tool for the worm?
A: Yes, and it is free. Download it from here.

Q: Are you going to continue to monitor this further?
A: Yes. Stay tuned for more information.