Reports: Conficker From China, Easily Detected

With April 1 drawing nearer, the Conficker fear has really started to set in. As security experts endeavor to reveal the origin of the virus, others are trying to figure out a method to detect the virus and neutralize the sense of impending doom.

As of Monday, it looks like there’s progress on both fronts. According to the Register, experts have discovered that the malware leaves a fingerprint on machines which is easy to detect using off-the-shelf scanners. While previous methods of detecting the virus have been extremely arduous, this discovery means that admins now have easy-to-use tools with which to identify infected machines in their networks. The Reg goes on to report that as of mid-Monday, signatures will be available for at least six network scanners, including Nmap, McAfee's Foundstone Enterprise and Nessus.

Meanwhile, back at the ranch, those desperately seeking information about the virus or where it came from also seem to be making headway. CNet reports that in response to Microsoft’s offer of a bounty amounting to $250,000 for information leading to an arrest, personnel at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, said Monday that they found clues that the virus may have originated from China. Previous reports speculated that the virus came from Russia or Europe.

With over ten million PCs infected, the Conficker worm is supposedly lying dormant awaiting further instructions. Both F-Secure and Sophos say that although the Conficker worm will do something on April 1, triggering a global virus attack is highly unlikely. In fact, the worm will merely contact its growing network to receive updates, perhaps even change its operation.

"So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing," said F-Secure.

The security firm also said that the latest version is not the most common Conficker worm. In fact, most of the contaminated machines are infected with the B variant that became widespread back in January. According to F-Secure, the B variant will not be updating on April 1; however, the new variant might do something new.

"We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do," F-Secure added.

With the level of panic flying around at the moment we’re more inclined to believe that the panic itself is more contagious or dangerous than the worm. For now, we’ll treat it seriously but not take it seriously. Expect the best but prepare for the worst, and all that.

26 comments
  • tester3000
    This is gonna be epic. LOL
    0
  • tayb
    What? From China? No way...
    3
  • juvealert
    Can someone link how I would know if I have the virus installed or not? Does anyone know if NOD32 is capable of detecting the virus?
    0