-
04.05.09
conficker no show
So April 1st was supposed to be the day that conficker showed up and did whatever it was going to do. Well…. nothing happened. Or did it? Did your IT organisation have meetings about contingency should anything happen? Were your nerds worried about everything going crazy?
We certainly had those meetings, and were worried about what would happen if things did explode. Isn’t that part of the payload? Just like the old spam emails which would ask you to “forward to everyone that has ever looked at you or kittens will die,” isn’t the payload the time that people have to waste dealing with it or preparing for, well, in this case nothing?
I’m not convinced that conficker is done yet, I’ve already mentioned that I think this is the smartest virus that there has ever been, and I can’t help but think its author would like to do more than just cause people to be a little worried.
The worm updates itself – machines currently infected with variant C have auto-updated themselves from the earlier A and B strains. The code is packed and obfuscated to make it awkward for anti-virus engineers to reverse engineer it and work out what it is going to do.
All the April 1st noise was about infected hosts checking in with 500 different domains, selected at random from a daily list of 50,000 candidates that the worm generates itself. We heard that AV vendors and filtering companies had worked out the generation algorithm, so they can compute each day’s list in advance, and between them they’ve been buying up these domains as well as categorising them so that computers protected by their AV or web filtering will not be able to reach them.
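To show how that defence works, here is a toy date-seeded domain generation algorithm written for this post. It is an added illustration, not Conficker’s real algorithm (which had extra inputs and its own hashing) and not code from any AV vendor; the TLD set, the seed string and the DNS log format are all assumptions. The point it demonstrates is the one above: every infected host derives the same daily list from the date, each host tries only a random 500 of them, and a defender who knows the algorithm can enumerate the whole list before the day arrives and match it against DNS logs.

```python
"""Toy date-seeded DGA plus the defender's precomputation trick.

Illustrative only: this is NOT Conficker's real algorithm, just the same
shape - a large daily list, a random subset tried per host, and a defender
who can enumerate the full list in advance because the algorithm is known.
"""
import datetime
import hashlib
import random

# Assumed TLD set and label alphabet for the toy algorithm.
TLDS = ("com", "net", "org", "info", "biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_domains(day, count=50000):
    """Deterministically derive `count` candidate domains for ISO date `day`.

    Seeding a PRNG from the date is the essence of a DGA: no domain is
    hard-coded in the binary, yet every infected host computes the same list.
    """
    datetime.date.fromisoformat(day)  # reject malformed dates early
    seed = int.from_bytes(
        hashlib.sha256(b"toy-dga-v1|" + day.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(8, 12)))
        domains.append(label + "." + rng.choice(TLDS))
    return domains


def bot_checkin_list(day, host_nonce, tries=500, count=50000):
    """The domains one infected host would try on `day`.

    Each host samples its own random subset (seeded by host_nonce), so the
    botmaster only has to register a handful of the 50,000 to reach most of
    the population, while a defender has to cover all of them.
    """
    candidates = daily_domains(day, count)
    return random.Random(host_nonce).sample(candidates, tries)


def defender_blocklist(day, count=50000):
    """Precompute the whole daily list: what the AV/filtering vendors did."""
    return frozenset(daily_domains(day, count))


def flag_dga_lookups(log_lines, blocklist):
    """Return (client, qname) for DNS log lines whose name is on the blocklist.

    Assumed (constructed) log format: '<timestamp> <client-ip> <qtype> <qname>'.
    Trailing dots and case are normalised so 'ABC.com.' matches 'abc.com'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not a query line we understand; skip rather than crash
        _ts, client, _qtype, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    day = "2009-04-01"
    bot = bot_checkin_list(day, host_nonce=42)
    block = defender_blocklist(day)
    # Constructed DNS log: benign traffic plus two of the bot's check-in attempts.
    log = [
        "2009-04-01T00:00:01 10.0.0.12 A www.example.com",
        "2009-04-01T00:00:02 10.0.0.12 A " + bot[0],
        "2009-04-01T00:00:03 10.0.0.15 A update.microsoft.com",
        "2009-04-01T00:00:04 10.0.0.12 A " + bot[1] + ".",
    ]
    for client, name in flag_dga_lookups(log, block):
        print("possible DGA check-in from", client, "->", name)
```

The asymmetry is the whole story: the bot only needs one of its 500 lookups to succeed, so the defenders cannot block “some” of the list, they have to take all 50,000 per day, and that is only possible because the algorithm was recovered from the unpacked sample.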
I shall continue to watch with interest as conficker evolves. For the sake of the infected folks out there I hope it turns out to be a gun with a flag in it with “bang” written on.
-
02.02.09
conficker/downadup virus
Schools in Kent appear to be suffering quite a bit with the conficker / downadup virus. This first sentence immediately signifies a problem with the anti-virus community – different AV vendors give different names to the same virus. F-Secure describe the virus as downadup, Sophos, Symantec and McAfee all describe it as conficker. Some other vendors call it something different from either. If there was a universal name for every virus it would be simpler to convey messages to the public – AV industry, fix this. Decide on a standard and move on.
The conficker virus spreads using mapped network drives, portable storage devices (USB keys, camera flash memory etc), a vulnerability in Windows (MS08-067, patched by Microsoft in October 2008), network admin shares protected by weak passwords, and an HTTP server that the virus itself starts on an infected host to serve copies of itself. It’s a comprehensive virus, as smart as I’ve ever seen. It’s spreading very fast too, currently estimated at over 10 million hosts.
What is worrying people is that, other than propagating itself and preventing access to security update sites (the virus blocks access to Windows Update and anti-virus update sites to try to stop you from removing it), there is currently no payload to the virus – it doesn’t actually do anything. Viruses usually effect some kind of activity on their hosts. In years gone by you had the Blaster worm, which attempted to bring down the Microsoft Windows Update site and would restart computers, and the Netsky family of worms, which disrupted the user experience. The reason the conficker virus is worrying is that with 10 million hosts infected, if its author decides to deliver a payload, the effects could be devastating – these hosts are sitting awaiting further instructions from their creator. Imagine 10 million computers trying to access the same website at the same time. This is known as a distributed denial of service attack, or DDoS. Whatever the chosen target is for the attack will be brought to its knees.
I’m awaiting the continued story of this virus with interest.