Tuesday, March 31, 2009

Conficker Worm: Not An April Fools Joke

After analyzing the disassembled code of the Conficker worm, experts have determined that it will strike on April 1, 2009, otherwise known as April Fools' Day. The worm can spread across a network and infect every unprotected computer on it. To counter security measures that either block the spread of the worm or change its contents, the transmission is encrypted, and it only executes if its signature matches the public key. Originally, the worm created 250 new domains every day across 5 top-level domains (TLDs), the extension a website uses (.com, .net, etc.). Each of these domains is then used to send out more copies of the worm to computers within a network. As a countermeasure, TLD registrars (those who assign domains) stopped all traffic to these domains. The creator responded by releasing a new version, Conficker.C, which will create 500,000 new domains every day. The sheer number of domains that would need to be blocked prevents TLD registrars from stopping all of the traffic caused by the worm.

Even though the disassembly has shown how the worm operates, experts are still unsure what it will actually do once it activates on April 1st. This is because the creator took considerable care in scrambling the source code, also known as obfuscating it, which makes it difficult to turn assembly code (the code that is used by computers) into a higher-level language that is easily read and understood by humans. The worm can prevent important Windows services from functioning, including Windows Update, which contains the patch that fixes the exploit the worm is using. It may cause denial-of-service attacks, or it may simply be an April Fools' joke that eats up network bandwidth. Either way, the situation is critical, and Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of those involved with the creation or distribution of the worm.
