Thursday, April 2, 2009

Life After the Conficker Worm: Why You Should Be Worried

April 1st, 2009 has come and gone without a hitch. Despite all the hype around the now world-famous Conficker worm (see the CBS 60 Minutes special and the minute-by-minute war room report from Wired), the damage done by the worm appears to be rather limited. There has been no massive outbreak and no meltdown. Armageddon? End of the world? Overstated?

While many people quickly wrote off the Conficker worm as pure hype and brushed it aside, we believe that people should in fact be worried precisely because the worm remained dormant and did not cause the massive damage that was predicted. There are two reasons for this cautionary note: one social and one technical.

First, the lack of activity by the Conficker worm on April 1st exemplifies the new kind of threat that average users must constantly be aware of: new breeds of malware tend to remain stealthy and carry out their malicious activities without triggering the user's suspicion. Gone are the days of Slammer and Blaster, whose goal was to infect as many systems as possible in a short amount of time and then cause massive network problems, whether through their own scanning traffic or through DDoS payloads. Today, most malware is designed with financial goals in mind: steal user IDs, passwords, account numbers, and so on. In the case of the Conficker worm, the fact that the worm stayed off the radar should concern not only security researchers but also average users.

Second, on the technical front, the Conficker worm demonstrates how sophisticated modern-day malware has become. A sample of its capabilities (across all known variants):
  • It verifies a digital signature on every payload it downloads, so only whoever holds the authors' private key can push new code to infected machines
  • One variant even uses MD6, one of the newest hash functions around (a SHA-3 candidate at the time)
  • The binary is encrypted/packed
  • It can update itself over the network, and the signature check above means nobody else can feed it a fake update
  • It makes extensive use of anti-debugging techniques
  • It can terminate or block well-known security software
  • It automatically scans for and infects other systems (through the MS08-067 vulnerability in the Windows Server service, and in later variants also through network shares and removable media)
The folks at SRI have published an excellent in-depth analysis of the Conficker worm, and it is well worth a read.
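The signed-update gate from the list above, as an added illustration for this post (it is neither Conficker's code nor anything from the SRI report): a bot accepts a downloaded payload only if the RSA signature over its digest verifies under the operator's public key. The payload bytes, the 512-bit keys and the seeded random generator are constructed for the demo, and textbook RSA without padding is used to keep it short; the real worm uses proper RSA signatures with far larger keys (1024-bit with SHA-1 in the A variant, 4096-bit with MD6 in B).

```python
"""
Toy model of a signed-update gate: execute a downloaded payload only if its
RSA signature verifies.  Constructed example, not Conficker code.  Textbook
RSA over a SHA-256 digest with no padding; fine for illustrating the gate,
not a production signature scheme.
"""
import hashlib
import random

# Deterministic RNG so the example is reproducible.  A real key generator
# must draw from os.urandom / secrets instead.
_rng = random.Random(2009)


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as (n, e) and (n, d).  512-bit modulus keeps the
    demo fast; Conficker.A used 1024-bit keys and Conficker.B 4096-bit keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _digest_int(payload: bytes) -> int:
    # 256-bit digest, always smaller than the 512-bit modulus above.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(private_key, payload: bytes) -> int:
    """Operator side: sign the payload digest with the private key."""
    n, d = private_key
    return pow(_digest_int(payload), d, n)


def verify(public_key, payload: bytes, signature: int) -> bool:
    """Bot side: true only if the signature was made with the matching private key."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == _digest_int(payload)


def install_update(public_key, payload: bytes, signature: int) -> str:
    """Model of the update gate: what the bot does with a downloaded blob."""
    if verify(public_key, payload, signature):
        return "EXECUTE"   # a real bot would unpack and run the payload here
    return "DISCARD"       # unsigned, tampered or foreign payloads are ignored


if __name__ == "__main__":
    operator_pub, operator_priv = generate_keypair()
    payload = b"constructed update blob: install keylogger module"  # made-up payload
    sig = sign(operator_priv, payload)
    print(install_update(operator_pub, payload, sig))            # EXECUTE
    print(install_update(operator_pub, payload + b"x", sig))     # DISCARD: tampered
    # Someone who merely controls a rendezvous domain has no private key:
    _, other_priv = generate_keypair()
    print(install_update(operator_pub, payload, sign(other_priv, payload)))  # DISCARD
```

The third case is the one that matters for defenders: taking over the domains a bot polls lets you see the traffic, but without the operator's private key nothing you serve passes the gate, so you cannot push a cleanup payload any more than a rival gang can hijack the botnet. That is what "updates itself securely" means in practice.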

Because the Conficker worm can update itself automatically, its capabilities can change whenever the people behind it decide. Install a key logger? Sure. Hijack your web traffic? No problem. Steal some user data? Easy. The options are almost endless. And we will certainly see more variants of the Conficker worm in the future.
And, more importantly, they will run silently in the background.

Saturday, March 28, 2009

New Variants of the Storm Worm invade on Valentine’s Day

On Valentine's Day (February 14th) 2009, a massive outbreak of the Storm worm flooded the internet with millions of spam emails containing links to malicious websites which, when visited, infect the user's computer with the Storm worm. Although the Storm worm was first discovered on January 17th, 2007, it has had a remarkably long life because of the incredible number of variants it has (over 50,000). This time is no different: new variants of the Storm worm were released into the wild through malicious web sites.
The following is part of a spam email sent by the Storm worm:

Subject: A Valentine card for you!
From: “Neddie”
Date: Sat, February 14, 2009 5:36 am

Neddie wants to show you an electronic greeting card and wrote to you:
“I Just Called To Say I Love You”

It is waiting for you at our card site, go ahead and see it:
http://oehee.valentinesupersite.com/?cardid=a36c434555dc7c289e165ea050
The greeting card will be stored for you for 14 days.

If a user clicks on the link in the email, they are brought to a web site that either downloads the malware directly onto their computer or prompts the user to download the malware disguised as an electronic Valentine's Day card. The file is aptly named "lovekit.exe" or "postcard.exe" so that the user will not become too suspicious. Once running, the malware makes the following changes to the Windows registry so that it is started automatically each time the system boots (the Run entry is what provides the autostart; MyID is a value the malware writes directly under CurrentVersion):

  • HKLM\software\Microsoft\Windows\CurrentVersion\Run:promoreg=[location of the malware]
  • HKCU\software\Microsoft\Windows\CurrentVersion:MyID
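A quick way to look for this kind of persistence on a machine is to export the Run keys and inspect where each autostart entry actually points. The script below is an added example for this post (not the malware's code and not the author's): it parses the text that `reg export` or regedit writes for the Run keys and flags entries whose executable sits outside the Windows and Program Files trees or inside a user-writable directory such as Temp or the profile. The sample export it runs on is constructed, and the path shown for "promoreg" is a hypothetical drop location, not one from the report.

```python
"""
Triage of Windows Run-key autostart entries, in the spirit of the persistence
the Storm variant above sets up.  Added example; the sample .reg text is
constructed and the "promoreg" path is hypothetical.
"""
import re

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"promoreg"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\lovekit.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.I)

# Where legitimate autostart binaries normally live (lower-cased for matching).
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
# Directories an unprivileged user, and hence a user-level dropper, can write to.
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\appdata\\',
                 '\\documents and settings\\', '\\users\\', '\\recycler\\')
# Environment variables commonly seen in Run values.
ENV_VARS = {'%windir%': 'C:\\Windows', '%systemroot%': 'C:\\Windows',
            '%programfiles%': 'C:\\Program Files'}


def _unescape(s):
    """Undo .reg escaping: a backslash protects the next character."""
    return re.sub(r'\\(.)', lambda m: m.group(1), s)


def parse_run_keys(reg_text):
    """Yield (key, value_name, command) for every value under a Run/RunOnce key."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current and RUN_KEY_RE.search(current):
            yield current, _unescape(m.group(1)), _unescape(m.group(2))


def executable_of(command):
    """Pull the program path out of a Run command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    # Bare paths may contain spaces, so cut at the first executable extension.
    m = re.match(r'(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)', command, re.I)
    return m.group(1) if m else (command.split() or [command])[0]


def _expand(path):
    lower = path.lower()
    for var, value in ENV_VARS.items():
        if lower.startswith(var):
            return value + path[len(var):]
    return path


def triage(reg_text):
    """Return the Run entries that deserve a closer look, with the reasons."""
    findings = []
    for key, name, command in parse_run_keys(reg_text):
        exe = _expand(executable_of(command)).lower()
        reasons = []
        if not exe.startswith(TRUSTED_ROOTS):
            reasons.append('outside system/program directories')
        hit = next((d for d in USER_WRITABLE if d in exe), None)
        if hit:
            reasons.append('runs from user-writable location (%s)' % hit.strip('\\'))
        if reasons:
            findings.append({'key': key, 'name': name, 'exe': exe, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REG_EXPORT):
        print('%s\\%s -> %s: %s' % (f['key'], f['name'], f['exe'], '; '.join(f['reasons'])))
```

On a real machine, feed it the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU equivalent). The heuristic is deliberately crude: a clean result only means nothing autostarts from an odd location, not that the machine is clean, and legitimate updaters that live under the user profile will show up and need to be whitelisted.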

Because these variants were previously unseen, most signature-based Anti-Virus products were still unable to detect the worm as of February 16th, 2009, two days after the new variants were released (see Picture 1). This underscores the difficulty traditional signature-based AV vendors face:


As we can see, a large majority of the Anti-Virus products were unable to detect these new Storm worm variants more than 48 hours after the worm was first reported in the wild.