While many people quickly wrote off the Conficker worm as pure hype and brushed it aside, we believe that people should in fact be worried that the Conficker worm remained rather dormant and did not cause any massive damage as predicted. There are two reasons for this cautionary note: one social and one technical.
First, the lack of activity by the Conficker worm on April 1st exemplifies the new kind of threat that average users must constantly be aware of: new breeds of malware tend to remain stealthy and perform malicious activities without triggering users' suspicion. Gone are the days of the Slammer and Blaster worms, where the goal of the malware was to infect as many systems as possible in a short amount of time and subsequently cause massive network problems through DDoS attacks. Today, the majority of malware is designed with financial goals in mind: stealing user IDs, passwords, account numbers, and so on. In the case of the Conficker worm, the fact that the worm stayed off the radar should concern not only security researchers but also average users.
Second, on the technical front, the Conficker worm demonstrates how sophisticated modern-day malware has become. To highlight the capabilities of the Conficker worm (across all known variants):
- It has built-in digital signature verification algorithms to verify the authenticity of the malware binary
- One variant even uses MD6, one of the newest hashing algorithms around
- The binary is encrypted/packed
- It has the ability to update itself securely
- It makes extensive use of anti-debugging techniques
- It can terminate/block well-known security software
- It can automatically scan for and infect other systems
Because the Conficker worm can update itself automatically, the capabilities of the worm can change as demanded by the people behind the worm. Install a key logger? Sure. Hijack your web traffic? No problem. Steal some user data? Easy. The options are almost endless. And we will certainly see more variants of the Conficker worm in the future.
And, more importantly, they will run silently in the background.