Conficker Computer Worm 'Tamed'?

Security Groups Say They Have Detection Tool to Stop Conficker

By NED POTTER

March 31, 2009

The Conficker computer worm -- even if it does nothing much to the world's computer networks -- seems to have created an international state of anxiety. But some computer scientists say they may have the bug under control.

"We pulled off a bit of a coup," Dan Kaminsky, a computer security specialist for the firm IOActive, wrote in an e-mail to us.

What did they do? Well, Conficker, sophisticated as it may be, is really nothing more than lines of code -- letters and numbers, written by hackers -- which Kaminsky and colleagues have been able to read and probe for mistakes. Over the weekend, they report, they were able to create a detection tool that would show computer network operators if their systems had been infected.

"We saw an opportunity to manage the risks that Conficker introduces in a clean, straightforward manner, with just a little bit of work over a weekend. I'm pretty happy it worked out!" said Kaminsky.

You may recall that computer engineers said Conficker seemed quite sophisticated for a piece of so-called "malware." It is not, strictly speaking, a computer virus; instead, it seems designed to get stealthily into people's machines and take control of them en masse -- though just for what, is unclear.

Once it infects a computer, it contains instructions to contact some faraway command center for further instructions April 1. More than one engineer thought it was possible the whole thing was an elaborate April Fool's joke -- though if so, its creator, or creators, went to an awful lot of trouble for very little.

Kaminsky was among the more sanguine members of the "Conficker Cabal," the loosely knit team working on the problem. (They've since renamed themselves the Conficker Working Group.) He thought it quite possible that on April 1, the world would wake up to -- well, to nothing. People called it the "doomsday virus," but Kaminsky said if all those infected computers did, in fact, receive commands from somewhere, they would not exactly explode all at once.

Conficker Worm: 'Doomsday'? Or Hype?

"I wish I could say I'd learned what it's going to do on April 1," he said. "I haven't. We've definitely learned better strategies for tracking infections of this nature."

The working group says it has found how Conficker gets into Microsoft Windows: the worm releases what appears to be a software "patch" or update that, at first glance, may appear to be Microsoft's own.

But it's not -- and engineers have now sent out commands that will help system operators tell if they're safe. Several groups, including the Department of Homeland Security, have sent out similar software fixes.

Small but Sophisticated

"The vast majority of threats we see today are attempts to steal confidential information. We know there's a large underground economy where personal information is sold," said Dean Turner of the online security firm Symantec.

Conficker is not, strictly speaking, a computer virus. Instead, it may try to link an infected computer with others as if they were one giant, coordinated machine, known to computer scientists as a botnet.

The program automatically turns off various security settings built into Windows. It seems to block users from going to major Web sites that provide anti-virus protection. And -- maddeningly -- it contains instructions for infected computers to contact a control system, somewhere out there in cyberspace, on April 1.

Will it affect your personal computer at home? Kaminsky said probably not. Instead, security experts suspect it will go after corporate networks, especially if they run older versions of Windows. Computers that run on Apple's operating systems, or on the free system Linux, are apparently not affected.

Merrick Furst, a computer scientist at Georgia Tech, said he has heard estimates that 3 to 5 percent of the computers at Fortune 500 companies contain botnet infections like Conficker, though computer scientists concede that it is hard to agree upon real numbers. It's been estimated that Conficker has reached anywhere from 3 to 15 million computers worldwide, though they mostly run older versions of Windows.

"The bad guys are ahead of the good guys," said Furst.

Microsoft has offered a $250,000 reward for information leading to the arrest of Conficker's creators. And ICANN, the international organization that hands out addresses on the World Wide Web, has gotten a dozen universities and computer-security organizations together to stamp out the bug.

"The important thing to recognize is how much better things have gotten in this space," said Kaminsky. In 2003, he said, worms took down entire networks. But in 2009, we won't see that, he said.

"Infection rates are much lower than they would have been if this had happened in 2003," Kaminsky said.

Practical Advice

Computer scientists said most people probably won't notice anything wrong with their machines, even on April 1, if indeed some command is sent by Conficker on that day.

But for safety, Microsoft and other companies are working on a Web site as a go-to place for people who find their anti-virus software has been disabled by the worm. In the meantime, Microsoft has created a software "patch" that people can find HERE if it was not installed in their computers already.

Another useful site set up by Microsoft is called safety.live.com.

Any better idea who created Conficker?

"No clue," said Kaminsky. "Just that whoever they are, they are good at what they do."

ABC News' Ki Mae Heussner contributed to this story.