Conficker Worm Attacks, Morphs

Malware infects Univ. of Utah and reveals money-making scam.

April 13, 2009— -- The sophisticated Conficker worm has infected about 800 computers at the University of Utah, campus officials said today.

The outbreak was first detected Thursday and, by Friday, had spread to computers at the hospitals, medical school and colleges of nursing, pharmacy and health.

Chris Nelson, a University of Utah health sciences spokesman, said that patient data and medical records had not been compromised because they are protected more securely.

The outbreak was still active this morning, although it has been contained, he said.

"It's still presenting itself, but we're able to manage it in a much more localized way," said Nelson, adding that school officials believe they contained it before it jeopardized personal information.

The university's office of information technology notified the campus and advised faculty, students and staff on how to protect their computers and has been aggressively cleaning infected machines.

'Pesky' Virus Returns Even After Computer Is Cleaned

But Nelson said the virus is "a pesky little thing" that manages to return even after it has been wiped off a computer.

Still, he said the IT office is carefully monitoring the system and will continue to do so for the next 30 days.

Nelson said that some of the infiltrated computers started to slow down but many others did not show any evidence of the infection.

Installs Fake Anti-Virus Software to Make Money

Security experts also say that Conficker has adapted to become more efficient and earn its keep.

"It's using itself to make more money, to monetize," said Kevin Haley, director of Internet security firm Symantec's security response team.

The worm is dropping a piece of malware that pretends to be a anti-virus program called Spyware Protect 2009. He said the rogue program displays a message telling the user that the computer is infected and offers to clean it up for $49.95.

The program is not spyware removal software but only a ploy to obtain credit card information.

Conficker Has Infected Millions of Computers Around the World

Conficker's origins and purpose are unknown, but computer security experts say it could make an electronic mess as it spreads from one computer to another, taking over machines and commanding them to do things their users never intended.

"We've got some bad guys out there who are extremely sophisticated," said Merrick Furst, a professor at Georgia Institute of Technology who also chairs an Internet security firm called Damballa. "There are a huge number of machines that might be able to be controlled by people other than the owners of those machines."

Conficker is a small computer program that has made its way around the world, probably infecting millions of computers that run on Microsoft Windows.

It is not, strictly speaking, a computer virus. Instead, it may link an infected computer with others as if they were one giant, coordinated machine, known to computer scientists as a botnet.

Adapts to Defenses Created by Security Community

The program automatically turns off various security settings built into Microsoft Windows. It seems to block users from going to major Web sites that provide anti-virus protection. And -- maddeningly -- it contains instructions for infected computers to contact a control system, somewhere out there in cyberspace.

"The big thing that makes this one creepy is that it's adapting to the defenses that the security community is putting up," said Dan Kaminksy, a computer security consultant for Seattle-based IOActive, Inc.

Will it affect your personal computer at home? Kaminsky said probably not. Instead, security experts suspect it will go after corporate networks, especially if they run older versions of Windows.

Computers that run on Apple's operating systems, or on the free system Linux, are apparently not affected.t is hard to say how many computers are affected. Estimates range from 9 to 15 million computers, though there is little agreement among computer scientists.

Microsoft Offers Reward for Information

At Georgia Tech, Furst said he has heard estimates that 3 percent to 5 percent of the computers at Fortune 500 companies might have some form of a so-called "malware" like Conficker, which makes it possible for outsiders to control them or mine data from them.

Conficker seems to spread more easily than previous computer viruses. It may be embedded in other software. If it happens to get into software you have stored on a so-called thumb drive -- the small memory devices you can plug into a computer's USB ports -- it contains code to activate automatically when it senses that the thumb drive has been plugged in.

Microsoft is worried enough that it has offered a $250,000 reward for information leading to the arrest of Conficker's creators. And ICANN, the international organization that hands out addresses on the World Wide Web, has gotten a dozen universities and computer-security organizations together to stamp out the bug. They refer to themselves informally as the Conficker Cabal.

"The important thing to recognize is how much better things have gotten in this space," said IOActive's Kaminsky. In 2003, he said, worms took down entire networks. But, in 2009, we won't see that, he said.

"Infection rates are much lower than they would have been if this had happened in 2003," Kaminsky said.