Conficker Worm: Computer Chaos?

Conficker computer worm spreads worldwide, keeps updating.

March 25, 2009 -- Somewhere out there, perhaps in Eastern Europe, perhaps next door to us, a very clever hacker is spreading a sophisticated little computer worm called Conficker.

It could make an electronic mess as it spreads from one computer to another, taking over machines and commanding them to do things their users never intended.

"We've got some bad guys out there who are extremely sophisticated," said Merrick Furst, a professor at Georgia Institute of Technology who also chairs an Internet security firm called Damballa. "There are a huge number of machines that might be able to be controlled by people other than the owners of those machines."

Who is behind this computer attack? And what do they want from us? Are they trying to bring the world's computers to a halt? Or is the whole thing just some elaborate April Fool's joke?

"It's not an April Fools prank," said Phillip Porras, a program director at SRI International, a major technology research firm. "We don't know much about how Conficker is being used. We are not sure why Conficker was built."

Small but Sophisticated

"The vast majority of threats we see today are attempts to steal confidential information. We know there's a large underground economy where personal information is sold," said Dean Turner of the online security firm Symantec.

Conficker is a small computer program that has made its way around the world, probably infecting millions of computers that run on Microsoft Windows.

It is not, strictly speaking, a computer virus. Instead, it may link an infected computer with others as if they were one giant, coordinated machine, known to computer scientists as a botnet.

The program automatically turns off various security settings built into Microsoft Windows. It seems to block users from going to major Web sites that provide anti-virus protection. And -- maddeningly -- it contains instructions for infected computers to contact a control system, somewhere out there in cyberspace, on April 1.

As for whether something will actually happen on that day, there's no saying.

"The big thing that makes this one creepy is that it's adapting to the defenses that the security community is putting up," said Dan Kaminsky, a computer security consultant for Seattle-based IOActive, Inc.

Will it affect your personal computer at home? Kaminsky said probably not. Instead, security experts suspect it will go after corporate networks, especially if they run older versions of Windows.

Computers that run on Apple's operating systems, or on the free system Linux, are apparently not affected.

Conficker Computer Worm: Havoc or Hoax?

It is hard to say how many computers are affected. Estimates range from 9 to 15 million computers, though there is little agreement among computer scientists.

At Georgia Tech, Furst said he has heard estimates that 3 percent to 5 percent of the computers at Fortune 500 companies might have some form of a so-called "malware" like Conficker, which makes it possible for outsiders to control them or mine data from them.

Conficker seems to spread more easily than previous computer viruses. It may be embedded in other software. If it happens to get into software you have stored on a so-called thumb drive -- a small memory device you can plug into a computer's USB port -- it contains code to activate automatically when it senses that the thumb drive has been plugged in.

Microsoft is worried enough that it has offered a $250,000 reward for information leading to the arrest of Conficker's creators. And ICANN, the international organization that hands out addresses on the World Wide Web, has gotten a dozen universities and computer-security organizations together to stamp out the bug. They refer to themselves informally as the Conficker Cabal.

"The important thing to recognize is how much better things have gotten in this space," said IOActive's Kaminsky. In 2003, he said, worms took down entire networks. But, in 2009, we won't see that, he said.

"Infection rates are much lower than they would have been if this had happened in 2003," Kaminsky said.

How to Protect Yourself

Computer scientists said most people probably won't notice anything wrong with their machines, even on April 1, if indeed some command is sent by Conficker on that day.

But for safety, Microsoft and other companies are working on a Web site as a go-to place for people who find their anti-virus software has been disabled by the worm. In the meantime, Microsoft has created a software "patch" that people can find HERE if it was not installed in their computers already.

Another useful site set up by Microsoft is called safety.live.com; find it HERE.

Furst said security people are "both afraid and sanguine." They believe they have good protections in place -- but they are not sure what they're up against.

"This one's pretty cutting-edge," he said. "The bad guys are ahead of the good guys."

Ki Mae Heussner contributed reporting for this story.