For HomeFor BusinessFor Partners
Archive
2 min read

Conficker April Surprise

Răzvan STOICA

April 03, 2009

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Conficker April Surprise

The virus posesses two main update mechanisms.

The most visible is the HTTP or web mechanism whereby each infected machine checks
500 of the 50000 possible update URLs every day, for a neat 1 in a hundred
chance to get an update. This mechanism is obviously pretty slow, by itself,
but its speed does not depend on the number of machines which are infected. If
one of the links remains up and serving the update for a hundred days, the
whole virus network is updated.

The P2P update system is less visible. Its only requirement is to somehow introduce
on the Internet a new machine (or several hundred) which are already updated
and accessible from anywhere.

One could do so by using an alternate infection mechanism such as malicious e-mail
or a trojanized version of the virus planted on a file sharing network or even,
for spy-movie drama, by leaving a USB drive which contains the virus unattended
on a park bench.

Using this system, an infected machine checks arround 600 IP addresses(of the total
of roughly 3.3 billion usable IP addresses) every hour, in an attempt to find
other infected machines which have more recent code and update itself.

Now, let’s assume a network of 10 million infected computers (a pessimistic estimate),
of which only one runs an updated version of the virus. The probability for an
infected machine to find the single existing updated machine, in the first try,
is 1 in three billion.

It seems vanishingly small, but we have 10 million machines to play with, 600 tries
per hour each (or a total of 6 billion tries), so we can be very sure that the
updated code _will_ be found within the hour.

The simple, scary logic of exponential growth then takes over. Finding one of two
machines is twice as easy, one of four even easier and the ball keeps rolling
until, using this system, the entire network could be updated in just 16 hours
or thereabouts. A smaller network will take longer, but not much longer.

Combine the two systems (I’ll spare you, again, the gory mathematical details) and you
get an approximate time of 9 hours for a full 10 million-strong network update.

But is the speedup of using the HTTP mechanism worth it, from a virus writer’s
point of view? Considering that every security researcher and company worth
their salt is monitoring the 50000 URLs, no, not really.

It’s vastly more probable that the author or authors are keeping the http option in
reserve and relying on P2P for regular updates.

Conficker is here to stay, in other words. Our only valid options, as always, are to
immunize everyone against new versions and to slowly clean up the
already-infected hosts.

 

tags

Archive

Author

Răzvan STOICA

Răzvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.

View all posts

Right now Top posts

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide
Scam Spam

Spam trends of the week: Crypto giveaways, false prophets, Fintech phishing scams and more hit user inboxes worldwide

April 19, 2024

5 min read
Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond
Scam How to Tips and Tricks

Start Cyber Resilience and Don’t Be an April Fool This Spring and Beyond

April 01, 2024

2 min read
Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts
Spam Industry News Threats

Spam trends of the week: Cybercrooks phish for QuickBooks, American Express and banking accounts

November 28, 2023

4 min read
Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting
Protecting Your Important How to Tips and Tricks

Protecting your important: Stick to these 8 cybersecurity tips for safe Black Friday and Cyber Monday deal hunting

November 08, 2023

4 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

How to keep your Android device immune to malicious vaccine themed apps
Archive

How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine
Archive Industry News

Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands
Archive

Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read

Bookmarks

loader