(Friday, Mar 27 2009)
According to Bkis’ analyses, the Conficker worm’s code is closely related to that of the Nimda worm, which spread worldwide in September 2001. At that time, our experts determined that Nimda originated from China. Therefore, it is almost certain that Conficker has a Chinese origin.
The analyses show that the return of this malware will not necessarily be on April 1st, as earlier warnings suggested. Conficker’s code is programmed to activate its module for downloading new variants from April 1st onward. Consequently, the return of the worm can be on any day from then on, not just April 1st.
In more detail, starting from April 1st, Conficker will generate 50,000 different domain names each day and check which of them have already been activated by Conficker’s writer. If an active domain is found, the worm connects to it and downloads new variants. Otherwise, the process is repeated the next day. “As long as the hacker has not activated any domain, the worm cannot find any active one and thus the return of Conficker will never happen,” said Nguyen Tu Quang, CEO of Bkis. In short, the return of the worm may be on April 1st, 2nd, 3rd… or any arbitrary day, depending on the hacker.
Bkis’ analyses also reveal that Conficker now carries self-protection techniques and disables all current removal tools, including the Symantec W32.Downadup Removal Tool, the Microsoft Malicious Software Removal Tool, the Kaspersky Kido Removal Tool…
“We also observe that with their great efforts, Microsoft and the Conficker Cabal have successfully taken control of at least 13% of the domain names that the Conficker writer may use. That also means the spreading rate of the worm will be reduced by about 13% when it returns,” said Nguyen Tu Quang.
Below are the domain suffixes under which Microsoft and the Conficker Cabal have successfully taken control of the domain names: .as, .cl, .co.uk, .com.do, .com.mx, .com.ni, .com.pa, .com.uy, .fm, .gd, .kz, .pl, .tc, .tj, .to, .us.
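As an added example that is not part of the Bkis analysis, the Python sketch below shows what the daily rendezvous sweep described above looks like from a defender’s side: one host producing a burst of NXDOMAIN answers spread across many of the suffixes listed, which is how a 50,000-name-per-day lookup shows up in resolver logs. The log format, the sample lines and the thresholds are constructed assumptions, not Bkis’ or anyone’s real data.

```python
import re
from collections import defaultdict

# Suffixes the article lists as taken over by Microsoft and the Conficker Cabal.
WATCHED_SUFFIXES = (".as", ".cl", ".co.uk", ".com.do", ".com.mx", ".com.ni",
                    ".com.pa", ".com.uy", ".fm", ".gd", ".kz", ".pl", ".tc",
                    ".tj", ".to", ".us")

# Constructed resolver log lines in a hypothetical format (not real traffic):
# <timestamp> <client-ip> <queried-name> <rcode>
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.9 hqwzlk.cl NXDOMAIN
2009-04-01T00:00:02 10.0.0.9 rtnvamp.co.uk NXDOMAIN
2009-04-01T00:00:03 10.0.0.9 ozplfe.com.mx NXDOMAIN
2009-04-01T00:00:03 10.0.0.9 bzqvjk.kz NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 wfgoal.tj NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 nqzpem.us NXDOMAIN
2009-04-01T00:00:05 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:00:06 10.0.0.5 typo-exampl.com NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def suffix_of(name):
    """Return the matching watched suffix, or the bare TLD otherwise."""
    for suffix in WATCHED_SUFFIXES:
        if name.endswith(suffix):
            return suffix
    return "." + name.rsplit(".", 1)[-1]

def parse_log(text):
    """Yield (timestamp, client, name, rcode) for each well-formed line."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            ts, client, name, rcode = match.groups()
            yield ts, client, name.lower().rstrip("."), rcode

def flag_dga_clients(text, min_nxdomain=5, min_suffixes=3):
    """Flag clients whose NXDOMAIN answers form a burst across several
    suffixes; a normal typo does not touch many TLDs, a DGA sweep does."""
    stats = defaultdict(lambda: {"nxdomain": 0, "suffixes": set()})
    for _ts, client, name, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue
        stats[client]["nxdomain"] += 1
        stats[client]["suffixes"].add(suffix_of(name))
    return {client: {"nxdomain": s["nxdomain"], "suffixes": sorted(s["suffixes"])}
            for client, s in stats.items()
            if s["nxdomain"] >= min_nxdomain and len(s["suffixes"]) >= min_suffixes}

if __name__ == "__main__":
    for client, info in flag_dga_clients(SAMPLE_LOG).items():
        print(client, info)
```

Real resolver output will need its own parser and thresholds tuned to the network’s normal NXDOMAIN rate; the point is the two signals (volume and suffix diversity), not the numbers used here.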
Bkis is a leading Vietnamese Internet security company in the Asia-Pacific region and a co-founder of APCERT, the Asia Pacific Computer Emergency Response Teams. Bkis is known as an antivirus vendor with Bkav, the most popular antivirus software in Vietnam, which has more than 10 million users.
Recently, in September 2008, Bkis discovered the SaveAs function vulnerability in Google Chrome and a vulnerability in the face recognition algorithm used in Asus, Lenovo and Toshiba laptops.