April 1 has now passed everywhere in the world, and we can confirm that the Conficker worm did not return as was commonly believed. This also matches what our Radar system has recorded.
As mentioned in our previous blog entry, this worm would not necessarily come back on April 1, but it can return on any day after this Doom’s Day. This raises two questions.
Firstly, why did April 1 pass without any update to the worm? Secondly, will Conficker come back, and if so, when?
Why did April 1 pass without any update to the worm?
It helps to look at the algorithm that the Conficker worm's creator uses to set the return day.
GetDateTime(Year, Month, Day);
IF Date(Year, Month, Day) >= Date(2009, 4, 1) THEN SearchforUpdate();
IF UpdateFound THEN GetUpdateFromInternet() ELSE RepeatThisProcessDaily;
This algorithm only indicates that from April 1 Conficker starts looking for the domain (among 50,000 randomly generated ones) from which it can download its new version. If it finds one, it downloads that version and updates itself. If not, it repeats the search each day.
What we all saw is that April 1 passed quietly, with no shocking news about Conficker’s return. This was because the worm's creator did not publish any new update on the Internet. As long as the worm has not found a new instruction from its master, nothing happens.
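As an added example (not from the original post and not Bkis's own tooling), the daily search described above can be looked for in DNS resolver logs: the Python code below flags clients that, on or after April 1, 2009, show a burst of failed lookups that recurs on more than one day. The log format, the use of NXDOMAIN responses as the signal, the thresholds and every sample line are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

ACTIVATION = date(2009, 4, 1)  # start date taken from the post's pseudocode
MIN_FAILED = 3                 # assumed per-day threshold, kept tiny for the sample
MIN_DAYS = 2                   # assumed: the burst must recur on this many days

# Constructed sample log: "<ISO timestamp> <client> <queried name> <rcode>"
SAMPLE_LOG = """\
2009-04-01T08:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T08:00:02 10.0.0.5 intranet.exmaple.test NXDOMAIN
2009-04-01T03:10:00 10.0.0.9 qzkvtr.example NXDOMAIN
2009-04-01T03:10:01 10.0.0.9 hxpwlm.example NXDOMAIN
2009-04-01T03:10:02 10.0.0.9 bjyrnd.example NXDOMAIN
2009-04-02T03:10:00 10.0.0.9 tmcqsa.example NXDOMAIN
2009-04-02T03:10:01 10.0.0.9 ugkzev.example NXDOMAIN
2009-04-02T03:10:02 10.0.0.9 wlrfop.example NXDOMAIN
2009-04-02T09:00:00 10.0.0.7 a.test NXDOMAIN
2009-04-02T09:00:01 10.0.0.7 b.test NXDOMAIN
2009-04-02T09:00:02 10.0.0.7 c.test NXDOMAIN
"""

def parse(line):
    """Split one log line into (day, client, lower-cased name, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts).date(), client, qname.lower(), rcode

def failed_lookups_per_day(log_text):
    """Map (client, day) -> set of distinct names that failed to resolve."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, client, qname, rcode = parse(line)
        # Compare whole dates, not year/month/day separately.
        if day >= ACTIVATION and rcode == "NXDOMAIN":
            buckets[(client, day)].add(qname)
    return buckets

def suspected_hosts(log_text):
    """Clients whose failed-lookup burst recurs on at least MIN_DAYS days."""
    burst_days = defaultdict(list)
    for (client, day), names in failed_lookups_per_day(log_text).items():
        if len(names) >= MIN_FAILED:
            burst_days[client].append(day)
    return {c: sorted(d) for c, d in burst_days.items() if len(d) >= MIN_DAYS}
```

On the constructed sample only 10.0.0.9 is reported: 10.0.0.5 has a single mistyped name, and 10.0.0.7 has a burst on one day that does not repeat.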
Will Conficker come back, and if so, on which day?
Conficker was expected to return on April 1. However, the analysis above shows that this day is no different from April 2, 3… The worm’s code also shows that the malware poses the same risk on the subsequent days, and the return day depends entirely on Conficker's creator.
So will the worm return? Yes, it can come back. And when will it return? It can return on any day.
“Best practice is to protect your computer with the most recently updated tools and Microsoft’s patch rather than waiting for the worm to return,” said Quang Tu Nguyen, CEO of Bkis. “It is like you never know when the earthquake strikes; the rule of thumb is to get yourself prepared with a specially designed house rather than sitting still and trying to predict the day it comes.”
Finally, here are the latest figures on infected computers worldwide, as recorded by our Honeypot and Radar Systems on April 1.
The number of infected computers in the world amounts to 1,384,100. China has the largest share of computers infected by Conficker.C with 13.68 percent, followed by Brazil with 10.44 percent.
In the previous mail we stated that Conficker might originate in China. We are currently monitoring the daily generated domain names closely in order to find clues about whoever created the worm.
Bkis is a leading Vietnamese Internet security company in Asia-Pacific and a cofounder of APCERT - Asia Pacific Computer Emergency Response Teams. Bkis is known as an antivirus vendor with Bkav, the most popular antivirus software in Vietnam, which has more than 10 million users.
Recently, in September 2008, Bkis discovered vulnerabilities in the SaveAs function of Google Chrome and in the face recognition algorithm of Asus, Lenovo and Toshiba laptops.
Figure: Statistics of computers infected by Conficker.C
Figure: Conficker Global Monitoring System