PORTLAND, Ore. Malware known as Conficker 2.0 is poised to strike on Wednesday, April Fools' Day, security experts warn.
Conficker is a malicious worm that has so far infected 9 million Windows-based PCs since it was first detected in October 2000.
Experts are unsure whether Conficker will simply display a harmless April Fools' Day message or, for example, begin harvesting PC user names and passwords or even erase hard disks. Security experts advise that Windows PC users run their virus-scanning software today (March 31) and ensure they have downloaded and installed all the latest security system updates from Microsoft.
Microsoft has set up a special Web site to assist users in thwarting Conficker.
A self-replicating software worm called Conficker has infected 9 million PCs worldwide to create a "botnet" that will be launched on Wednesday (April 1).
"People should run a security scan immediately. If you don't have security software on your computer, then today is the day to go out and get it," said Kevin Haley, director of security response at Symantec Corp. (Cupertino, Calif.). "You should also make sure you have the latest security update for Windows installed since Microsoft has fixed the original problem, but people still need to download that patch."
Conficker's creator or creators have so far evaded authorities despite a worldwide search by security specialists at the Internet Corporation for Assigned Names and Numbers (ICANN) and the FBI. Microsoft is offering a $250,000 reward for information leading to the authors' capture.
Computer worms are self-replicating computer programs. Conficker exploits a weakness in the Server service on Windows-based computers: an infected source computer forces a buffer overflow on a target computer and executes shellcode there, thereby infecting it. Conficker usually spreads over the Internet, but a variation can also spread via removable media devices like USB thumb drives.
Typically, self-replicating worms configure themselves into a grid-like supercomputer--called a botnet--that cooperatively achieves a hacker goal like reporting credit card numbers to criminal organizations or distributing phony offers to sell nonexistent products. Other tactics include flooding networks with traffic in a "denial of service" attack.
ICANN investigators thought they had cornered Conficker 2.0 last month when they began blocking 250 Internet domain names that Conficker was using to download its instructions. But the worm's author responded earlier this month by scheduling an April 1 update that increases the number of sites from which malicious code can be downloaded to 50,000. The update makes it nearly impossible to block all sites before damage is done.
On April 1, Microsoft, Symantec and international security software specialists will be analyzing the new code as well as blocking sites identified as distributing the Conficker 2.0 update. Hence, PC users should check for updates to their security software suites as well as for updates that Microsoft may have to post to seal off any new breaches being exploited by Conficker 2.0.