Conficker
Today the Conficker worm variant C is due to start checking 500 of 50,000 pseudo-randomly generated domain names once per day (variants A and B checked 250 per day) to see whether any of them will hand it commands, and to look for updates to its own code. To make it even more versatile, Conficker can also push updates to other infected hosts on the local network.
There has been a lot of hype about the threat posed by Conficker. Much of it seems to me to stem from the fact that someone has taken a smarter than usual approach to building the worm, with a call-back mechanism that is more robust than usual: rather than trying a fixed set of domain names, it generates new ones according to a pattern known to the attacker. In addition, the update mechanism is well secured, with the aim of preventing other hackers (or white hats) from subverting or taking over the worms already present on infected machines.
Apparently, other malware authors are taking advantage of the worry about Conficker by putting up "cleaners" that are really trojans. To counter this, the folks at DShield have created a page drawing together trusted sources of information about Conficker and tools for removing it. They also link to the Honeynet Project's Know Your Enemy article (the same people have worked out a way to detect Conficker remotely, without needing access to the infected system).
From the articles it seems that, aside from taking the normal precautions, nothing dramatic will happen as the .C variant kicks off (it is currently in the minority, but it will be interesting to see how it grows). The update mechanism is relatively lightweight, so a DDoS is unlikely, and there are no indications that the owners of the botnet intend to do anything out of the ordinary today (the botnet contains perhaps 1-2 million or more hosts). It is most likely business as usual for the owners (probably spam generation, porn serving and the like).