An investigation into the Conficker worm published last week by
security researchers at SRI International highlighted the technical
ability of the worm's coders and the danger posed when the program
starts checking a greatly expanded list of Internet drop sites come
In their Conficker C Analysis, three researchers at SRI International found that the latest update to the Conficker worm, which started appearing on compromised systems on March 5, changed more than 80 percent of the B-version of the worm's code. Computer systems infected with the new version — dubbed Conficker.C and Downadup.C by different security firms — will begin generating a list of 50,000 pseudo-random domain names every day starting April 1 and attempt to download new commands from 500 of those domains.
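The daily burst of pseudo-random domain lookups described above is also what gives defenders a handle on it: a host that resolves hundreds of never-before-seen, high-entropy names that mostly come back NXDOMAIN stands out in resolver logs. The following is an added illustration of that detection idea, not code from the SRI report or from this article. The log format (`time client qname rcode`), the thresholds, and the constructed sample log are all assumptions for the example; the name generator is an ordinary PRNG used only to fabricate test data and is not Conficker's domain algorithm.

```python
"""Flag resolver clients whose DNS behaviour looks like a domain-generation
algorithm (DGA): many distinct NXDOMAIN answers for high-entropy names.
Added example; thresholds and log format are assumptions."""
import math
import random
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse '<time> <client_ip> <qname> <rcode>'; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "rcode": rcode.upper()}


def second_level_label(qname: str) -> str:
    """Label left of the TLD, e.g. 'qzkvwb' for 'www.qzkvwb.info'."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def dga_suspects(lines, min_nxdomain=100, min_entropy=2.5):
    """Return sorted client IPs that produced at least min_nxdomain distinct
    NXDOMAIN second-level labels whose mean entropy is >= min_entropy.
    A single typo or a handful of dead domains never crosses the count bar."""
    nx_labels = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        nx_labels[rec["client"]].add(second_level_label(rec["qname"]))
    suspects = []
    for client, labels in nx_labels.items():
        if len(labels) < min_nxdomain:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_entropy >= min_entropy:
            suspects.append(client)
    return sorted(suspects)


def build_sample_log(n_random=300, seed=1):
    """Constructed sample log: one benign host (two hits and one typo) and one
    host hammering pseudo-random names. The generator is a plain PRNG used only
    to fabricate test data; it is NOT Conficker's domain algorithm."""
    rng = random.Random(seed)
    lines = [
        "2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR",
        "2009-04-01T00:00:02 10.0.0.5 mail.example.com NOERROR",
        "2009-04-01T00:00:03 10.0.0.5 wwww.example.com NXDOMAIN",  # a typo, not a DGA
    ]
    tlds = ["com", "net", "org", "info", "biz"]
    alphabet = "abcdefghijklmnopqrstuvwxyz"
    for i in range(n_random):
        label = "".join(rng.choice(alphabet) for _ in range(rng.randint(10, 15)))
        lines.append(f"2009-04-01T00:01:{i % 60:02d} 10.0.0.9 "
                     f"{label}.{rng.choice(tlds)} NXDOMAIN")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("DGA suspects:", dga_suspects(SAMPLE_LOG))
```

In practice the count threshold is tuned per site and the window is a day or less; the point of combining a volume threshold with an entropy check is that a misconfigured application can generate many NXDOMAINs for readable names, while a DGA host generates many for unreadable ones.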
In addition, the worm program blocks security software, distributes
code by creating a peer-to-peer network, and attempts to prevent anyone
but the authors from updating its code by authenticating updates using
a hash algorithm — known as MD6 — that is only a few months old. The
collection of those capabilities worried the researchers.
"In the best case, Conficker may be used as a sustained and profitable
platform for massive Internet fraud and theft," wrote Phillip Porras,
Hassen Saidi and Vinod Yegneswaran, all of SRI International. "In the
worst case, Conficker could be turned into a powerful offensive weapon
for performing concerted information warfare attacks that could
disrupt, not just countries, but the Internet itself."