BANGALORE, INDIA: The Conficker virus is lying low for now. Nevertheless, the virus has already attacked and devastated about 25,000 personal computers in India and will remain a challenging issue for many years to come, say security experts working on the issue.
Conficker infects machines by exploiting a weakness in Windows, the software that runs on most computers. To date, security companies estimate that about two million PCs have been wrecked by the dreaded worm.
Also known as Downup, Downadup and Kido, the Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.
"The worm has so far affected about two million PCs around the world, and in India about 25,000 PCs are affected. It has not made as big an impact as expected prior to April 1, the date when the attacks started, but the threat of Conficker is real, existing and will continue to exist for some time," says Govind Rammurthy, CEO, Micro World.
This is one of the most massive attacks witnessed in recent times, he adds.
According to Rammurthy, the impact of the worm can be assessed by the fact that it can penetrate PCs on a LAN that do not have the patch for the bug in the Microsoft operating system.
Though Microsoft had made the patch available as early as October 2008, many enterprises running a LAN still have not applied it.
He said the worm, when executed on a computer, disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.
The dreaded Conficker virus started spreading late in 2008. Though it was a simple worm initially its creators issued updates turning it into a more sophisticated and resilient virus that has found new ways to spread. It has also gained the ability to shut down a computer's defenses.
The Micro World CEO said that the new Conficker variant, W32/Conficker.C!worm, surfaced in early March and set the time bomb for April 1. Notable changes include the domain generation algorithm, which has been expanded to generate 50,000 domains, from which 500 are queried on a less frequent basis.
Since April 1, when the 'time bomb' hit, Conficker has started actively querying the aforementioned domains. On top of attempting to kill security processes, "it is a stark reminder to employ an aggressive patch management strategy on top of a valid, layered security solution to mitigate such malware," the Micro World CEO adds.
Challenges
The programming on the latest version of Conficker tells infected machines to generate 50,000 new Internet addresses each day that they can try to "phone home" to for instructions. Previously, they had been looking for commands from just 250 sites each day.
"The point of the change is to make it harder for the security community to pre-register those addresses and block them," says Govind Rammurthy.
According to Rammurthy, the potential targets of this virus are enterprises, both large firms and SMEs, that have an Internet connection and work on a Local Area Network (LAN).
W32/Conficker.C!worm includes a domain generation algorithm that has been expanded to generate 50,000 domains, from which 500 are queried on a less frequent basis.
According to security experts, the new variant can kill security processes, apart from blocking web traffic to certain domains. Additionally, it can block security updates such as Windows Update, effectively killing a good portion of patch management practices.
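The domain generation behaviour described above leaves a footprint a defender can look for: an infected host asks the resolver for hundreds of unrelated names a day, and most of them do not resolve because nobody has registered them. The following is an added example, not code from the article or from any vendor quoted in it; it assumes a constructed resolver log format of `<epoch> <client> <qname> <rcode>` and uses illustrative thresholds (five distinct names, 60% NXDOMAIN within a day) that would need tuning per network.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article): epoch, client, qname, rcode.
SAMPLE_LOG = """\
1238544000 10.0.0.5 windowsupdate.microsoft.com NOERROR
1238544001 10.0.0.5 mail.example.org NOERROR
1238544002 10.0.0.9 qmxk2r.info NXDOMAIN
1238544003 10.0.0.9 bfpqaz.com NXDOMAIN
1238544004 10.0.0.9 zzrlok.net NXDOMAIN
1238544005 10.0.0.9 wqefqa.org NXDOMAIN
1238544006 10.0.0.9 plmrt.biz NXDOMAIN
1238544007 10.0.0.9 example.net NOERROR
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse_log(text):
    """Yield (ts, client, qname, rcode) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower().rstrip("."), m.group(4)

def suspicious_clients(text, window=86400, min_unique=5, min_nx_ratio=0.6):
    """Flag clients that, within any sliding window of `window` seconds, query at
    least `min_unique` distinct names with an NXDOMAIN share of `min_nx_ratio` or
    more. Thresholds are assumed values for illustration, not published figures."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            uniq = {q for _, q, _ in win}
            nx = sum(1 for _, _, r in win if r == "NXDOMAIN")
            ratio = nx / len(win)
            if len(uniq) >= min_unique and ratio >= min_nx_ratio:
                flagged[client] = {"unique_domains": len(uniq), "nxdomain_ratio": round(ratio, 2)}
                break  # one hit is enough to report this client
    return flagged

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

A host flagged this way is a candidate for the service-state checks the article lists (Automatic Update, Security Center, Defender and Error Reporting disabled), not proof of infection on its own.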
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.