Conficker.C update
Posted on March 17th, 2009 at 07:40
Speaking of AutoRun (see my next post)…
The AutoRun blues surfaced when security researchers discovered that the Conficker worm had a very active infection vector that goes through USB drives: take a USB drive from an infected computer to a clean one, and Conficker comes along for the ride.
Now comes word that there’s a new Conficker variant, called Conficker.C, that’s getting considerably trickier. While Conficker.A and Conficker.B are picked up by lots of antimalware programs and scanners these days, Conficker.C packs a different kind of punch. Here’s the Ars Technica take:
…the worm’s creators have a third version (Conficker.C, naturally) prepared to hit the tubes come April 1. The new “C” twist won’t have all of the tools “B” used to replicate, but it will be able to detect and kill certain system processes designed to find and remove it…
The security industry was collectively able to put the brakes on Conficker.B’s expansion when they managed to reverse-engineer the virus and determine which domains it would attempt to register and dial home to on particular dates. With Conficker.A and B, the worm chose to contact 32 addresses out of a possible 250 on any given attempt. With their algorithm broken, the malware authors went a step beyond updating their randomization/selection code - they also vastly increased both the number of domains the worm could generate as well as the number it will randomly select. Conficker.C will select 500 domains out of a randomized pool of 50,000 instead of the previous 32/250.
Worm wars. Ya gotta love it.
For now, if you have to use Windows XP, get your (free!) antivirus software updated and make sure it’s working. Hold down the Shift key when you put anything into your computer. And keep watching for late-breaking news.
Remember that Conficker doesn’t infect Vista or Windows 7 computers. Wait a couple of years and that may change. For now, Vista and Win7 dodge the Conficker bullet.
One response to “Conficker.C update”
Roger Sitterly March 17th, 2009 at 21:58
How in the world can people know what Conficker “C” will do or how it will behave or even when it’s expected to “hit the tubes” if the sleazeballs who write this stuff are unknown and the scumware hasn’t made its way into general circulation? If CA is so good at prognostication that it knows all this in advance, why don’t we turn those talents to forecasting the stock market and the impact of all those multi-billion $$$ bailout packages?


