Stephen Withers
Friday, 13 March 2009 10:18
Once a Conficker instance manages to contact a control server and download fresh instructions, it waits three days before trying to call home again.
So while there's less chance of a particular instance contacting a server on a given day, there's presumably a greater chance that it will succeed in calling home before it is removed from the host system - unless the anti-Conficker forces are able to take all 50,000 domains out of the available pool each day.
Mike Wood of security software specialist Sophos's Canadian operation has pointed out that a side effect of the change is that it should cause less collateral damage.
Sophos previously warned that some of the domains generated by Conficker correspond to genuine web sites that could be overloaded by millions of requests from infected PCs.
But with around 3 million Conficker infections, only 30,000 or so will try to contact any particular domain.
Wood says that would only mean an extra 21 requests per minute, and "If your site cannot handle that level of additional traffic, you might be in the wrong business."
Researchers at SRI International's Computer Science Laboratory said they have not "seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants [of Conficker] since the Storm outbreak of 2007."