Conficker April Surprise
The announced April 1st Conficker update doom and gloom has failed to materialize. You can bet your bottom dollar somewhere in the world a virus writer is rolling on the floor laughing. That's not to say that an update will never happen. It almost certainly will, but not as most people seem to think.
The virus possesses two main update mechanisms.
The most visible is the HTTP or web mechanism whereby each infected machine checks 500 of the 50000 possible update URLs every day, for a neat 1 in a hundred chance to get an update. This mechanism is obviously pretty slow, by itself, but its speed does not depend on the number of machines which are infected. If one of the links remains up and serving the update for a hundred days, the whole virus network is updated.
The P2P update system is less visible. Its only requirement is to somehow introduce on the Internet a new machine (or several hundred) which are already updated and accessible from anywhere.
One could do so by using an alternate infection mechanism such as malicious e-mail or a trojanized version of the virus planted on a file sharing network or even, for spy-movie drama, by leaving a USB drive which contains the virus unattended on a park bench.
Using this system, an infected machine checks around 600 IP addresses (of the total of roughly 3.3 billion usable IP addresses) every hour, in an attempt to find other infected machines running more recent code, from which it then updates itself.
Now, let's assume a network of 10 million infected computers (a pessimistic estimate), of which only one runs an updated version of the virus. The probability for an infected machine to find the single existing updated machine, in the first try, is 1 in three billion.
It seems vanishingly small, but we have 10 million machines to play with, 600 tries per hour each (or a total of 6 billion tries), so we can be very sure that the updated code _will_ be found within the hour.
The simple, scary logic of exponential growth then takes over. Finding one of two machines is twice as easy, one of four even easier and the ball keeps rolling until, using this system, the entire network could be updated in just 16 hours or thereabouts. A smaller network will take longer, but not much longer.
Combine the two systems (I'll spare you, again, the gory mathematical details) and you get an approximate time of 9 hours for a full 10 million-strong network update.
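The arithmetic of the last few paragraphs, worked through as an added example (this is not code from the original post). It uses only the figures the post gives: a 3.3 billion address space, 600 probes per host per hour, a 10 million host network, and 500 of 50,000 URLs polled per day. The expected-value spread model, the assumption that every probe is an independent random draw, and the "one live URL" HTTP assumption are mine.

```python
import math

# Figures quoted in the post; the model built on them is an added example.
ADDRESS_SPACE = 3_300_000_000   # usable IPv4 addresses, as stated in the post
PROBES_PER_HOUR = 600           # P2P probes each infected host sends per hour
NETWORK_SIZE = 10_000_000       # the post's pessimistic botnet size
HTTP_URLS_PER_DAY = 500         # URLs each host polls per day ...
HTTP_URL_POOL = 50_000          # ... drawn from this many candidates


def hit_probability(updated, address_space=ADDRESS_SPACE, probes=PROBES_PER_HOUR):
    """Chance that one host's hourly batch of random probes lands on at least
    one already-updated peer, given `updated` such peers in the address space.
    log1p/expm1 keep the tiny per-probe odds from being lost to rounding."""
    return -math.expm1(probes * math.log1p(-updated / address_space))


def first_hour_success(network=NETWORK_SIZE, updated=1,
                       address_space=ADDRESS_SPACE, probes=PROBES_PER_HOUR):
    """Chance that *some* host in the whole network finds the first updated
    peer within an hour: network * probes tries at updated/address_space each."""
    return -math.expm1(network * probes * math.log1p(-updated / address_space))


def hours_to_update(fraction, initial_updated=1, network=NETWORK_SIZE,
                    address_space=ADDRESS_SPACE, probes=PROBES_PER_HOUR):
    """Expected-value model of the P2P spread (an assumption, not Conficker's
    measured behaviour): each hour every not-yet-updated host finds an updated
    peer with probability hit_probability(updated). Returns the number of whole
    hours until `fraction` of the network runs the new code."""
    updated = float(initial_updated)
    hours = 0
    while updated < fraction * network:
        updated += (network - updated) * hit_probability(updated, address_space, probes)
        hours += 1
    return hours


def http_coverage(days, urls_per_day=HTTP_URLS_PER_DAY, url_pool=HTTP_URL_POOL):
    """Fraction of hosts that have polled a single live update URL at least
    once after `days` independent daily draws of urls_per_day out of url_pool."""
    daily_miss = 1 - urls_per_day / url_pool      # 0.99 with the post's numbers
    return 1 - daily_miss ** days


if __name__ == "__main__":
    print(f"P(first updated peer found within an hour): {first_hour_success():.3f}")
    for frac in (0.5, 0.9, 0.99):
        print(f"P2P from one seed: {frac:.0%} of the network after "
              f"{hours_to_update(frac)} h")
    print(f"P2P from 100,000 seeds: 99% after "
          f"{hours_to_update(0.99, initial_updated=100_000)} h")
    print(f"HTTP alone, one URL live for 100 days: {http_coverage(100):.3f} reached")
```

With the post's figures the model gives an 84% chance that the single updated machine is found in the first hour, half the network updated after about 16 hours and 99% after about 19, in line with the "16 hours or thereabouts" above; the tail is slow because the last stragglers still have to stumble on a peer by chance. Seeding the P2P spread with 100,000 already-updated hosts (1% of the network, what a single live URL would hand over in one day of the HTTP mechanism) brings the 99% mark to about 8 hours, which is where the combined 9-hour figure comes from. Under this model the HTTP path alone reaches about 63% of hosts after 100 days of one live URL, since each day's 500 picks are a fresh random draw rather than a sweep through the list; for a defender the practical reading is that keeping the URLs sinkholed buys visibility rather than containment, while the P2P path has no such choke point.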
But is the speedup of using the HTTP mechanism worth it, from a virus writer's point of view? Considering that every security researcher and company worth their salt is monitoring the 50000 URLs, no, not really.
It's vastly more probable that the author or authors are keeping the HTTP option in reserve and relying on P2P for regular updates.
Conficker is here to stay, in other words. Our only valid options, as always, are to immunize everyone against new versions and to slowly clean up the already-infected hosts.