NEWS FROM THE LAB - Thursday, April 2, 2009

Post April 1st Conficker Q&A Posted by Patrik @ 20:40 GMT

As we posted a Conficker Q&A prior to April 1st, it wouldn't be right if we didn't do one after the event.

Q: First off, how do I know if I'm infected?
A: Joe Stewart has created a very simple test that's available on the Conficker Working Group's site, as well as on his own site. If it says you're infected, you can find a number of removal tools on the same site, including F-Secure's.

Q: So April 1st came and went. Was there any doomsday activity, did the Internet break down?
A: No. If it had, you wouldn't be able to read this. And we never really expected anything to happen on the day itself.

Q: So what really happened then, what was all the fuss about?
A: Conficker.C was programmed to start generating a list of websites on April 1st and to contact them in an attempt to download updates to itself.

Q: And did it?
A: Yes it did. That part of the worm worked just as intended.

Q: So why didn't something major happen then?
A: Because the people behind Conficker didn't publish an update on any of the websites Conficker tried to contact. A successful lookup only matters if there's something to download at the other end.

Q: Was it a mistake on their part, did they forget about the April 1st activation date?
A: Very unlikely. What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm. Never before have we seen such global cooperation within the industry, and we're proud to be a member of that group. Also, it would've been pretty stupid for the people behind Conficker to do something on the day everyone expected them to.

Q: But isn't it so that the worm can also update itself using the peer-to-peer (P2P) technology?
A: That's right, it can. And it could've done so prior to April 1st as well; the P2P channel doesn't depend on the domain list at all.

Q: I didn't turn on my PC on April 1st so I should be OK, right?
A: If your computer is infected then no. The worm will still be there, and it will try to download updates to itself as soon as you turn the computer on.

Q: Which countries are the most infected?
A: China, Brazil, Vietnam, Russia, Indonesia, India, the Philippines, Thailand, South Korea and Ukraine.

Q: What's this I've heard about two people arrested in Belarus in connection with Conficker?
A: It was just an April Fools' joke. More here.

Q: So what happens now, can we forget about Conficker and worry about other things?
A: No, not really. April 1st was just the activation date. Infected computers will continue to reach out to 500 websites daily in an attempt to update themselves, so the domains have to be kept out of the authors' hands every single day, not just on April 1st. And let's not forget the P2P technology; the worm can update itself that way as well.
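To make the "list of websites generated daily" idea concrete, here is a generic date-seeded domain generation algorithm (DGA) with both the bot's and the defender's side. This is an added illustration and not Conficker's actual algorithm, nor code from F-Secure or the Working Group: the hash, alphabet, TLD list and counts are assumptions. The point it demonstrates is the one above: because the list depends only on the calendar date, anyone who knows the algorithm can compute tomorrow's domains today and register, block or sinkhole them before any infected machine asks for them.

```python
"""
Illustrative date-seeded DGA (added example, not Conficker's real algorithm).

Assumptions (not from the original post): SHA-256 of the ISO date plus a fixed
salt as the seed, lowercase a-z labels of 8-12 characters, a five-entry TLD
list, 50 candidates per day of which each bot contacts 10.
"""
import datetime
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ["com", "net", "org", "info", "biz"]  # assumed, for illustration only


def day_seed(day: datetime.date, salt: bytes = b"example-dga") -> int:
    """Deterministic integer seed derived from the calendar date."""
    digest = hashlib.sha256(salt + day.isoformat().encode()).digest()
    return int.from_bytes(digest[:8], "big")


def generate_domains(day: datetime.date, count: int = 50) -> list[str]:
    """Every candidate domain the hypothetical bot could use on `day`.

    Each infected host, and each defender, computing this for the same date
    gets exactly the same list; that is what makes pre-registration possible.
    """
    rng = random.Random(day_seed(day))
    domains = []
    for _ in range(count):
        length = rng.randint(8, 12)
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def pick_contact_subset(day: datetime.date, total: int, subset: int) -> list[str]:
    """Bot-side view: generate `total` candidates but only contact `subset`.

    The subset is drawn with an unseeded RNG so individual bots touch
    different domains; a defender holding all `total` still covers every bot.
    """
    candidates = generate_domains(day, total)
    per_host = random.Random()  # unseeded on purpose: varies per infected host
    return per_host.sample(candidates, subset)


def preregistration_plan(start: datetime.date, days: int, total: int) -> dict[str, set[str]]:
    """Defender-side view: precompute every candidate for the next `days` days."""
    plan = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        plan[day.isoformat()] = set(generate_domains(day, total))
    return plan


def is_dga_domain(domain: str, day: datetime.date, total: int) -> bool:
    """Match an observed DNS query name against the precomputed list for `day`."""
    return domain in set(generate_domains(day, total))


if __name__ == "__main__":
    activation = datetime.date(2009, 4, 1)
    plan = preregistration_plan(activation, days=3, total=50)
    for iso_day, domains in plan.items():
        print(iso_day, sorted(domains)[:3], "...")

    # Whatever subset a given bot picks, the defender's plan already holds it.
    contacted = pick_contact_subset(activation, total=50, subset=10)
    print("bot contacted:", contacted[:3], "...")
    print("all covered:", all(d in plan[activation.isoformat()] for d in contacted))
```

Seeding by date is exactly the property the Working Group relied on: the defender needs no access to an infected machine, only the algorithm and a calendar, and the same computation has to be repeated for every future day for as long as infected hosts remain.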

Q: So that means we'll have to deal with this for a long time?
A: Yes, until all the infected computers are cleaned up, or until the people behind it decide it's not worth it anymore. So we'll keep on monitoring the situation.

Q: What if I have more questions?
A: Hopefully they're already answered in our previous Q&A. If not, leave a comment on this post and we'll answer it for you.