Conficker: More Conflict than Worm
When it comes to naming a threat, the Conficker worm might be more aptly named the Conflicting worm. Barely a week after the 60 Minutes April Fools' Conficker doomsday update failed to materialize, the closely watched Conficker.C did finally manage an update. And in an ironic twist, the new worm debunks much of the hype circulating about Conficker.
The following is intended to help clear up a couple of the continuing conflicting reports about Conficker and is best read in conjunction with the original report titled "60 Minutes, Conficker, and April's Fool."
Myth: The new version of Conficker downloads keyloggers and other data theft trojans.
Reality: Conficker didn't download keyloggers; instead the worm downloaded a scareware program and a new variant of the spam-related Waledec trojan. Waledec is believed to be written by the same group behind the Storm trojan, and both are malware connected with sending spam.
Myth: The Conficker Eye Chart can tell whether there is a Conficker infection.
Reality: While some have made much of Conficker's ability to block access to antivirus vendor sites, disabling antivirus and preventing access to updates and information is a common characteristic of nearly all malware in circulation today. The "Conficker Eye Chart" will show at a glance if access to F-Secure, Trend Micro, or a handful of other security sites is blocked. Basically, if you view the page and can't see the images, this is supposed to be indicative of a Conficker infection. But while it may be a catchy PR title, in reality a failure of the images to display could indicate infection by the majority of malware circulating today and may have nothing to do with Conficker whatsoever.
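The Eye Chart check described above, reduced to code as an added example (not the Eye Chart's own code): it probes a few security vendor sites and reports what a blanket failure does and does not tell you. The vendor URLs and the probe function are assumptions; the real page embeds images from the sites named in the article.

```python
"""Reachability check in the spirit of the "Conficker Eye Chart".

Added example. A host that cannot reach any security vendor site may be running
malware that blocks such sites, but, as the article notes, that is a generic
trait of much malware in circulation and is not proof of Conficker.
"""
import urllib.request
from typing import Callable, Dict

# Assumed vendor URLs (the article names F-Secure and Trend Micro among others).
DEFAULT_SITES: Dict[str, str] = {
    "F-Secure": "https://www.f-secure.com/",
    "Trend Micro": "https://www.trendmicro.com/",
}


def http_reachable(url: str, timeout: float = 5.0) -> bool:
    """Default probe: True if an HTTP request to url gets any response at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except Exception:
        return False


def eye_chart_check(sites: Dict[str, str] = DEFAULT_SITES,
                    probe: Callable[[str], bool] = http_reachable) -> Dict[str, object]:
    """Probe each site and return per-site results plus a cautious verdict."""
    results = {name: probe(url) for name, url in sites.items()}
    blocked = [name for name, ok in results.items() if not ok]
    if not blocked:
        verdict = "reachable"
    elif len(blocked) == len(results):
        # Every vendor unreachable: consistent with AV-site blocking by many
        # malware families, so treat it as a generic indicator only.
        verdict = "all_blocked_generic_indicator"
    else:
        # Mixed results point more to network or site problems than to targeted blocking.
        verdict = "partial_failure_inconclusive"
    return {"results": results, "blocked": blocked, "verdict": verdict}


if __name__ == "__main__":
    # Constructed offline run: a probe that fails everywhere, standing in for a blocked host.
    print(eye_chart_check(probe=lambda url: False))
```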
Myth: Millions are infected with the Conficker worm.
Reality: In another ironic twist, it appears the authors of Conficker have provided a means to measure potential victims without relying on complex measurements and educated guesses. Immediately after updating to Conficker.E, the new updated worm tried to connect to a domain for which traffic can be directly counted. Suffice to say that Quantcast and other traffic monitoring systems report this domain as having too little traffic to be measurable. This lack of traffic during the update cycle - when the worm was alleged to be actively hitting the site - calls into question the high number of victims that have been reported. And it raises the question of whether what has been reported in the past is really just the result of traffic activity emanating from other antivirus vendors' honeypots.