
Final Countdown to Conficker 'Activation' Begins...



Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.

Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase over the 250 potential web server locations used by earlier variants of the code.

"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."
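To put numbers on Fitzgibbon's point, here is an added worked example (not from the article, Sophos, or any Conficker analysis) that models the stated figures, 500 domains tried per day out of a pool of 50,000, as a hypergeometric draw. It assumes uniform random selection without replacement, independent bots, and that the P2P layer relays a signed update to every bot once any single bot fetches it; these are modelling assumptions, not a description of the worm's real algorithm.

```python
"""Model the daily call-home odds described in the article.

Assumptions (not from the article): domains are drawn uniformly without
replacement, bots draw independently, and a P2P relay means one successful
fetch anywhere in the botnet is enough for the whole botnet.
"""
from math import comb

DOMAINS_PER_DAY = 50_000    # candidate domains generated per day (article figure)
CONTACTED_PER_DAY = 500     # domains each infected host actually tries (article figure)


def p_single_bot_hits(registered: int, pool: int = DOMAINS_PER_DAY,
                      tried: int = CONTACTED_PER_DAY) -> float:
    """Probability that one bot's daily sample of `tried` domains contains at
    least one of `registered` attacker-controlled domains (hypergeometric).
    P(miss all) = C(pool - registered, tried) / C(pool, tried); math.comb
    returns 0 when fewer than `tried` unregistered domains remain."""
    if registered <= 0:
        return 0.0
    p_miss = comb(pool - registered, tried) / comb(pool, tried)
    return 1.0 - p_miss


def p_botnet_hits(registered: int, bots: int) -> float:
    """Probability that at least one of `bots` independent hosts fetches the
    update in a day. With P2P relay this is the figure that matters, which is
    why a 1% per-bot chance is not a weakness at botnet scale."""
    return 1.0 - (1.0 - p_single_bot_hits(registered)) ** bots


def daily_table(bot_counts=(1, 100, 1_000, 100_000), registered: int = 1):
    """Per-bot versus whole-botnet success probability for a given number of
    attacker-registered domains; returned as a list of (bots, p_bot, p_botnet)."""
    p_bot = p_single_bot_hits(registered)
    return [(n, p_bot, p_botnet_hits(registered, n)) for n in bot_counts]


if __name__ == "__main__":
    print(f"one registered domain: per-bot chance = {p_single_bot_hits(1):.4f}")
    for bots, p_bot, p_net in daily_table():
        print(f"  {bots:>7} bots -> botnet-wide chance {p_net:.6f}")
```

The table shows the defender's side of the same arithmetic: a single registered domain reaches a 1,000-bot mesh with near certainty on day one, so blocking has to cover the whole 50,000-domain list, not the few hundred any one host touches.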

Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or weeks after the new call-home routine comes into effect.

If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.

Lessons from the call-back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.

Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.

"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes led to nothing more than a damp squib," notes Graham Cluley, senior technology consultant at Sophos.


Although nothing might happen, it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.

Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol".

Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.

Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.

Birth of a superworm

Variants of the Conficker worm, which first appeared back in November, spread using a variety of tricks. All strains of the superworm exploit a vulnerability in the Microsoft Windows server service (MS08-067) patched by Redmond in October.

Once it infects one machine on a network, the worm spreads across network shares. Infection can also spread via contaminated USB sticks. This combined approach, in particular the worm's attempts to hammer across corporate LANs, has made Conficker the biggest malware problem for years, since the default activation of the Windows firewall put the brakes on previous network worms such as Nimda and Sasser.

Compromised Windows PCs, however the infection happens, become drones in a botnet, which is yet to be activated. It's unclear who created or now controls this huge resource.

Estimates of the number of machines infected by Conficker vary, from barely over a million to 12 or even 15 million. More reliable estimates suggest that between 3 and 4 million compromised systems at any one time might be closer to the mark.

SRI reckons that Conficker-A has infected 4.7m Windows PCs over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, even as new machines are infected. Taking this churn into account, the botnets controlled by Conficker-A and Conficker-B are reckoned to be around 1m and 3m hosts respectively, about a third of the raw estimate.

Estimates of how many machines are infected by the Conficker-C variant are even harder to come by.

But however you slice and dice the figures, it's clear that the zombie network created by Conficker dwarfs the undead army created by the infamous Storm worm, which reached a comparatively lowly 1 million at its peak in September 2007. Activation of this resource may not come next week or even next month, but the zombie army established by the malware nonetheless hangs over internet security like a latter-day Sword of Damocles.

Some security watchers are sure it will get used eventually, if not on 1 April. Sam Masiello, a security analyst at MX Logic, said: "Why go through all of this effort to create such a huge botnet then not utilize it for something?"
 

Microsoft Dumped After Indian Prime Minister's Emails Went Missing

By PK


The office of the Indian Prime Minister has reportedly ditched Microsoft's Outlook for open-source email following a computer virus that caused a massive breakdown in communications.

The PMO has dumped Outlook Express for SquirrelMail, it has emerged, following an outage that saw emails go missing and unanswered during a three-month period last year.

Among the lost emails sent to India's PM were those of a retired air commodore.

In a hearing of the Indian Central Information Commission, the PMO's office admitted: "Many mails reportedly sent were not received in the Outlook Express and subsequently the Outlook Express was discontinued and the SquirrelMail was used."

SquirrelMail is a PHP program that renders in HTML 4.0 and supports IMAP and SMTP. Started in 1999, SquirrelMail is licensed under the GNU General Public License.

While the migration from Outlook Express to open-source is a black eye for Microsoft, it does beg the question why it took so long for the problem to be detected - unless, of course, the Indian PM isn't actually using email and the account is for show.

As one observer put it: "WTF and WTS (What the Satyam!). It took the Government techies so much time to realize that the email system of the most powerful man in India was not working properly for 3 months!"
 

Microsoft Boss Bill Gates Bans His Children From Using Apple Products... But His Wife Admits She'd Like an iPhone

By PK


Microsoft founder Bill Gates has banned the use of products made by arch-rival Apple from his house, his wife has revealed.

But the blockade could backfire on Gates, 53, after Melinda admitted there are times she feels envious of her friends' iPhones.

She told Vogue magazine that the couple's three children Jennifer, 13, Rory, 10 and Phoebe, seven, are not allowed Apple products.

'There are very few things that are on the banned list in our household,' she said.

'But iPods and iPhones are two things we don't get for our kids.'

Like any forbidden fruit, however, Mrs Gates, 44, admitted that some Apple products do have the power to tempt her.

'Every now and then I look at my friends and say 'Ooh, I wouldn't mind having that iPhone,' she admitted.

For many years, Microsoft had a monopoly on the technology market.

But over the last decade, the popularity of new Apple products such as the iPod and the iPhone, as well as its computers, has promoted the company to chief rival.

There have been rumours of animosity between Gates and Apple founder Steve Jobs but the pair have made public efforts to appear friends.

The Gates family lives in a vast mansion on the shores of Lake Washington and is very protective of the privacy of the children.

Gates stepped down as chief executive of Microsoft to concentrate on his charity, the Bill & Melinda Gates Foundation, which is the world's biggest philanthropic organisation.

Apple's Steve Jobs, meanwhile, has been forced to take sick leave because of health problems.

Source: DailyMail
 

Microsoft Reveals Details of Gazelle Browser

By PK

Bigger and better than Firefox, Chrome and Internet Explorer, says Microsoft

Microsoft researchers are working on a new browser called Gazelle, which the company promises will have some impressive new features and capabilities.

The firm released a research paper (PDF) late last week, saying that the new browser would offer significant security improvements compared to other browsers, including Internet Explorer.

"No existing browsers, including new architectures like Internet Explorer 8, Google Chrome and OP, have a multi-principal operating system construction that gives a browser-based operating system the exclusive control to manage the protection of all system resources among web site principals," Microsoft said in the report.

The browser will change this tradition by being built on its own kernel, in effect allowing it to operate as an operating system. This means that Gazelle could intelligently identify traffic, and react to anything malicious.

"Our prototype implementation and evaluation experience indicates that it is realistic to turn an existing browser into a multi-principal operating system that yields significantly stronger security and robustness with acceptable performance and backward compatibility," the researchers wrote.

The browser is only open for discussion at this stage, and there are no current plans for a release in any form.

"The implementation and evaluation of our IE-based prototype shows promise of a practical multi-principal operating system-based browser in the real world," the researchers concluded.