Although no major incidents were reported on April 1, despite rumours that computers infected with the Conficker worm would be hit, vendors have claimed that this was just a warning and that users should remain prepared and covered.
Christopher Budd, security response communications lead for Microsoft, claimed that the security response centre team had not seen any actions outside of what they had expected. It had seen systems infected with the worm start to use the new domain generation algorithm, but hadn't seen any new variants released or any new attacks levied as a result of this.
Budd said: “While there's been a significant focus on the April 1 date, customers shouldn't take it to mean that once April 1 has passed that all the risks around Conficker.D lessen or go away. Conficker.D should remain a manageable cause for concern and it doesn't go away after April 1.
“Just like it has on 1st April, Conficker.D will continue trying to contact domains using this new algorithm on April 2, April 10 and beyond. This means that even though it hasn't happened today, a new variant or a new attack could be levied in the future.
“Customers should keep focused and keep doing what they've been doing: focusing on ensuring your systems are updated with MS08-067, keeping your security software signatures updated, and cleaning any systems you identify that are infected with any version of Conficker.”
Graham Cluley, senior technology consultant at Sophos, said: “I actually think most of the computer security industry were remarkably reserved and sane during the build up to Conficker, reminding people that there was no guarantee that the worm would do anything noticeable at all and that it was quite possible that hackers wouldn't give Conficker-infected PCs any new instructions.
“Of course, as I've been saying all along, the people behind Conficker could choose any day to instruct it to do something malicious - there was nothing which made it more likely on 1st April. So the need for you to remove Conficker is just as necessary today as it was yesterday, and will be tomorrow.”
Finally, Paul Henry, security and forensic analyst at Lumension, said: “Conficker is now armed and ready; all it lacks is the will of those who control it to put it to use. Let's not lose sight of the fact that it is not the infected machines we should be concerned for – it is the IP address of the victims that Conficker targets in the future that are at risk.
“What level of comfort should people now have, knowing Conficker is updated but nothing has happened yet? We still have some sleepless nights ahead as it's not simply today we need to worry about, it's every day in the future until Conficker is permanently shut down.”