Conficker now active; domain routine has already started

[David Baxter PhD]

Conficker's domain routine has already started
by Patrik, F-Secure.com
Tuesday, March 31, 2009

Mikko posted earlier about how the domain generation algorithm in Conficker (aka Downadup) works. Just to make it clear to everyone - this has now started.

Infected computers use the local time as the trigger of when to start generating the list of 50,000 domains so in places where the local time is already April 1st, these computers are now actively polling for domains.

And, until the GMT date is April 1st they are in fact polling for domains for 31st March. So far there hasn't been any updates available on those sites.

In summary: Conficker has activated. So far nothing has actually happened.

 

[sarek]

Arent they just playing a giant April fool's joke on everyone?

 

[David Baxter PhD]

No. Nobody goes to that much trouble for an April Fool's joke. They have put months of work and planning into this.

 

[David Baxter PhD]

Conficker - What's going on?

Conficker - What's going on?
by Patrik, F-Secure
Wednesday, April 1, 2009

So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far ? nothing. Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys).

And we don't really expect one, at least not right now.

The Conficker worm is still creating headlines though as can be seen from the front page of cnn.com.