
Although Kido malware, also called Conficker, did not activate on 1 April, Kaspersky Lab says it could still be activated at any time from today onwards, and it is impossible to predict what the cyber-criminals will then do.
Costin Raiu, chief security expert for Kaspersky Lab, EEMEA, says that as of 1 April the Kido botnet started asking its creators for new commands. Because of the strong encryption algorithms it employs, only Kido's authors can send updates to the botnet.
“Yesterday, we did not detect any data being exchanged between infected machines and the possible botnet command and control centres. Nonetheless, the botnet could still activate at any time,” Raiu says.
“Given the malware's functionality, this is possible. We estimate that at least five million computers are infected, and the network of infected machines could potentially become the most powerful tool on the Internet at the disposal of cyber-criminals. This huge network of infected computers provides cyber-criminals with the means to conduct mass DDoS attacks on any Internet resource, to steal confidential data from infected computers and to distribute unsolicited content.
“Kido has currently reached its third generation, with a few hundred variants being known. The latest variants implement some of the most sophisticated technologies known to malware authors. For example, they download updates for themselves from Web site addresses, which are new every day; they use strong encryption for protection from unauthorised control; they have sophisticated mechanisms for disabling security services and preventing security software from updating,” explains Raiu.
“The third generation of Kido attempts to update itself by downloading code from 500 domains, chosen from a pool of 50 000 domains, which is generated daily.”
Raiu says the 500 domains are randomly selected. This, together with the large number of domains, makes it extremely difficult to monitor and block the domains used by the malicious program. “Because of this, a Kido botnet could become a huge resource, with a massive processing power equivalent to the most advanced supercomputers of the moment.”
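The arithmetic behind that difficulty, as an added illustration that is not part of the original article: a constructed, date-seeded domain generator stands in for Kido's real (undisclosed here) algorithm, and the probability function shows why blocking even most of a 50 000-name daily pool still lets almost every bot reach an unblocked update domain, so defenders have to sinkhole the entire pool each day rather than a sample of it. The pool and selection sizes are the figures quoted above; the ".example" names are constructed.

```python
import hashlib
import random
from datetime import date
from math import comb

POOL_SIZE = 50_000   # daily candidate pool reported for Kido/Conficker
PICKS = 500          # domains each bot actually contacts per day


def daily_pool(day: date, size: int = POOL_SIZE) -> list[str]:
    """Constructed stand-in for a date-seeded domain generator (NOT Kido's own
    algorithm): derive each candidate from the date and an index, so every
    infected host computes the same list without any server contact."""
    stamp = day.isoformat().encode()
    return [hashlib.sha256(stamp + i.to_bytes(4, "big")).hexdigest()[:12] + ".example"
            for i in range(size)]


def bot_choice(day: date, pool: list[str], picks: int = PICKS) -> list[str]:
    """Deterministic per-day random subset: the seed is the date, so all bots
    pick the same 500 names and the botmaster only has to register one of them."""
    rng = random.Random(day.toordinal())
    return rng.sample(pool, picks)


def update_reaches_bot(blocked: set[str], contacted: list[str]) -> bool:
    """The update gets through if even one contacted domain is not blocked/sinkholed."""
    return any(d not in blocked for d in contacted)


def p_update_succeeds(blocked_count: int, pool_size: int = POOL_SIZE,
                      picks: int = PICKS) -> float:
    """Exact (hypergeometric) probability that at least one of the bot's picks
    escapes a blocklist of blocked_count names drawn uniformly from the pool:
    1 - C(blocked, picks) / C(pool, picks). comb() is 0 when blocked < picks."""
    return 1.0 - comb(blocked_count, picks) / comb(pool_size, picks)


if __name__ == "__main__":
    day = date(2009, 4, 1)
    pool = daily_pool(day)
    contacted = bot_choice(day, pool)
    partial_block = set(pool[:45_000])          # defender blocks 90% of the pool
    print("90% of pool blocked, update still reaches bot:",
          update_reaches_bot(partial_block, contacted))
    for k in (45_000, 49_500, 49_990, 50_000):
        print(f"blocked {k:>6}/{POOL_SIZE}: P(update succeeds) = {p_update_succeeds(k):.6f}")
```

Only the last line of that table reaches zero: a blocklist that misses even a handful of the day's pool leaves the botnet a working update path, which is why the 50 000-per-day pool, not the 500 chosen names, is the defender's unit of work.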