<<<
NEWS FROM THE LAB - Tuesday, March 31, 2009
>>>
 

 
When will it start? Posted by Mikko @ 11:18 GMT

April 1st, 2009 has arrived.

As I'm posting this, it's 00:18 on the 1st of April in Auckland, New Zealand.

But there aren't that many Conficker infections in New Zealand to begin with.

Infection situation in South Korea is more interesting; it's in the TOP 5 infected countries. And it's already 20:18 on the 31st in Seoul right now.

So, when exactly is Conficker activating?

It goes like this:


  • Conficker checks the local clock every 90 minutes (in some cases even more frequently)
  • The check is done with Windows GetLocalTime function
  • GetLocalTime gives the local time, based on the local time zone
  • Because of this, machines around the world are returning different times
  • Clock skew affects this as well
  • But not by much, as Windows machines will sync their local clock with time.windows.com once a week
  • Once the local clock says it's April 1st, Conficker will collect a date from the net

This means that machines in Australia will already be collecting a date from the net when machines in Hawaii aren't.

Conficker's net time collection uses several large websites to get the date. These are sites such as:

  • adobe.com
  • answers.com
  • baidu.com
  • bbc.co.uk
  • comcast.net
  • disney.go.com
  • ebay.co.uk
  • facebook.com
  • imdb.com
  • megaporn.com
  • miniclip.com
  • rapidshare.com
  • torrentz.com
  • typepad.com
  • wikimedia.org
  • yahoo.com
  • youtube.com

The HTTP header time on these sites is very accurate and very close to each other.

You can check these yourself: simply connect to port 80 of any website with netcat or telnet. In Windows, simply run "telnet google.com 80". Once connected, type (blindly) "GET /" and hit enter a couple of times. You'll get a screenful of results, including a "Date:" field.

Time

Here's some sample HTTP HEAD returns from websites that Conficker uses to check the date. These were checked earlier this morning:

Google.com
   Date: Tue, 31 Mar 2009 06:27:42 GMT
   Client-Date: Tue, 31 Mar 2009 06:27:42 GMT
   Client-Peer: 209.85.171.103:80

Facebook.com
   Date: Tue, 31 Mar 2009 06:28:24 GMT
   Expires: Mon, 26 Jul 1997 05:00:00 GMT
   Client-Date: Tue, 31 Mar 2009 06:28:24 GMT
   Client-Peer: 69.63.184.143:80

www.baidu.com
   Date: Tue, 31 Mar 2009 06:31:47 GMT
   Expires: Tue, 31 Mar 2009 06:31:47 GMT
   Client-Date: Tue, 31 Mar 2009 06:31:48 GMT
   Client-Peer: 220.181.5.222:80

www.youtube.com
   Date: Tue, 31 Mar 2009 06:32:30 GMT
   Expires: Tue, 27 Apr 1971 19:44:06 EST
   Client-Date: Tue, 31 Mar 2009 06:32:31 GMT
   Client-Peer: 208.65.153.253:80

When the local clock says it's April 1st, Conficker will fetch the date values from the above sites and will use these values in an algorithm to generate 50,000 unique domain names. Do note that even if the date from the web sites says it's March 31st, Conficker would still activate if the local clock says it's April 1st.

The machines that are infected by Conficker.C and are turned on, will change modes between 00:00 and 01:30 on April 1st, based on machines own clock. The ones that are turned off, will change modes soon after they are booted up.

Cheers,
Mikko

PS. I'm on Twitter. http://twitter.com/mikkohypponen

PS2. Full disclosure: this post has been updated several times today as we've tried to get this right. It is pretty complicated.