Conficker, or just a bad day?


Cape Town, 01 Apr 2009

SA's Internet connectivity came to a grinding halt today in what was neither an April Fool's Day joke nor, industry spokespeople say, an effect of the dreaded Conficker worm.

From late last night, reports started filtering through the Internet community of slow or absolutely dead-stopped Internet connectivity. While things seem to have improved since then, the general feeling is that all is not as well as it should be.

Telkom says that, for a reason not yet identified, local domain name servers (DNS servers) were unable to communicate with their international counterparts, and that this was the main cause of the disruption.

“There are problems with routing the local DNSes and they are not talking with the international DNSes,” a Telkom spokesman says. “We have high level (tier two) support looking at the issue. However, it is not only Telkom that has been affected.”

Hitting business

Mark Buwalda, MD of local search engine Ananzi, says he has not received any concrete explanation from either Telkom or his service provider, MWeb, about what caused the problem. However, the issue is most definitely affecting his and other businesses.

“We don't know just how much this will affect us yet, but we have a daily average of about 200 000 impressions and this will come down as many small companies who use our service are unable to connect to the Internet.”

Prenesh Padayachee, Internet Solutions' CTO, said this morning that the company has not experienced any downtime, as it is not linked to the Telkom system. Instead, it runs its own anycast-based distributed DNS system.

Alan Levin, MD of Cape Town-based Internet service provider Vanilla, says he initially thought the problem might have something to do with the Conficker worm, but on investigation has dismissed that idea.

“The problem may not have started with Telkom, but it will certainly end with Telkom.”

Levin says this is because Telkom plays such a central role in SA's Internet connectivity.

Hidden transparency

“A major issue for the Internet community has been the use by Telkom of a 'transparent cache service', which is hidden from users and so cannot be queried or investigated. This service is called transparent because users are almost totally unaware of it,” he says.

Levin maintains Telkom uses this service as a means to save on bandwidth, “which is ironic as they charge for that bandwidth anyway”.

Meanwhile, international research firm Gartner says the intense media attention being paid to the supposed 1 April Conficker deadline is largely unwarranted.

Conficker, also known as “Downadup”, is a sophisticated worm believed to have infected more than three million PCs worldwide. It first appeared in late 2008 and spreads by exploiting a known vulnerability in the Windows Server service, the flaw Microsoft patched in security bulletin MS08-067 in October 2008.

Microsoft vulnerability

Downadup, or Conficker, was released about a month after Microsoft issued the security bulletin that patched the vulnerable service. Conficker takes steps to make an infected machine appear patched, which makes compromised PCs harder to identify: because the worm closes the hole it came in through, a remote vulnerability scan can report an infected host as safe, so patch status should be verified on the host itself (from its installed-update records) rather than inferred from scan results. Conficker also uses encryption and a range of other techniques to evade detection and to communicate with malicious command-and-control servers.

“Paradoxically, the hype surrounding Conficker, and the enterprise response, is a major factor limiting its likely impact. Enterprises should be much more concerned about unrecognised threats,” a Gartner statement says.

However, Gartner does point out that, despite Conficker's unusual sophistication, most detailed analyses of the worm's code have shown there is no “apocalyptic” event scheduled for 1 April.

“On that date, one of the more recent Conficker variants will dramatically increase the number of domain names that may potentially host malicious servers. This will increase the pressure on simple URL blocking techniques, but will not significantly increase the threat level, because compromised machines already have many communications capabilities,” Gartner says.
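The mechanism Gartner describes, a bot computing a fresh set of candidate rendezvous domains every day, is what defeats static blocking, and the countermeasure that survives it is to look at the resolver behaviour rather than the names. The following Python is an added illustration, not code from the article, from Gartner, or from Conficker itself: it uses a deliberately hypothetical date-seeded domain generator (not Conficker's algorithm; the seed, alphabet and TLD list are invented for the example), measures how much of a day's candidate set a blocklist built from 500 observed domains can cover as the daily count grows, and then runs a simple NXDOMAIN-ratio detection over a constructed resolver log containing one DGA-like host and one ordinary host.

```python
import hashlib
import random
from collections import defaultdict

# Hypothetical date-seeded DGA, used here only to illustrate the mechanism the
# text describes. It is NOT Conficker's algorithm and shares nothing with it
# beyond the idea that every bot derives the day's rendezvous domains from a
# common seed, so a defender cannot block them by name in advance.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org", "info", "biz")          # invented for the example
SEED = b"hypothetical-dga-seed"                       # assumed shared secret


def generate_domains(day, count, seed=SEED):
    """Return `count` candidate domains for ISO date `day`, e.g. '2009-04-01'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 8                      # 8..15 character labels
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[16] % len(TLDS)]}")
    return domains


def blocklist_coverage(day, count, known=500):
    """Fraction of the day's candidates stopped by a blocklist built from the
    `known` domains a sensor happened to observe (sampled with a fixed seed)."""
    candidates = generate_domains(day, count)
    observed = set(random.Random(1).sample(candidates, min(known, len(candidates))))
    return sum(1 for d in candidates if d in observed) / len(candidates)


def parse_resolver_log(lines):
    """Parse constructed 'time client qname rcode' lines into tuples."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            records.append((parts[1], parts[2].lower().rstrip("."), parts[3]))
    return records


def flag_dga_clients(records, min_names=20, nx_ratio=0.8):
    """Clients that resolve many distinct names, most of which do not exist.

    This is the trace a DGA leaves in resolver logs whatever domains it picks:
    only a handful of the day's candidates are ever registered, so the bot's
    lookups are overwhelmingly NXDOMAIN. Returns {client: nxdomain_ratio}.
    """
    seen = defaultdict(set)
    missing = defaultdict(set)
    for client, qname, rcode in records:
        seen[client].add(qname)
        if rcode == "NXDOMAIN":
            missing[client].add(qname)
    flagged = {}
    for client, names in seen.items():
        ratio = len(missing[client]) / len(names)
        if len(names) >= min_names and ratio >= nx_ratio:
            flagged[client] = round(ratio, 2)
    return flagged


def sample_log():
    """Constructed resolver log: one DGA-like host and one ordinary host."""
    lines = []
    for i, name in enumerate(generate_domains("2009-04-01", 40)):
        rcode = "NOERROR" if i in (3, 17) else "NXDOMAIN"   # two live rendezvous names
        lines.append(f"08:00:{i:02d} 10.0.0.7 {name}. {rcode}")
    ordinary = [f"www.example-{i}.org." for i in range(24)] + ["typo.invalid."]
    for i, name in enumerate(ordinary):
        rcode = "NXDOMAIN" if name.startswith("typo") else "NOERROR"
        lines.append(f"08:01:{i:02d} 10.0.0.23 {name} {rcode}")
    return lines


if __name__ == "__main__":
    for n in (250, 50_000):
        print(f"{n:>6} domains/day, 500 known: "
              f"coverage {blocklist_coverage('2009-04-01', n):.2%}")
    print("flagged clients:", flag_dga_clients(parse_resolver_log(sample_log())))
```

With 250 candidates a day, a blocklist of 500 observed names covers everything; at 50 000 a day the same blocklist covers one percent, which is the "pressure on simple URL blocking" Gartner refers to. The NXDOMAIN-ratio check does not depend on the candidate list at all: the bot host is flagged because nearly all of its distinct lookups fail, while the ordinary host with one typo is not. In production the thresholds would be tuned against the resolver's normal failure rate, and the check would be combined with the host-level patch verification described above.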

The research firm says the most likely outcome today is denial-of-service conditions caused by increased network traffic rather than any new capability on the part of the worm.

“The major risk of Conficker is the ongoing threat that compromised PCs present to both enterprises and home users,” it says.