Conficker Worm Arms Itself To Steal And Spam
The new variant, designated Conficker.E, is arriving through the worm's P2P connectivity.
The Conficker/Downadup worm is on the move again. After a relatively uneventful April 1, on which the worm began widening the number of Web sites that it scanned for instructions, a new Conficker variant has emerged and appears to be preparing to spam and steal information.
Symantec said the new Conficker/Downadup variant .E is designed to update version .C rather than the first-generation .A variant.
“In actuality, the primary objective is to update .C with the new features discussed during the briefing and drop Waledac binary onto the .C infected machines,” a company spokesperson said in an e-mail.
Not every security company agrees the malicious code being detected belongs to Conficker. Bkis, a security research firm based in Vietnam, said Thursday that the malware Trend Micro identified is associated with the Waledac worm.
Weafer, however, argues that not all honeypots -- the machines used to collect malware samples -- contain the same samples.
The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability that was patched (MS08-067) last October. Since then, it has been updated several times. It is now capable of multiple attack vectors, including USB devices and brute-force password guessing. It also uses various advanced techniques to escape detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.
Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the highest number of infections is in Asia (45%), followed by Europe (31%), South America (13.6%), and North America (5.8%), with the rest in the Middle East, Africa, and elsewhere. The new variant, designated Conficker.E, restores the use of the MS08-067 exploit, which was removed in the previous .C variant. It also includes new self-removal instructions that tell the worm to remove itself from an infected host on May 3. And it includes a slightly different list of Web sites from which to seek instructions.
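As an added illustration, not code from the article or from any vendor quoted in it, the Python sketch below uses a constructed date-seeded generator (not Conficker's real algorithm; the seed, TLD list and DNS log format are assumptions) to show why recovering a worm's domain-generation routine lets defenders pre-compute each day's rendezvous domains and match them against DNS logs.

```python
import hashlib

# Constructed values: a real worm embeds its own seed and TLD list.
SEED = b"example-seed"
TLDS = ["com", "net", "org"]


def daily_domains(day_iso, count=50):
    """Derive `count` candidate rendezvous domains for an ISO date string.

    Deterministic: anyone holding the algorithm and seed gets the same list,
    which is what lets defenders pre-register or sinkhole the names.
    """
    domains = []
    for i in range(count):
        material = SEED + day_iso.encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                       # 8..11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def flag_queries(log_lines, day_iso):
    """Return DNS log lines whose queried name is in that day's generated set."""
    hits = set(daily_domains(day_iso))
    flagged = []
    for line in log_lines:
        parts = line.split()                             # "<ts> <client> <qname> <qtype>"
        if len(parts) >= 3 and parts[2].lower().rstrip(".") in hits:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    day = "2009-04-09"
    # Constructed DNS log: one benign lookup, one hit on a generated name.
    sample_log = [
        "2009-04-09T10:00:01 10.0.0.5 www.example.com A",
        f"2009-04-09T10:00:02 10.0.0.7 {daily_domains(day)[3]} A",
    ]
    for line in flag_queries(sample_log, day):
        print("possible rendezvous lookup:", line)
```

Because the list changes every day, a blocklist built this way has to be regenerated daily, which is exactly the operational burden the worm's growing domain count imposes on defenders.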
Weafer said the update is arriving through the worm's peer-to-peer connectivity. It looks for the old .A variant and updates it with the improvements seen in version .C, which include better HTTP and P2P code, stronger defense mechanisms, and advanced anti-forensic techniques.
It also drops a binary that's part of the Waledac spam malware. "Waledac is about stealing your confidential information and putting back doors on your system," said Weafer.
Weafer said that because P2P updating is slow compared with other methods, it may be several days before the impact of Conficker's changes becomes apparent.
As computer security firms assess the risk posed by the Conficker/Downadup worm, the Department of Homeland Security has released a DHS-developed detection tool to help organizations scan for computers infected by the worm.
The DHS US-CERT team created worm-scanning software for federal and state government agencies, commercial vendors, and critical infrastructure owners. It's being made available through the Government Forum of Incident Response and Security Teams Portal and to private-sector partners through various Information Sharing and Analysis Centers.
This story was edited on April 9 to clarify statements made by Symantec.