It's Malware Time as Conficker Awakens and Updates
By Jennifer LeClaire / CRM Daily
Published: April 9, 2009
This is no April Fools' joke. The Conficker botnet is alive and well, and is using its peer-to-peer communications system to update itself as it downloads fake antivirus programs to millions of Windows machines previously infected with the virus.

The Conficker worm, also known as Downadup, raced across the Internet in January with tricks to spread undetected. Millions of computers were infected in just a four-day period. There are several different variants running wild already and the latest variant, Conficker.E, is now on the loose. On Wednesday, Symantec discovered a new sample that is a slightly modified version of the original worm.

"We've detected a slightly modified version of Downadup which we're calling variant E. This new variant is similar to previous variants. It has the ability to spread itself as we saw in variant A and it exploits a Microsoft vulnerability like was seen in variant B," said Orla Cox, security operations manager for Symantec Security Response. "However, it drops the C variant, which didn't have the ability to propagate."

Symantec Observes Waledac

According to Symantec, the new sample reintroduces the MS08-067 exploit vector, which had been removed in the C variant. It also includes previously unseen self-removal functionality that deletes the worm from an infected host on May 3.

The new sample includes a slightly different list of URLs to obtain the IP address of the infected host and also reaches out to a new list of high-profile domains to confirm the current date. When reaching out to these domains, the worm is not exploiting any weaknesses nor downloading any code.

Symantec has also observed a possible connection to W32.Waledac, one of the most active spam bots. W32.Waledac steals sensitive information, turns computers into spam zombies, and establishes a backdoor remote access. "We're seeing a connection with Downadup and Waledac in that Downadup could be distributing Waledac," Cox said. "This doesn't necessarily mean it's the same group that made the worms. It could be two groups working together."

Trend Micro Confirms Fears

Trend Micro confirmed the E variant and said the new version indicates that cybercriminals behind the Conficker worm may finally be gearing up for more serious attacks. Trend Micro said the Conficker peer nodes seem to be hosted in Korea.

The new variant uses random file and service names and is known to connect to the following sites: myspace.com, msn.com, ebay.com, cnn.com, and aol.com. This also propagates via MS08-067 to external IPs if the Internet is available, the company said. If no Internet connections are found, it uses local IPs.
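The date check described above is hard to spot one request at a time, because each of the five sites is a legitimate destination that ordinary users visit. What a defender can look for instead is the pattern: a single host reaching all of them within a few seconds. The following script is an added example written for this article, not code from Symantec, Trend Micro, or the worm itself; the 30-second window, the log format and the sample log lines are all constructed assumptions, and the heuristic is a starting point for triage rather than a signature.

```python
"""Correlation heuristic over constructed proxy-log lines.

The article reports that the E variant contacts myspace.com, msn.com,
ebay.com, cnn.com and aol.com to confirm the current date.  A visit to any
one of them is harmless, so this example only flags a client that reaches
every domain in the list inside a short window.  The window length and the
log format are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains named in the article as date-check targets.
DATE_CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Assumed burst width: an automated check hits all sites almost at once,
# whereas a person browsing spreads the same visits over minutes or hours.
WINDOW = timedelta(seconds=30)

# Constructed sample log, one "<ISO timestamp> <client ip> <host>" per line.
# 10.0.0.5 hits all five domains in four seconds; 10.0.0.9 visits three of
# them over two hours, which is what normal browsing looks like.
SAMPLE_LOG = """\
2009-04-08T10:00:01 10.0.0.5 cnn.com
2009-04-08T10:00:02 10.0.0.5 msn.com
2009-04-08T10:00:02 10.0.0.5 aol.com
2009-04-08T10:00:03 10.0.0.5 ebay.com
2009-04-08T10:00:04 10.0.0.5 myspace.com
2009-04-08T10:05:00 10.0.0.9 cnn.com
2009-04-08T11:30:00 10.0.0.9 msn.com
2009-04-08T12:00:00 10.0.0.9 ebay.com
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client_ip, host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host = line.split()
        events.append((datetime.fromisoformat(ts), ip, host.lower()))
    return events


def find_date_check_bursts(events, window=WINDOW):
    """Return {client_ip: first_timestamp} for every client that contacted
    all of DATE_CHECK_DOMAINS within `window` of its first such request."""
    per_client = defaultdict(list)
    for ts, ip, host in events:
        if host in DATE_CHECK_DOMAINS:
            per_client[ip].append((ts, host))

    flagged = {}
    for ip, hits in per_client.items():
        hits.sort()  # chronological order so each hit can open a window
        for i, (start, _) in enumerate(hits):
            seen = {h for t, h in hits[i:] if t - start <= window}
            if seen == DATE_CHECK_DOMAINS:
                flagged[ip] = start
                break
    return flagged


if __name__ == "__main__":
    for ip, first_seen in find_date_check_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: date-check burst starting {first_seen.isoformat()}")
```

A flagged host is a candidate for closer inspection, not a confirmed infection; the next step would be checking the machine for the MS08-067 patch and for the random service names the article mentions.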

"Having followed the activities of Eastern European online cybercrime for several years, there is one thing we are certain about -- these criminals are motivated by one thing: Money," said Ivan Macalintal, an advanced-threats researcher at Trend Micro. "How was Downadup/Conficker helping them meet their goals? It wasn't. A very large botnet of compromised computers doesn't make money if it just sits there doing nothing."

Now that Conficker has finally awakened and infected PCs are pulling down new Waledac binaries that could be used for spamming and installing rogue antivirus software, the plans may be falling into place. Security researchers said to stay tuned as the situation unfolds and to keep antivirus software up to date.

© Copyright 2017 NewsFactor Network. All rights reserved.