This is no April Fools' joke. The Conficker botnet is alive and well, and is using its peer-to-peer communications system to update itself as it downloads fake antivirus programs to millions of Windows machines previously infected with the virus.
The Conficker worm, also known as Downadup, raced across the Internet in January with tricks to spread undetected. Millions of computers were infected in just a four-day period. There are several different variants running wild already and the latest variant, Conficker.E, is now on the loose. On Wednesday, Symantec discovered a new sample that is a slightly modified version of the original worm.
"We've detected a slightly modified version of Downadup which we're calling variant E. This new variant is similar to previous variants. It has the ability to spread itself as we saw in variant A and it exploits a Microsoft vulnerability like was seen in variant B," said Orla Cox, security operations manager for Symantec Security Response. "However, it drops the C variant, which didn't have the ability to propagate."
Symantec Observes Waledac
According to Symantec, the new sample reintroduces the MS08-067 exploit vector, which had been removed in the C variant. It also includes previously unseen self-removal functionality that deletes the worm from an infected host on May 3.
The new sample includes a slightly different list of URLs to obtain the IP address of the infected host and also reaches out to a new list of high-profile domains to confirm the current date. When reaching out to these domains, the worm is not exploiting any weaknesses nor downloading any code.
Symantec has also observed a possible connection to W32.Waledac, one of the most active spam bots. W32.Waledac steals sensitive information, turns computers into spam zombies, and establishes a backdoor remote access. "We're seeing a connection with Downadup and Waledac in that Downadup could be distributing Waledac," Cox said. "This doesn't necessarily mean it's the same group that made the worms. It could be two groups working together."
Trend Micro Confirms Fears
Trend Micro confirmed the E variant and said the new version indicates that cybercriminals behind the Conficker worm may finally be gearing up for more serious attacks. Trend Micro said the Conficker peer nodes seem to be hosted in Korea.
The new variant uses random file and service names and is known to connect to the following sites: myspace.com, msn.com, ebay.com, cnn.com, and aol.com. The variant also propagates via MS08-067 to external IPs if an Internet connection is available, the company said. If no Internet connection is found, it targets local IPs instead.
"Having followed the activities of Eastern European online cybercrime for several years, there is one thing we are certain about -- these criminals are motivated by one thing: Money," said Ivan Macalintal, an advanced-threats researcher at Trend Micro. "How was Downadup/Conficker helping them meet their goals? It wasn't. A very large botnet of compromised computers doesn't make money if it just sits there doing nothing."
Now that Conficker has finally awakened and infected PCs are pulling down new Waledac binaries that could be used for spamming and installing rogue antivirus software, the plans may be falling into place. Security researchers said to stay tuned as the situation unfolds and to keep antivirus software up to date.