
Conficker Roars to Life, but with a Twist

digital_dreams

Didn’t someone tell the Conficker folks that they were supposed to update their worm on the 1st? Seriously?

Some eight days later, the wait is over. While security researchers watched some 50,000 domains for Conficker activity, the worm utilized its P2P communication scheme to spread new instructions among infected machines. (Links to reports are below). And what, pray tell, were those instructions?

  • Update the worm to a newer, time-limited version (meaning a new version is due out before May 3rd)
  • Download and install a fake Antimalware scanner (SpywareProtect2009, as of now)
  • Download and install a (kinda) new e-mail worm

Some of these were expected, some weren’t.

Honestly, with as much publicity and grandstanding as the worm domains got before, it’s a wonder more people didn’t expect it to update via P2P.

As I and many others said before, Conficker’s older version pushed fake AV software. Why not do it again? At $50 a pop, along with stolen credit card info, it’s a return on investment that’s gotta be hard to beat. With Microsoft saying that detections of fake security software rose by 66% in the second half of 2008, it’s clear that the organized cybercrime community has once again found a highly lucrative niche, much as adware/spyware bundles and toolbars were back in the 2001-2005 period.

What interests me far more than rogue scanners, however, is the new email worm. Downloaded as “f*ck4.exe” (use your imagination), some vendors claim it to be a variant of Conficker, others a variant of Waledac, and others a whole new beast. Regardless, the file is downloaded from a known Waledac malware distribution site (GoodNewsDigital.com), and it differs from the most up-to-date binaries of both Waledac and Conficker. Conficker downloads code from Waledac. Hot damn.

What does this all mean? Well, for one, if your computer isn’t currently screaming “I’VE GOT 50450283402 INFECTIONS, PAY $50 TO GET YOUR DESKTOP BACK!”, then it’s probably safe to say that you’re not infected. However, since both Conficker and (Waleficker? Confidac? CONFIDAC! You saw it here first…) are worms, keep your patches and AV up to date. As for Conficker and Waledac’s budding relationship…it’s fascinating. Waledac was seen as a likely offshoot of the Storm Worm (mentioned in my first real post!), which was often attributed to Russian authors (at odds with then-bot-of-the-month Warezov and its ostensibly Chinese origins). Very interesting, and worth pursuing further — $250,000, anyone?

NOTE: Much of the above information is new and may be inaccurate. (For example, some are claiming that a keylogger is installed, that Conficker jumped out of computers, tore through Silicon Valley, and slashed the fiber optic network cables of the Conficker Cabal, etc). I’ll be sure to update/correct it as more details are revealed.

Conficker Coverage:
ZeroDay
CyberCrime & Doing Time
Kaspersky
SANS ISC

- DIO
