Thursday, April 09, 2009

A Week Later Conficker Might Be Rearing Its Ugly Head

Conficker might not have lived up to the early hype but that might be changing as a new variant has begun rearing its ugly head and this newest update might be the ugliest of them all!

Conficker.e, as the update has been named, began downloading and installing on previously-infected PCs at midnight London time, said Kevin Hogan, director of security response operations for Symantec Corp.

The new variant is now installing new bots, scareware/ransomware and other malicious code that might be used by the virus's creators to make money. According to Kaspersky researcher Alex Gostev, Conficker.e is downloading and installing fake security software. The rogue software, SpywareProtect2009, extorts $50 from users by claiming to remove an infection, when in fact the software is the infection.

TrendMicro warns they are now detecting this new Conficker variant as WORM_DOWNAD.E. Some interesting things they have found are:
  1. (Un)Trigger Date – May 3, 2009, it will stop running
  2. Runs in random file name and random service name
  3. Deletes this dropped component afterwards
  5. Propagates via MS08-067 to external IPs if Internet access is available; if there is no Internet connection, it uses local IPs
  6. Opens port 5114 and serves as an HTTP server, advertising itself by broadcasting SSDP requests
  6. Connects to the following sites:

It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries, etc.
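The behaviours listed above (an HTTP server on port 5114, SSDP broadcasts, and MS08-067 propagation, which rides on SMB/TCP 445) are things a network defender can look for in flow logs even when the host itself has been wiped clean. The following is an added example, not code from the original post or from Trend Micro: it scores internal hosts against those three indicators over a small set of constructed flow records. The tuple record format, the private address ranges treated as "internal", and the fan-out threshold are all assumptions made for the example.

```python
"""Flow-log triage for the Downad.E / Conficker.e network indicators.

Added example, not from the original post. Flow records are assumed to be
(src_ip, dst_ip, proto, dst_port) tuples; this is a constructed format,
not any vendor's schema. Indicators:
  - inbound TCP to port 5114 on an internal host (the variant serves HTTP there)
  - SSDP M-SEARCH traffic (UDP 1900 to the SSDP multicast address) from a host
  - one internal host opening TCP 445 (the MS08-067 vector) to many distinct
    external addresses, i.e. scanning rather than normal file-share use
"""
from collections import defaultdict
import ipaddress

# Assumed "internal" ranges; replace with your own address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SSDP_MCAST = "239.255.255.250"   # standard SSDP multicast address
SMB_FANOUT_THRESHOLD = 5         # assumed tuning knob; baseline it per network


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


# Constructed sample flows (not real traffic): (src_ip, dst_ip, proto, dst_port)
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, i.e. "external".
SAMPLE_FLOWS = [
    ("10.1.1.20", "239.255.255.250", "udp", 1900),  # SSDP broadcast from a workstation
    ("10.1.1.31", "10.1.1.20", "tcp", 5114),        # a peer fetching from the HTTP server on 5114
    ("10.1.1.20", "203.0.113.5", "tcp", 445),       # SMB to five distinct external hosts ...
    ("10.1.1.20", "203.0.113.6", "tcp", 445),
    ("10.1.1.20", "203.0.113.7", "tcp", 445),
    ("10.1.1.20", "203.0.113.8", "tcp", 445),
    ("10.1.1.20", "203.0.113.9", "tcp", 445),       # ... crosses the fan-out threshold
    ("10.1.1.40", "10.1.1.50", "tcp", 445),         # normal internal file-share traffic
    ("10.1.1.40", "198.51.100.7", "tcp", 80),       # ordinary web browsing
]


def score_hosts(flows, fanout_threshold: int = SMB_FANOUT_THRESHOLD) -> dict:
    """Return {host: sorted list of indicator names} for hosts matching any indicator."""
    indicators = defaultdict(set)
    smb_targets = defaultdict(set)   # src host -> set of external 445 destinations

    for src, dst, proto, dport in flows:
        # Someone reached an HTTP listener on 5114 inside the network.
        if proto == "tcp" and dport == 5114 and is_internal(dst):
            indicators[dst].add("http_server_5114")
        # SSDP discovery traffic; noisy on its own, meaningful alongside the others.
        if proto == "udp" and dport == 1900 and dst == SSDP_MCAST:
            indicators[src].add("ssdp_msearch")
        # Outbound SMB from an internal host to external addresses.
        if proto == "tcp" and dport == 445 and is_internal(src) and not is_internal(dst):
            smb_targets[src].add(dst)

    for host, targets in smb_targets.items():
        if len(targets) >= fanout_threshold:
            indicators[host].add("smb445_external_fanout")

    return {host: sorted(names) for host, names in indicators.items()}


if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_FLOWS).items():
        print(host, ", ".join(names))
```

A single indicator (SSDP in particular) is common on a normal network; the value of the triage is in a host that accumulates all three, which is the pattern the post describes. Internal 445 traffic is deliberately ignored here so routine file sharing does not trip the rule.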

In the latest activity, the report says they are seeing infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do). Waledac is believed to be the successor to the infamous Storm bot and Storm Worm of 2008.
