New Conficker variant looks same, acts differently

Summary: The criminals behind the widespread Conficker worm have released a new version of the malware that looks almost identical to the original but operates much differently, reports PC World. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday.

The criminals behind the widespread Conficker worm have released a new version of the malware that looks almost identical to the original but operates much differently, reports PC World.

The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.

If you get Conficker, your computer is in for a world of hurt: sending spam, logging keystrokes, launching denial of service attacks, and that's just for starters.

Apparently, an ad hoc group called the "Conficker Cabal" has kept Conficker under control by cracking the algorithm the software uses to find one of thousands of rendezvous points on the Internet where it can look for new code. These rendezvous points use unique domain names that the Conficker Cabal is trying to register and keep out of bad hands.

The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether, posing problems for the Cabal's current defense.
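The defense described above works only because the rendezvous domains can be predicted before an infected host asks for them. The following added example is not from the article, SRI or the Cabal: it uses a constructed date-seeded generator as a stand-in for the real Conficker algorithm (which the article does not reproduce), pre-computes a few days of candidate domains the way a registrar or sinkhole operator would, and flags DNS log lines (constructed format) that query them.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a date-seeded rendezvous-domain generator. It is
# not Conficker's real algorithm (the article does not reproduce it); it only
# shares the property the defense relies on: anyone who knows the algorithm
# can compute the same domain list for a given day in advance.
TLDS = ("com", "net", "org", "info", "biz")

def rendezvous_domains(day_iso: str, count: int = 250) -> list:
    """Deterministically derive the candidate rendezvous domains for one day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])  # 8 letters
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains

def predicted_domains(start_iso: str, lookahead_days: int = 3) -> set:
    """Pre-compute the domains for the start day and the following days, as a
    registrar or sinkhole operator would before infected hosts ask for them."""
    start = date.fromisoformat(start_iso)
    predicted = set()
    for offset in range(lookahead_days):
        predicted.update(rendezvous_domains((start + timedelta(days=offset)).isoformat()))
    return predicted

def flag_rendezvous_queries(log_lines, start_iso: str, lookahead_days: int = 3):
    """Return (client, name) for DNS log lines that query a predicted domain.
    Constructed log format: '<client_ip> <query_name> <qtype>'."""
    predicted = predicted_domains(start_iso, lookahead_days)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 3 and parts[1].lower().rstrip(".") in predicted:
            hits.append((parts[0], parts[1]))
    return hits

def demo_hits():
    """Constructed DNS log: two hosts hitting predicted domains (one for a
    later day, upper-cased with a trailing dot), one benign lookup, one host
    querying a domain outside the three-day window."""
    log = [
        f"10.0.0.5 {rendezvous_domains('2009-02-20')[3]} A",
        "10.0.0.6 www.example.com A",
        f"10.0.0.7 {rendezvous_domains('2009-02-22')[0].upper()}. A",
        f"10.0.0.8 {rendezvous_domains('2009-02-25')[0]} A",
    ]
    return flag_rendezvous_queries(log, "2009-02-20")
```

The B++ techniques the article mentions matter precisely because they bypass this list: a host that fetches code without querying a predicted domain produces no hit here.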

Conficker underwent a major rewrite in December, when the B variant was released. But this latest B++ version includes more subtle changes, according to Phil Porras, a program director with SRI. "This is a more surgical set of changes that they've made," he said.

According to SRI, there were 297 subroutines in Conficker B; 39 new routines were added in B++ and three existing subroutines were modified. B++ suggests "the malware authors may be seeking new ways to obviate the need for Internet rendezvous points altogether," according to the report.

Conficker B++ first appeared on Feb. 6, according to one researcher tracking the worm.

Also known as Downadup, Conficker spreads using a variety of techniques. It exploits a Windows bug to attack computers on a local area network, and it can also spread via USB devices such as cameras or storage devices.

All variants of Conficker have now infected about 10.5 million computers, according to SRI.


About

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. He is also the former editor of SmartPlanet, ZDNet's sister site about innovation. He writes about business, technology and design now but used to cover finance, fashion and culture. He was an intern at Money, Men's Vogue, Popular Mechanics and the New York Daily Ne... Full Bio