Conficker wakes up, updates, drops payload


The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

CNET's Elinor Mills reports that researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

Just yesterday, Zero Day blogger Dancho Danchev noted that a Conficker copycat was already making its rounds.

According to a post on the TrendLabs Malware blog, the awakened worm tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com to test whether the infected computer has Internet connectivity. It then deletes all traces of itself from the host machine and is scheduled to stop running on May 3.
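The connectivity check above is one of the few observable behaviours the report gives, so it is worth knowing what it looks like in proxy or DNS logs. The following is an added example, not code from ZDNet or Trend Micro: it flags any internal host that contacts all five check domains within a short window. The log format (a constructed "timestamp source-IP hostname" line) and the 60-second window are assumptions; adapt the parser to your own proxy or resolver logs.

```python
"""Flag hosts whose outbound traffic hits all five connectivity-check domains
named in the TrendLabs report within a short window.

Added example, not code from the article or from Trend Micro. The log lines
below are constructed for the demonstration; the one-line-per-request
"timestamp src_ip host" format and the 60-second window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The five domains the report says the worm contacts as a connectivity test.
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Assumption: the check is a single burst, so a tight window is appropriate.
WINDOW = timedelta(seconds=60)

# Constructed sample: 10.0.0.5 shows the burst; 10.0.0.7 touches some of the
# domains but spread over time and incomplete; 10.0.0.9 is unrelated traffic.
SAMPLE_LOG = """\
2009-04-08T10:00:01 10.0.0.5 www.cnn.com
2009-04-08T10:00:02 10.0.0.5 myspace.com
2009-04-08T10:00:02 10.0.0.5 www.msn.com
2009-04-08T10:00:03 10.0.0.5 ebay.com
2009-04-08T10:00:03 10.0.0.5 aol.com
2009-04-08T10:00:10 10.0.0.7 www.cnn.com
2009-04-08T10:05:00 10.0.0.7 www.msn.com
2009-04-08T10:00:04 10.0.0.9 news.google.com
2009-04-08T11:30:00 10.0.0.7 myspace.com
"""


def registered_domain(host):
    """Reduce a hostname to its last two labels; enough for these .com domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed 'timestamp src_ip host' log line."""
    ts, src, host = line.split()
    return datetime.fromisoformat(ts), src, registered_domain(host)


def find_check_bursts(log_text, window=WINDOW):
    """Return {src_ip: burst_start} for hosts that reached every check domain
    within `window`. Hosts that hit only some domains, or all of them spread
    over a longer period, are not reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dom = parse_line(line)
        if dom in CHECK_DOMAINS:
            events[src].append((ts, dom))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; report the first full match.
        for i, (start, _) in enumerate(evs):
            seen = {dom for ts, dom in evs[i:] if ts - start <= window}
            if seen == CHECK_DOMAINS:
                hits[src] = start
                break
    return hits


if __name__ == "__main__":
    for src, start in find_check_bursts(SAMPLE_LOG).items():
        print(f"{src}: all five check domains within {WINDOW} starting {start}")
```

All five are among the most visited sites on the Internet, so a single host resolving them is meaningless on its own; the signal is only the shape of the burst (all five, seconds apart, typically from a machine with no browser session open). Treat a hit as a weak indicator to corroborate with the other artifacts the report names, such as the new file in the Windows Temp folder, rather than as a verdict.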

Mills reports:

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

The development was found when Trend Micro researchers noticed a new file in the Windows Temp folder and a large encrypted TCP response from a known Conficker P2P IP node hosted in Korea:

Two things can be summed up from the events that transpired:

  1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications are now running in full swing!
  2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

As for the second point, researchers said the worm tries to access a known Waledac domain and download another encrypted file, but they're still trying to examine the connection.


Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.


Talkback

175 comments
  • So basically...

    ...anyone who patched back in October and who doesn't install dodgy files is still OK?

    Which seems to be about 99%+ of Windows users.
    Sleeper Service
    • 99% of Windows users patch and avoid dodgy files?

      This is a joke right? And no it has nothing to do with Windows. You can't seriously believe that stat you pulled out of your butt can you?
      storm14k
      • I think he meant...

        ...that 99% of Windows users who patched in October (but not after March 30th) and don't download risky files [i]are[/i] still at risk.
        914four
        • Anyone with Auto-Update turned on is safe

          Windows Update takes care of this. Most people have it turned on because that is the default choice. Only those who don't have it running daily are at risk. Even the stupid people who click on everything they see are covered by Windows Update.

          From the start, I thought all of the estimates saying 10-20 million were probably infected were drastically exaggerated by mediatards. Probably the vast majority of truly "infected" computers are the ones sitting in the test facilities of security firms who are curious to see what it does and whether they can milk it for more money somehow.
          BillDem
          • Conficker hosts and other friends.

            I have been tracking local cloud activity from my ISP. Just a novice monitoring the log files generated by my router. Over the past few months I have logged and otherwise peg counted far more than 50K questionable attempts to probe or make connections to my machines. I have also noted a few outgoing attempts that were filtered or rejected. A lot of the Conficker chatter is quite informative but most of it seems to evade what I might call obviously desirable info. Is there a way that I can correlate my data against known troubled spots?
            talibbash
          • Worm?

            Does this thing even exist? Does anyone know of anybody that has it? I read all the posts here and on other sites and everybody is talking about it,but no one has it or any first hand knowledge of it. April Fool?????
            nimrod666
          • The storm that never was...

            ...and to the red-faced embarrassment of the weathermen who predicted so loudly; the storm nobody outside of weathermen ever heard of.

            And still they rave on.
            Cayble
      • 10 million infected...

        ...over a billion Windows users.

        Do the maths, sport. :)
        Sleeper Service
        • There are only 10 million infected computers in the world?

          This is getting worse by the post....
          storm14k
          • Conficker, son...

            ...stay on track. :)
            Sleeper Service
        • No matter how hard you try, the result is still the same:

          over 10 million infected.

          Too serious to be playing games around it. You would do better fighting it instead of just trying to hide it.
          InAction Man
          • Ya. For the 1% who hit the...

            ...JERK POT.

            Just how careless do you have to be to get this thing??

            I guess if you're determined to be as reckless as you can be, you can accomplish just about any stupid thing.
            Cayble
          • And over one billion Windows users...

            ...however way you count it!

            :)
            Sleeper Service
          • Don't hide it, Fight it!

            Conficker won't go away just because you pretend it isn't important.
            InAction Man
        • ye said there were 12 million

          Is the number growing or are you just not counting some?
          914four
          • Last time I checked . . .

            12 million WAS "over 10 million".

            Is English your second language?

            JLHenry
          • Actually it is.

            My first language is French, but that's not really relevant. I just found that 10M vs 12M was worth pointing out, a 17% margin of error; it's sort of like saying at least 10 people died of cancer last year, it's technically true but tends to diminish the actual truth.
            914four
          • It depends on where you look for your numbers.

            As for margin of error, you need to compare these numbers to Windows' marketshare of 1 billion (estimated on the low side) and not to each other. In that comparison a 2 million difference is only meaningful to those desperately looking for some hope of making the problem out to be more than it really is.

            10 million = 1% infection rate.
            12 million = 1.2% infection rate.

            ye
          • reply to ye

            [i]"In that comparison a 2 million difference is only meaningful to those desperately looking for some hope of making the problem out to be more than it really is."[/i]

            I'm sure those 2 million infested users would be chagrined to know that they don't mean much to you ye. Perhaps this would be a good opportunity for them to try an OS where they have meaning?
            914four
      • Not only is Conficker a non issue...

        It's one of those non-events 99% of Windows users have never even heard of, never mind been hit by. Yes, during a six-month period, 99% of anyone who actively uses the net with Windows is patched well enough not to worry about this stupidity.
        Cayble