New Conficker variant looks same, acts differently

Summary: The criminals behind the widespread Conficker worm have released a new version of the malware that looks almost identical to the original but operates much differently, reports PC World. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday.

TOPICS: Security, CXO
The criminals behind the widespread Conficker worm have released a new version of the malware that looks almost identical to the original but operates much differently, reports PC World.

The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.

If you get Conficker, your computer is in for a world of hurt: sending spam, logging keystrokes, launching denial of service attacks, and that's just for starters.

Apparently, an ad hoc group called the "Conficker Cabal" has kept Conficker under control by cracking the algorithm the software uses to find one of thousands of rendezvous points on the Internet where it can look for new code. These rendezvous points use unique domain names that the Conficker Cabal is trying to register and keep out of bad hands.

The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether, posing problems for the Cabal's current defense.

Conficker underwent a major rewrite in December, when the B variant was released. But this latest B++ version includes more subtle changes, according to Phil Porras, a program director with SRI. "This is a more surgical set of changes that they've made," he said.

According to SRI, there were 297 subroutines in Conficker B; 39 new routines were added in B++ and three existing subroutines were modified. B++ suggests "the malware authors may be seeking new ways to obviate the need for Internet rendezvous points altogether," according to the report.

Conficker B++ first appeared on Feb. 6, according to one researcher tracking the worm.

Also known as Downadup, Conficker spreads using a variety of techniques. It exploits a Windows bug to attack computers on a local area network, and it can also spread via USB devices such as cameras or storage devices.

All variants of Conficker have now infected about 10.5 million computers, according to SRI.

Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

Talkback

31 comments
  • Welcome to WINDOWS!!! :)

    Awesome, I do NOT use Windows - RHEL here, so they can enjoy Windookes Servers!

    :)
    Christian_<><
    • Welcome to last November

      when this was patched.
      rtk
      • Also welcome to your pirated copy of Windows

        When looked at geographically, Conficker infection rates are [b]very[/b] closely tied to Windows piracy rates. If you live in North America or Europe and are using a genuine copy of Windows, you have nearly 0 chance of getting this thing. If you have patched your machine in the last 4 months, you have a 0% chance of getting this thing [b]unless[/b] you manually give the trojan installer your administrator permission to proceed. The ZDNet talkback community has already stated that trojans that require manual privilege escalation don't count as malware so this means that Conficker doesn't count as malware. These are the rules as described by ABMers so you have to know that they are correct.
        NonZealot
        • So...Houston Court System and French Navy are pirates?

          http://www.pcworld.com/article/159224/conficker_worm_sinks_french_navy_network.html

          http://www.softsecurity.com/news/highlights/houston-justice-system-laid-low-by-conficker-worm.html

          No...these guys and millions of other legal Windows users just somehow forgot to install the patches. Perhaps the systems MS uses for sending out patches need some work??... or is this just a 'blame the user' situation?
          UGottaBKidding
          • Yup, it's a blame the administrator situation.

            Leaving vulnerabilities unpatched for months on end can only be the administrator's fault, regardless of OS vendor.

            You know this, but it doesn't fit into your twisted world view, so you disregard it.
            rtk
          • Prove it is millions

            The stats are that 1% of conficker infections are in the US and Europe. Since the number of infections seems to be around 10 million, that means 100,000 US and Europe Windows users were hit. So right off the bat, your "millions" number is wrong.

            [i]legal Windows users just somehow forgot to install the patches[/i]

            Nope, pirates are more likely not to install patches. [b]100% of all patched systems are safe from the viral portion of Conficker. If you are patched and you got infected it is because Conficker asked to be installed and you manually gave it permission to.[/b] Got it?

            [i]Perhaps the systems MS uses for sending out patches need some work??[/i]

            You mean MS should send out patches and force install them on customer's machines? Uh huh. 100% of all infected systems had the opportunity to install the patch. The machine's administrator chose not to.

            [i]or is this just a 'blame the user' situation?[/i]

            You tell me. If an Apple or Linux user got attacked through a vulnerability that was patched 4 months ago or if they ran a trojan and when asked, manually gave that trojan admin rights, would you consider that to be a "blame the user" situation? Sorry, you won't get away with your double standards here. :)
            NonZealot
          • mission critical

            In mission critical areas... blood banking is a key example.. the concept of 'blame and train' you espouse is just not acceptable. The goal is (and must be) to design systems that make it easier for the user to do the right thing...for example... so that loading patches is child's play. The persistence of the Conficker problem clearly indicates that the current approach is not there yet. The answer is to design better systems, not to blame the user...regardless of which OS is affected. Although, the fact that their OS tends to have a lot more attacks of this kind than others would make a reasonable person think that MS would spend more time improving their systems for delivering their fixes and patches.
            UGottaBKidding
          • So these are mission critical systems?

            There are only 2 ways that conficker can get onto a machine: an unpatched file share vulnerability and a USB key. Are you now suggesting that these mission critical computers were configured with file sharing turned on and no firewall and that people were allowed to go into the server room and insert USB keys into the computer?

            Every time you post you sound more and more desperate. In principle I agree with you that mission critical systems need to be patched with more care (no matter the OS) but a [b]good[/b] admin will offset that by ensuring that mission critical systems are secured better than non mission critical systems.

            No matter how you try to twist it, it all comes down to incompetent admins. Either they didn't patch when they should have or they did a [b]terrible[/b] job of securing their mission critical systems. Which would you prefer to go with?
            NonZealot
        • NZ, don't you realize...

          ...that when you try to use truth & logic, it flies so far over their head, they can't even feel the breeze?
          MGP2
          • Once again, insult and irrelevance...

            Insult and irrelevance instead of, God-forbid, well-reasoned argument.
            The facts are simple. Conficker exists and persists. Blaming the User/Administrator is valid...but only goes so far unless you assume that Windows is perfect.
            Persons whose business it is to manage product quality believe that every mistake is an opportunity for improvement (well... the good ones do). Conficker's persistence indicates just such an opportunity. I hope the people in Redmond grab it with both hands and thereby help reduce the likelihood and impact of the next piece of Conficker-like malware that will come down the pike.
            UGottaBKidding
      • More like October 23rd, 2008...

        That was the date MS released the patch - out of band - to the world.
        Wolfie2K3
    • I made a polite request

      Again you have made a blunder, good sir. I feel you have not given my last request a serious view.
      Again, I understand that you are a Red Hat Environment Lackey and we do respect your opinion on Linux/Unix/Red Hat, but I think you may have mistaken this forum.
      Again, this is a Windows forum and I would only ask that you keep your reply to the stated topic; in the future you may inadvertently cause confusion by posting in such a manner.

      thanks again for your future compliance

      UNHOLYTECH

      unholytech
      • Re: polite request

        Again you have made a mistake in thinking Windoows is the ONLY operating system available for mankind.


        There are other options than the Communist NON-choice on users that are being exploited by constant viruses/worms costing consumers and businesses millions in untold damages.

        Thanks again for your future compliance

        Choice
        Christian_<><
        • Why do the linux advocates

          always act in such a confrontational and derogatory manner?

          It reflects badly on the Linux community as a whole.
          honeymonster
          • Re: why do...

            Why do consumers only get one operating system, and why does everything have to be 'Windoows'?
            Christian_<><
          • odd

            [i]Why do consumers only get one operating system and why does everything have to be 'Windoows'[/i]

            Last I heard Macs were readily available... wait.. lemme check on that for you.....

            Yep, they're still selling them. Next.
            Badgered
          • I think he left out one word that would invalidate your response

            [i]Why do consumers only get one [b]good[/b] operating system and why does everything have to be 'Windoows'[/i]

            That eliminates OS X. :)
            NonZealot
        • hmmmmmm......

          All I asked is that you keep your posts to the topic at hand, not put your slight of UNIX into it.
          All I see you posting is about Red Hat instead of telling everyone that you are blind to the issue because of Unix and its core structure. Try being a little open to the conversation and truly talk about it.

          We all know that Unix and Linux are good for their jobs and whatnot, but not everyone feels the same.
          I deal with all sorts, so I have a true understanding of choice. I try not to push anyone one way or the other; I give them CHOICE.

          So please practice what you preach and try to allow the people who made their choice to talk about the issue in their own way, and not try to ram your pseudo-blind better-than views on everyone else.

          on topic

          I was thinking that a true heuristic scanner coupled with a white list could be of better help to aid in diverting a possible infection.

          I know I could be wrong just a thought.
          unholytech
        • Enlighten us...

          [i]Again you have made a mistake in thinking Windoows is the ONLY operating system available for mankind.[/i]

          Which other ones would you recommend?
          MGP2
          • Re: Linux distro's without worms as standard equipment...

            Well, let's see. Malware does not affect Linux servers, and by the way there are more Linux servers than any Windoows worm machines. Also, 'point & click' is not a technical skill. I heard a dollar store is hiring; you might want to check it out! ;)
            Christian_<><