Researchers who conducted extensive analysis of the Conficker/Downadup worm found that it's flexible enough to bypass the traditional way a worm receives a payload and many researchers agree that the most lucrative move for the worm's author is to divide the botnet into pieces and sell it off to the highest bidder.
Once sold, the new botnet owner can better target a specific segment and deliver new commands to harvest data such as passwords and account information from a geographic location or a targeted audience.
"There's been surgical changes made," said Phillip Porras of SRI International, who's research report recently addressed the peer-to-peer update method that Conficker could use to get its marching orders.
offers $250K bounty for Conficker writer: It's not the first time the software giant issued a
reward for information leading to the arrest and conviction of a virus writer.
Coalition forms to battle Microsoft worm attack, $250K reward offered: A coalition of more than a dozen organizations is working together to fend off the potential damage posed by the Conficker/Downadup worm.
OpenDNS to step up fight against Conficker worm: OpenDNS is teaming with Kaspersky to bulk block Conficker worm domains, shutting off communication with the worm writer.
Porras said he thinks the cybercriminals behind Conficker could use a backdoor rather than the domain generation algorithm being closely monitored and proactively blocked by a coalition of Internet security and DNS organizations. A feature in the worm's coding allows local and remote processes to communicate information to the Conficker process. It allows an external host to connect and upload commands much like data exchanging in peer-to-peer file sharing.
"Clearly they're focused on alternative methods where they can upload binaries to drones and those binaries can be validated by the drones," Porras said.
The peer-to-peer update method gives Conficker an alternative path which bypasses the use of Internet rendezvous points. Porras wrote in his report that the Conficker's authors are moving "away from a reliance on Internet rendezvous points to support binary update and toward a more direct flash approach."
Security researchers say they don't know of any new variants of the worm -- good news since current antivirus can easily detect all known variants.
Because an infected machine has to wait for an updated Conficker variant to attempt to infect it again, the peer-to-peer method isn't the most efficient mechanism, said Marc Fossi, manager of research and development at Symantec Security Response. But the update method does allow the author to split up and break apart pieces of the botnet to sell to other attackers, Fossi said.
"The mechanism is there, it's viable and now it's up to whether the originator takes advantage of it and to what extent," Fossi said.
Despite the peer-to-peer method of command delivery available to the worm's author, security researchers will remain glued to the domains used by the worm to phone home. The coalition, announced Feb. 12, was the only way security vendors, DNS vendors and ISPs could proactively disable domains and throw a wrench into the Conficker author's plans. It's near impossible for researchers to get in between Conficker's peer-to-peer update mechanism, Fossi said.
"If those machines are already infected, it's more than likely that they're not up to date on their security patches and AV software, firewalls and so on, and so there's no real way to actively repair those," he said.