New Conficker variant has ties to Storm botnet

Conficker.E drops the malicious Waledac worm, giving it the ability to spread to other vulnerable machines and, ultimately, to send spam.

A new Conficker/Downadup variant is on the loose, one with connections to the Storm botnet.

Conficker.E, as it has been named by several security companies, is being pushed to computers already compromised by previous versions of the worm. Unlike its immediate predecessor, it drops a binary belonging to the malicious Waledac worm, and it once again spreads on its own by exploiting the remote procedure call vulnerability in the Windows Server service (MS08-067). The version that preceded it, Conficker.C, had no such spreading mechanism: it updated itself only over a peer-to-peer network or by downloading from a long list of URLs.


Waledac is capable of harvesting and forwarding passwords, and it spreads via email attachments with topical subject lines; previous iterations of Waledac used holiday-related subject lines and tried to lure users into opening the attachment with the promise of an e-card.

"Waledac is used mainly for spam," said Orla Cox, security operations manager with Symantec Security Response. "We believe Waledac is connected with Storm. Waledac uses many of the same techniques as Storm; this one is a new iteration."

Another new twist is that Conficker.E will delete itself on May 3. Cox said the worm is likely giving itself a few weeks to spread; by then the spreading component will have done its job, and removing it makes the infection less obvious on a compromised system.

Trend Micro advanced threat researcher Paul Ferguson said analysis of the variant has been difficult because some of the worm's binaries are encrypted. He confirmed the crossover between Conficker, Waledac and Storm.

"Some of us expected a new twist to appear at some point in time because it's got the same fingerprints as the Russian-Ukrainian organized crime operations that are probably pulling the strings behind both Conficker and Waledac and may even have been involved in Storm previous to Waledac," Ferguson said. "Most of this stuff is extraordinarily professionally designed."

Cox said Conficker.E has not been as active as previous variants. Systems that are patched against the MS08-067 vulnerability are protected from its spreading mechanism, and most antivirus vendors have updated their signatures in the past 24 hours as well.
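The patch check implied by the paragraph above, written out as an added example (it is not code from the article or from any vendor quoted in it): MS08-067 shipped as Windows update KB958644, so a host on which that hotfix is absent is still exposed to the worm's spreading mechanism if its Server service is reachable on TCP 445. The host list is a placeholder to be replaced with your own inventory.

```powershell
# Added example: report which hosts lack the MS08-067 fix (KB958644).
# Assumption: the caller has remote WMI/RPC access to the listed hosts;
# 'localhost' is a placeholder for a real inventory.
$hosts = @('localhost')

foreach ($h in $hosts) {
    try {
        # Get-HotFix raises an error when the requested KB is not installed;
        # -ErrorAction Stop turns that into a terminating error we can catch.
        $fix = Get-HotFix -Id 'KB958644' -ComputerName $h -ErrorAction Stop
        "{0}: KB958644 (MS08-067) installed on {1}" -f $h, $fix.InstalledOn
    } catch {
        "{0}: KB958644 NOT found - still exploitable by Conficker if TCP 445 is reachable" -f $h
    }
}
```

Get-HotFix reads the Win32_QuickFixEngineering class, which lists individually installed hotfixes but not fixes that arrived as part of a service pack, so a machine that received the fix through a later service pack can show as "NOT found"; treat a negative result as a prompt to verify the Server service binary version, not as proof of exposure.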

"This one has not been as widespread. That may be why we're seeing these worming capabilities," Cox said. "It's getting harder to infect with this method."

Much was expected of Conficker.C on April 1, when it was to begin downloading orders from a large list of domains and URLs pointing at command-and-control servers. Researchers, including the collaboration known as the Conficker Working Group, had been able to block the malware's efforts, and the expected outbreak was a dud.
