Conficker botnet ready to be split, sold

By Robert Westervelt, News Editor
26 Feb 2009 | SearchSecurity.com


Researchers who conducted extensive analysis of the Conficker/Downadup worm found that it is flexible enough to bypass the traditional way a worm receives a payload. Many researchers agree that the most lucrative move for the worm's author is to divide the botnet into pieces and sell them off to the highest bidder.

Once sold, the new botnet owner can better target a specific segment and deliver new commands to harvest data such as passwords and account information from a geographic location or a targeted audience.

"There's been surgical changes made," said Phillip Porras of SRI International, whose research report recently addressed the peer-to-peer update method that Conficker could use to get its marching orders.

Porras said he thinks the cybercriminals behind Conficker could use a backdoor rather than the domain generation algorithm being closely monitored and proactively blocked by a coalition of Internet security and DNS organizations. A feature in the worm's coding allows local and remote processes to communicate information to the Conficker process. It allows an external host to connect and upload commands much like data exchanging in peer-to-peer file sharing.

"Clearly they're focused on alternative methods where they can upload binaries to drones and those binaries can be validated by the drones," Porras said.

The peer-to-peer update method gives Conficker an alternative path that bypasses the use of Internet rendezvous points. Porras wrote in his report that Conficker's authors are moving "away from a reliance on Internet rendezvous points to support binary update and toward a more direct flash approach."

Security researchers say they don't know of any new variants of the worm -- good news since current antivirus can easily detect all known variants.

Because an infected machine has to wait for an updated Conficker variant to attempt to infect it again, the peer-to-peer method isn't the most efficient mechanism, said Marc Fossi, manager of research and development at Symantec Security Response. But the update method does allow the author to split up and break apart pieces of the botnet to sell to other attackers, Fossi said.
"The mechanism is there, it's viable and now it's up to whether the originator takes advantage of it and to what extent," Fossi said.

Despite the peer-to-peer method of command delivery available to the worm's author, security researchers will remain glued to the domains used by the worm to phone home. The coalition, announced Feb. 12, was the only way security vendors, DNS vendors and ISPs could proactively disable domains and throw a wrench into the Conficker author's plans. It is nearly impossible for researchers to get in between Conficker's peer-to-peer update mechanism, Fossi said.
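The domain-watching approach described above can be reproduced on a defender's own resolver logs. The following Python script is an added example, not code from the article, from SRI or from the coalition: it parses a constructed resolver query log, flags any client that asked for a domain on a block list (a stand-in for the coalition's list of rendezvous domains), and separately flags clients that received NXDOMAIN for many distinct names in a short span, which is what a host walking a generated domain list looks like from the resolver's side. The log format, the IP addresses, the domain names and the block list are all invented for the example; the NXDOMAIN threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (timestamp, client, "query", qname, qtype, rcode).
# Every host, address and domain name here is invented for this example.
SAMPLE_LOG = """\
2009-02-26T10:00:01 10.0.0.5 query mail.corp.example A NOERROR
2009-02-26T10:00:03 10.0.0.5 query update.corp.example A NOERROR
2009-02-26T10:00:05 10.0.0.5 query rendezvous-a.example A NXDOMAIN
2009-02-26T10:00:10 10.0.0.7 query abqzkqwc.example A NXDOMAIN
2009-02-26T10:00:11 10.0.0.7 query pqowjfkd.example A NXDOMAIN
2009-02-26T10:00:12 10.0.0.7 query zmxncbvl.example A NXDOMAIN
2009-02-26T10:00:13 10.0.0.7 query qwiopasd.example A NXDOMAIN
2009-02-26T10:00:14 10.0.0.7 query hjklzxcv.example A NXDOMAIN
2009-02-26T10:00:15 10.0.0.7 query tyuioplk.example A NXDOMAIN
2009-02-26T10:00:16 10.0.0.7 query rendezvous-b.example A NOERROR
2009-02-26T10:00:20 10.0.0.9 query mial.corp.example A NXDOMAIN
2009-02-26T10:00:21 10.0.0.9 query mail.corp.example A NOERROR
"""

# Constructed stand-in for a coalition-published list of rendezvous domains.
BLOCKLIST = {"rendezvous-a.example", "rendezvous-b.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, client, qname, qtype, rcode) tuples.
    Lines that do not match the expected shape are skipped rather than
    aborting the scan, so one malformed line cannot hide the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype, rcode = m.groups()
            records.append((ts, client, qname.lower().rstrip("."), qtype, rcode))
    return records


def blocked_queries(records, blocklist=BLOCKLIST):
    """Queries for block-listed domains, whether or not the resolver answered
    them: the client that asked is the machine to look at."""
    return [(client, qname) for _, client, qname, _, _ in records
            if qname in blocklist]


def suspected_dga_clients(records, min_distinct_nx=5):
    """Clients that received NXDOMAIN for at least min_distinct_nx distinct
    names (assumed threshold). A host walking a generated domain list fails
    many lookups in a row; an ordinary typo produces one or two."""
    nx_names = defaultdict(set)
    for _, client, qname, _, rcode in records:
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname)
    return {c: len(names) for c, names in nx_names.items()
            if len(names) >= min_distinct_nx}


def scan(text):
    """Combine both checks and return the sorted list of clients to triage."""
    records = parse_log(text)
    flagged = {client for client, _ in blocked_queries(records)}
    flagged.update(suspected_dga_clients(records))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, qname in blocked_queries(recs):
        print(f"blocklist hit: {client} -> {qname}")
    for client, n in suspected_dga_clients(recs).items():
        print(f"possible DGA walk: {client} ({n} distinct NXDOMAIN names)")
    print("triage:", scan(SAMPLE_LOG))
```

The block-list check catches hosts the moment they query a known rendezvous domain, while the NXDOMAIN count catches hosts that are cycling through generated names the coalition has not yet registered or sinkholed; on a real network the threshold should be set from a baseline of normal failed-lookup rates, and a hit is a reason to pull the host for patching and cleanup rather than proof of infection on its own.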

"If those machines are already infected, it's more than likely that they're not up to date on their security patches and AV software, firewalls and so on, and so there's no real way to actively repair those," he said.
