A new Conficker/Downadup variant is on the loose, one with connections to the Storm botnet.
Conficker.E, as it has been named by several security companies, is infecting computers already compromised by previous versions of the worm. Unlike its predecessors, it drops a binary that connects to the malicious Waledac worm, giving Conficker.E self-propagation abilities. Previous versions, which exploited a remote procedure call vulnerability in the Windows Server service (MS08-067), spread only via peer-to-peer networks or downloads from a variety of URLs.
Waledac is capable of harvesting and forwarding passwords, and it spreads via email attachments with topical subject lines; previous iterations of Waledac used holiday-related subject lines and tried to lure users into opening the attachment with the promise of an e-card.
"Waledac is used mainly for spam," said Orla Cox, security operations manager with Symantec Security Response. "We believe Waledac is connected with Storm. Waledac uses many of the same techniques as Storm; this one is a new iteration."
Another new twist is that Conficker.E will delete itself on May 3. Cox said the worm is likely giving itself a few weeks to spread; by then this capability will be less relevant, and removing it will make the worm less obvious on an infected system.
Trend Micro advanced threat researcher Paul Ferguson said analysis of the variant has been difficult because some of the worm's binaries are encrypted. He confirmed the crossover between Conficker, Waledac and Storm.
"Some of us expected a new twist to appear at some point in time because it's got the same fingerprints as the Russian Ukrainian organized crime operations that are probably pulling the strings behind both Conficker and Waledac and may even have been involved in Storm previous to Waledac," Ferguson said. "Most of this stuff is extraordinarily professionally designed."
Cox said Conficker.E has not been as active as previous variants. Systems that are patched against the MS08-067 vulnerability are protected, and most antivirus vendors have updated their signatures in the past 24 hours as well.
"This one has not been as widespread. That may be why we're seeing these worming capabilities," Cox said. "It's getting harder to infect with this method."
Much was expected of Conficker.C on April 1, when it was to download orders from a large list of domains and URLs of command-and-control servers. Researchers, including the collaboration known as the Conficker Working Group, were able to block the malware's efforts, and the expected outbreak was a dud.