Conficker Awakes!

Internet Worm carrying damaging software appear to have woken up

by Michael Smith

It would seem, at least according the activities, that the Conficker worm is finally doing something. On April 10th it appeared to be updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, according to Trend Micro.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Trend Micro researchers have also noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disabled security software and blocks access to security Web sites. To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.

As this is an ongoing event, so to speak, I am sure that we shall be seeing a lot more happenings in the next few days and weeks before it is laid to rest, again, for a while.

It pays to be vigilant and therefore beware what you are doing online and what sites you visit. Also, don't go to any sites that someone tells that has a removal tool for this virus and download it unless that is you are sure you are on a reputable site, such as Symantec, Trend Micro, BitDefender, or such. Other sites should be regarded as suspect.

© M Smith (Veshengro), 2009
<>