Conficker continues to move
Well, the Conficker worm is still alive and well and out there on the move. Though some thought it was just an April Fool’s joke, the fact that it is still here, still coming up with new mutations, kind of dispels that theory.
Just last week, Symantec detected the latest variant of the Conficker worm, (.E), which is the update to the .C variant. This one tries to update the previous variant with new capabilities: rogue antivirus software and new spamming malware.
We’re not out of the woods yet.
In my opinion, just because this thing didn’t shoot off firecrackers and make a million computers explode on April 1st doesn’t mean it is something to simply ignore. Nor do I think it is all necessarily overblown media hype. Yes, if you have your definitions up to date, obviously that is in your favor. But for those that don’t, saying “Ahhh…big deal…there have always been viruses out there” misses the point: yeah, but not necessarily one of this type, magnitude and complexity. The simple fact that the total yahoo who created this is playing such a stinking game with the whole thing is what makes it all the more real. And the fact that (s)he knew how to play such a game so darn well.
The creator(s) changed up their malware several times, adding new infection vectors and new capabilities. Conficker also gets around through weak admin passwords: it attempts to guess them using a password guessing attack. It also spreads through USB devices.
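As an added example (not from the original post and not any vendor’s tool), here is a simple detection for the password-guessing spread described above: it scans constructed, simplified failed-logon records and flags any source host that hammers administrator accounts within a short window. The record format, the watched account names and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real captures): timestamp, Windows event id,
# target account, source workstation. 4625 is a failed logon.
SAMPLE_LOG = """\
2009-04-14T09:00:01 4625 Administrator WKS-17
2009-04-14T09:00:02 4625 Administrator WKS-17
2009-04-14T09:00:02 4625 admin WKS-17
2009-04-14T09:00:03 4625 Administrator WKS-17
2009-04-14T09:00:04 4625 Administrator WKS-17
2009-04-14T09:00:05 4625 Administrator WKS-17
2009-04-14T09:00:30 4625 jsmith LAPTOP-02
2009-04-14T09:15:00 4625 Administrator LAPTOP-02
"""

# Assumed account names to watch; adjust to the names used in your environment.
ADMIN_ACCOUNTS = {"administrator", "admin"}


def parse_line(line):
    """Split one record into (timestamp, event_id, account, source)."""
    ts, event_id, account, source = line.split()
    return datetime.fromisoformat(ts), event_id, account, source


def find_guessing_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source: total_admin_failures} for every source host that produced
    at least `threshold` failed admin logons inside one sliding `window`."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = parse_line(line)
        if event_id == "4625" and account.lower() in ADMIN_ACCOUNTS:
            by_source[source].append(ts)
    flagged = {}
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[source] = len(times)
                break
    return flagged
```

On the sample data only WKS-17 is flagged; LAPTOP-02’s single failed Administrator logon and the non-admin account stay below the threshold.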
The University of Utah believes this is how they were just infected. The Conficker worm infected around 800 computers at the University last week, causing them to block internet access while they contained the infection. They say they believe no data was stolen. “We think we caught it early,” said a spokesman for the university’s school of health sciences.
And while it keeps on spreading, it now seems like it’s reaching out for the money. You know, just like in Jerry Maguire….“Show me the money!!”
After about a week of not doing much at all when everyone was waiting with bated breath to see what it would do on April 1st, Conficker seemed to wake up. It began transmitting updates via P2P and sticking some mystery package onto PCs. Most researchers seem to think that the payload program it is putting on the machines is either a keystroke logger or spam generator (or both).
It now also tries to connect to one of five websites, chosen at random (MySpace.com, eBay.com, CNN.com, MSN.com, or AOL.com), to test that there is an internet connection. It then deletes all traces of itself on the host machine (how polite!), and has some kind of code written in to shut down some functionality on May 3rd.
Waledac
Now, if we thought it was just disappearing come May 3rd, it would be fine and dandy. Ummm…no. It also just so happens to reach out to a domain that is KNOWN to be infected by a worm you just may have heard of, called Waledac. There, it downloads an encrypted file. Researchers are trying to analyze both the code and the program that is being plunked onto infected machines by other infected machines to figure out what is in it. And what they are pretty darn certain of at this point is that Conficker and Waledac are coming from the same folks. Paul Ferguson, an advanced threats researcher for Trend Micro, says “I’m pretty certain the same people are behind both of them. Conficker has got their (Waledac creators’) fingerprints all over it.”
He believes that Eastern Europeans are behind the Waledac worm, first creating the Storm botnet to try out different business models and payloads, and that Waledac was a result of that. He further thinks that they are taking what they learned from that and putting it into practice with the Conficker virus.
“There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization’s best efforts to monetize their efforts on the Internet,” Ferguson said.
Vincent Weafer, VP of Symantec Security Response, confirmed that Conficker does indeed have a connection with Waledac, but would not speculate on who might be spreading the worms. He did say, however, that Conficker now downloading a Waledac file “reconfirms our belief that ultimately this is a large botnet designed to make money. It’s the first example of how these guys are trying to leverage this botnet for profit.”
Weafer says he thinks the May 3 shutdown code has to do with the first variant of the worm, Conficker.A. Symantec is calling the latest variant of the worm Downadup.E, since apparently Downadup is another name for Conficker. (Isn’t one name good enough?)
Staying safe
A piece of advice: be careful if you think you do have it, or when running searches for “Conficker.” With all the hype out there right now, there are plenty of people more than happy to cash in on it, and they will actually link you to a malware site of their own. They will have you run a virus scan, then have you download their software for a mere $49.95, which only installs malware on your system. Don’t. If you don’t have any virus removal programs on your computer, here are some really good free ones worth checking out.
If you aren’t even sure if your computer is infected, you can go to this site and check out the Conficker eye chart.
Well that is really a pain in the butt. I just want to add some little info as well. Instead of letting an online scan provide yourself with any antivirus that is really known to others. Also it has been given really good reviews by any researching sites. Try to download the product directly from its original site or any branch of the product.
on April 15, 2009 at 01:32 AM
But still don’t rely too much on programs; research also on how to prevent the problems from occurring. Research from the most professional anti-malware researchers, from their research that has been posted on their sites. Like this site as an example, and also these sites http://www.systemsecurityinstitute.org/ and also the most popular, http://windowsonecare.spaces.live.com/.
I agree that it is a pain! I shut down all computers and had all my clients shut theirs down as well. I feel like a fool but what else can we do? Even the best antivirus isn’t going to stop this little bugger.
on April 15, 2009 at 11:47 PM
Yes Conficker is a virus but if you have updated antivirus or purchase one then you can your computer and remove Conficker from your computer
on April 22, 2009 at 05:09 AM
Ohh so sad, when I think about that it starts pain.
It makes us upset and creates a stressful situation.
Beware of such type of virus CONFICKER.
TAKE CARE..
THANX…
on June 4, 2009 at 02:13 AM