The minds behind the infamous Conficker worm are making their move, roughly a week after many people expected. According to Trend Micro security researchers, computers already infected with Conficker are receiving a new payload via peer-to-peer communication.
"Basically the component it's downloading via peer-to-peer is just
a dropper-so it drops yet another component, which we are in the process of
finalizing analysis on now," Trend Micro Advanced Threats Researcher Paul
Ferguson said in a conversation with eWEEK. "It looks like it has some
rootkit capabilities, but beyond that right now I can't go into any additional
detail [because] I don't have complete information in front of me."
Interestingly, the component contains an "untrigger date"-May 3-when
it will stop running, and connects to the following sites: MySpace.com, MSN.com,
eBay.com, CNN.com and AOL.com.
"Some will randomly pick MySpace, some will randomly pick AOL,
and it's just to check to make sure it's got Internet connectivity and see what
the date and the time is to verify that ... so you can't just set your PC to
May 4 and be protected before it drops the second component," Ferguson explained.
There is some evidence that the latest Conficker update is tied to the
Waledac malware family. The
minds behind Waledac have built a sizable botnet that has been linked to a
number of spam campaigns since late 2008.
"This new Downad/Conficker variant is talking to servers which are
known already for being associated with the Waledac family of malware, in order
to download further malicious components," blogged
Rik Ferguson, solutions architect at Trend Micro. "These components
have so far been missing, but could this finally be the 'other boot dropping'
that we have all been waiting for?"
Researchers at Trend Micro first noticed the component the night of
April 7 when they identified a new file in a Windows Temp folder they were
monitoring. They also detected a huge encrypted TCP
response from a known Conficker P2P IP node hosted in Korea.
The new component does not constitute a new threat to users who are not
already infected with the worm. On April 1, computers infected with the variant
known as Conficker.C began contacting a subset of 500 domains of a list 50,000
Conficker generates daily. Though many were expecting a major update to be
delivered that day, many security pros cautioned otherwise.
"There are just so many eyeballs on this right now, they're trying to
blend in with the noise," Paul Ferguson said. "Even with the
component ... there was no real, significant increase in the amount of
peer-to-peer traffic. The movement to get these new components on infected
nodes is going to be very slow and staggered and low-key."