Conficker Worm Makes Its Move, Trend Micro Reports | eWeek

Conficker Worm Makes Its Move, Trend Micro Reports

Écrit par
Brian Prince
Brian Prince
Apr 8, 2009
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Roughly a week after Conficker’s much-anticipated April 1 “big day,” Trend Micro is reporting the presence of a new payload spreading via peer-to-peer between infected computers.

Trend Micro is detecting the payload as WORM DOWNAD.E.

“Basically the component it’s downloading via peer-to-peer is just a dropper-so it drops yet another component, which we are in the process of finalizing analysis on now,” Trend Micro Advanced Threats Researcher Paul Ferguson said in a conversation with eWEEK. “It looks like it has some rootkit capabilities, but beyond that right now I can’t go into any additional detail [because] I don’t have complete information in front of me.”

Interestingly, the component contains an “untrigger date”-May 3-when it will stop running, and connects to the following sites: MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com.

“Some will randomly pick MySpace, some will randomly pick AOL, and it’s just to check to make sure it’s got Internet connectivity and see what the date and the time is to verify that … so you can’t just set your PC to May 4 and be protected before it drops the second component,” Ferguson explained.

There is some evidence that the latest Conficker update is tied to the Waledac malware family. The minds behind Waledac have built a sizable botnet that has been linked to a number of spam campaigns since late 2008.

“This new Downad/Conficker variant is talking to servers which are known already for being associated with the Waledac family of malware, in order to download further malicious components,” blogged Rik Ferguson, solutions architect at Trend Micro. “These components have so far been missing, but could this finally be the ‘other boot dropping’ that we have all been waiting for?”

Researchers at Trend Micro first noticed the component the night of April 7 when they identified a new file in a Windows Temp folder they were monitoring. They also detected a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

Click here to read about five free tools that help fight Conficker.

The new component does not constitute a new threat to users who are not already infected with the worm. On April 1, computers infected with the variant known as Conficker.C began contacting a subset of 500 domains of a list 50,000 Conficker generates daily. Though many were expecting a major update to be delivered that day, many security pros cautioned otherwise.

“There are just so many eyeballs on this right now, they’re trying to blend in with the noise,” Paul Ferguson said. “Even with the component … there was no real, significant increase in the amount of peer-to-peer traffic. The movement to get these new components on infected nodes is going to be very slow and staggered and low-key.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.