Conficker, the Internet's No. 1 threat, gets an update

Security researchers say a worm that has infected millions of computers worldwide has been reprogrammed to strengthen its defenses while also trying to attack more machines.
Conficker, which takes advantage of a vulnerability in Microsoft's software, has infected at least 3 million PCs and possibly as many as 12 million, making it into a huge botnet and one of the most severe computer security problems in recent years.

Botnets can be used to send spam and attack other Web sites, but they need to be able to receive new instructions. Conficker can do this two ways: it can either try to visit a Web site and pick up instructions or it can receive a file over its custom-built encrypted P-to-P (Peer-to-Peer) network.

Over the last day or so, researchers with Websense and Trend Micro said some PCs infected with Conficker received a binary file over P-to-P. Conficker's controllers have been hampered by the security community's efforts to block the worm from fetching directions via a Web site, so they are now using the P-to-P function, said Rik Ferguson, senior security advisor for the vendor Trend Micro.

The new binary tells Conficker to start scanning for other computers that haven't patched the Microsoft vulnerability, Ferguson said. A previous update turned that capability off, which hinted that Conficker's controllers may have thought the botnet had grown too large.

But now, "it certainly indicates they [Conficker's authors] are seeking to control more machines," Ferguson said.

The new update also tells Conficker to contact MySpace.com, MSN.com, Ebay.com, CNN.com and AOL.com apparently to confirm that the infected machine is connected to the Internet, Ferguson said. It also blocks infected PCs from visiting some Web sites. Previous Conficker versions wouldn't let people browse to the Web sites of security companies.

In another twist, the binary appears to be programmed to stop running on May 3, which will shut off the new functions, he said.

It's not the first time Conficker has been coded with time-based instructions. Computer security experts were bracing for catastrophe on April 1, when Conficker was scheduled to try to visit 500 of some 50,000 random Web sites generated by an internal algorithm in order to get new instructions, but the day passed without incident.
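The domain-generation behaviour described above (tens of thousands of candidate names a day, a few hundred actually queried) is what lets a defender spot an infected host from resolver logs alone: most of those names do not exist, so the client produces a burst of NXDOMAIN answers for unusual, high-entropy names. The following is an added example written for this post, not code from the article or from any of the vendors named in it. The log format, the sample records and the thresholds are constructed assumptions for illustration.

```python
"""Heuristic detector for DGA-style lookups in DNS resolver logs.

Added example for this post (not from the article or any vendor's tooling).
A client that returns many NXDOMAIN answers for random-looking
second-level labels is flagged; a normal client rarely does both.
"""
import math
from collections import defaultdict

# Constructed sample resolver log in an assumed "<client> <qname> <rcode>" format.
# 10.0.0.7 mimics a host cycling through generated names; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 www.cnn.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.7 qxzvmprt.org NXDOMAIN
10.0.0.7 kdjfpoiw.net NXDOMAIN
10.0.0.7 zpqwmxna.biz NXDOMAIN
10.0.0.7 wmxqtrpl.info NXDOMAIN
10.0.0.7 bvnqzkrw.com NXDOMAIN
10.0.0.7 rtxkqmwp.org NXDOMAIN
10.0.0.7 www.msn.com NOERROR
10.0.0.9 intranet.example.org NXDOMAIN
10.0.0.9 www.aol.com NOERROR
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of the label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the label a DGA randomises, e.g. 'qxzvmprt' from 'qxzvmprt.org'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        yield fields[0], fields[1], fields[2].upper()


def score_clients(text: str, min_nxdomain: int = 5, min_ratio: float = 0.6,
                  min_entropy: float = 2.5) -> dict:
    """Per-client NXDOMAIN count, NXDOMAIN ratio, mean label entropy and a flag.

    Thresholds are assumptions; tune them against your own resolver baseline.
    """
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "entropy_sum": 0.0})
    for client, qname, rcode in parse_log(text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            # Entropy is only measured on names that failed to resolve, so
            # legitimate high-entropy CDN hostnames that do resolve are ignored.
            s["entropy_sum"] += shannon_entropy(second_level_label(qname))
    result = {}
    for client, s in stats.items():
        nx = s["nxdomain"]
        ratio = nx / s["total"]
        mean_entropy = s["entropy_sum"] / nx if nx else 0.0
        result[client] = {
            "total": s["total"],
            "nxdomain": nx,
            "nx_ratio": ratio,
            "mean_entropy": mean_entropy,
            "flagged": (nx >= min_nxdomain and ratio >= min_ratio
                        and mean_entropy >= min_entropy),
        }
    return result


def flagged_clients(text: str, **thresholds) -> list:
    """Sorted list of clients whose lookup pattern matches the DGA heuristic."""
    return sorted(c for c, s in score_clients(text, **thresholds).items()
                  if s["flagged"])


if __name__ == "__main__":
    for client, s in sorted(score_clients(SAMPLE_LOG).items()):
        print(f"{client}: {s['nxdomain']}/{s['total']} NXDOMAIN, "
              f"entropy {s['mean_entropy']:.2f}, flagged={s['flagged']}")
```

The NXDOMAIN volume is the stronger of the two signals; entropy on its own misfires on content-delivery hostnames, which is why it is only computed for names that failed to resolve. A single mistyped internal name, as with 10.0.0.9 above, stays below the count threshold. This heuristic needs no knowledge of the worm's actual algorithm, which is what made it useful while the generation scheme was still being reverse engineered.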

Also worrying is that the new update tells Conficker to contact a domain that is known to be affiliated with another botnet called Waledac, Ferguson said. The Waledac botnet grew in a fashion that was similar to the Storm worm, another large botnet that has now faded but was used to send spam. It means that perhaps the same group could be linked to all three botnets, Ferguson said.

Even though Conficker doesn't appear to have been used yet for malicious purposes, it still remains a threat, said Carl Leonard, a threat research manager for Websense in Europe. The P-to-P functionality indicates a level of sophistication, he said.

"It is evident they've put a lot of effort into gathering this suite of machines," Leonard said. "They want to protect their environment and launch these updates in a way they can best capitalize on them."

Not all computers infected with Conficker will necessarily get updated quickly. To use the P-to-P update functionality, a Conficker-infected PC must search for other infected PCs, a process that isn't immediate, Ferguson said.

Given that security experts differ vastly over how many computers may be infected with Conficker, it's difficult to say what percentage have the new update.

Trend Micro and Websense both cautioned that their findings are preliminary, as the binary update is still being analyzed. Another security vendor, Bach Khoa Internetwork Security (BKIS) of Hanoi, Vietnam, disputed the findings, saying that Trend has mistakenly analyzed a file that is related to the Waledac botnet and isn't a Conficker update. BKIS blogged about its opinion.

"We affirm that there hasn't been any P-to-P update of Conficker yet," said Nguyen Minh Duc, manager of the application security department.

Although Microsoft issued an emergency software patch last October, Conficker has continued to take advantage of those PCs which haven't been patched. In fact, some variants of Conficker will actually patch the vulnerability after the machine is infected so no other malware can take advantage of it.

PLEASE GO TO NETWORK WORLD TO READ THE WHOLE ARTICLE
