
Conficker wakes up, drops payload

By Andrew Nusca

The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

CNET’s Elinor Mills reports that researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

Just yesterday, Zero Day blogger Dancho Danchev noted that a Conficker copycat was already making its rounds.

According to a post on the TrendLabs Malware blog, the awakened worm tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity. It then deletes all traces of itself in the host machine, and is scheduled to shut down on May 3.

Mills reports:

Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.

The development was found when Trend Micro researchers noticed a new file in the Windows Temp folder and a large encrypted TCP response from a known Conficker P2P IP node hosted in Korea:

Two things can be summed up from the events that transpired:

1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications are now running in full swing!
2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

As for the second point, researchers said the worm tries to access a known Waledac domain and download another encrypted file, but they’re still trying to examine the connection.
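The two observable behaviours reported above, the connectivity test against five well-known sites and the large encrypted TCP response arriving from a known P2P node, both lend themselves to simple network-side detection heuristics. The following Python is an added example and is not code from the article, from Trend Micro or from CNET; the DNS log lines, the flow records and the peer address 203.0.113.77 are constructed sample data, and the thresholds (a 10-second window, a 64 KiB size floor, 7.5 bits of entropy per byte) are assumptions chosen for illustration.

```python
"""Added example: two detection heuristics for the behaviours described in the
article, run over constructed sample logs. Not code from the article or from
Trend Micro; peer addresses and thresholds are assumptions."""
import hashlib
import math
from collections import defaultdict

# The five sites the article says the updated worm contacts to test connectivity.
CONNECTIVITY_CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Hypothetical list of known P2P peer addresses (the article only says "a known
# Conficker P2P IP node hosted in Korea"); 203.0.113.77 is a TEST-NET placeholder.
KNOWN_P2P_PEERS = {"203.0.113.77"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data,
    markedly lower for plain text or protocol chatter."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _base_domain(name: str) -> str:
    """Reduce 'www.cnn.com.' to 'cnn.com' (assumption: the check may use www hosts)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_connectivity_check_bursts(dns_log, window_seconds=10.0):
    """dns_log: iterable of (timestamp, client_ip, queried_name).
    Returns the set of clients that queried all five check domains within
    window_seconds of each other, which is the burst pattern the article describes."""
    by_client = defaultdict(list)
    for ts, client, name in dns_log:
        base = _base_domain(name)
        if base in CONNECTIVITY_CHECK_DOMAINS:
            by_client[client].append((ts, base))
    flagged = set()
    for client, events in by_client.items():
        events.sort()
        for i, (ts_start, _) in enumerate(events):
            # Sliding window anchored at each query; stop at the first full match.
            seen = {base for ts, base in events[i:] if ts - ts_start <= window_seconds}
            if seen == CONNECTIVITY_CHECK_DOMAINS:
                flagged.add(client)
                break
    return flagged


def find_suspicious_p2p_responses(flows, min_bytes=64 * 1024, min_entropy=7.5):
    """flows: iterable of (src_ip, dst_ip, payload) for inbound TCP responses.
    Flags a response that comes from a listed peer, is large, and is near-random,
    i.e. looks like the 'large encrypted TCP response' the researchers saw."""
    hits = []
    for src, dst, payload in flows:
        if src not in KNOWN_P2P_PEERS or len(payload) < min_bytes:
            continue
        ent = shannon_entropy(payload)
        if ent >= min_entropy:
            hits.append((src, dst, len(payload), round(ent, 2)))
    return hits


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for an encrypted blob (SHA-256 counter chain)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed DNS log: 10.0.0.5 shows the burst, 10.0.0.9 hits only two sites,
# 10.0.0.12 visits all five but spread over an hour (normal browsing).
SAMPLE_DNS_LOG = [
    (1000.0, "10.0.0.5", "www.myspace.com"),
    (1000.4, "10.0.0.5", "www.msn.com"),
    (1000.9, "10.0.0.5", "www.ebay.com"),
    (1001.2, "10.0.0.5", "www.cnn.com"),
    (1001.7, "10.0.0.5", "www.aol.com"),
    (1000.1, "10.0.0.9", "www.cnn.com"),
    (1500.0, "10.0.0.9", "www.msn.com"),
    (1600.0, "10.0.0.9", "example.org"),
] + [(100.0 + 900 * i, "10.0.0.12", d) for i, d in enumerate(sorted(CONNECTIVITY_CHECK_DOMAINS))]

# Constructed inbound flows: only the first one matches all three conditions.
SAMPLE_FLOWS = [
    ("203.0.113.77", "10.0.0.5", _pseudo_random_bytes(100_000)),   # listed peer, large, random
    ("203.0.113.77", "10.0.0.9", b"HELO\r\n"),                      # listed peer, but tiny
    ("198.51.100.20", "10.0.0.5", _pseudo_random_bytes(100_000)),  # random, but not a listed peer
    ("203.0.113.77", "10.0.0.6", b"GET / HTTP/1.1\r\n" * 5000),     # large, but low entropy
]

if __name__ == "__main__":
    print("connectivity-check bursts:", sorted(find_connectivity_check_bursts(SAMPLE_DNS_LOG)))
    print("suspicious P2P responses:", find_suspicious_p2p_responses(SAMPLE_FLOWS))
```

Neither heuristic is a detection on its own: all five sites are among the most visited on the Web, so the DNS burst will fire on some legitimate traffic and is best used to prioritise hosts for a second look (the new file in the Temp folder, a .sys component the host cannot account for), and the entropy rule depends entirely on how good the peer list is, since a large high-entropy download from an unlisted address is indistinguishable from an ordinary TLS session. The window and size thresholds should be tuned against a baseline of the network's own traffic.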

More Conficker news on ZDNet:

* Dancho Danchev: Fake “Conficker Infection Alert” spam campaign circulating (new!)
* Dancho Danchev: Conficker worm’s copycat Neeris spreading over IM
* Adrian Kingsley-Hughes: Friday Rant - Conficker worm hype
* Ryan Naraine: Eyeballing Conficker with eye-charts and maps
* Tom Espiner: Conficker an April Fool’s joke? Maybe not

Andrew J. Nusca is an assistant editor for ZDNet.com.

