April 8, 2009 3:27 PM PDT

Conficker wakes up, updates via P2P, drops payload

by Elinor Mills

This story has been updated. See below for details.

The Conficker worm is finally doing something: updating itself via peer-to-peer connections between infected computers and dropping a mystery payload onto them, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Last night, Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites. To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.
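The Eye Chart check mentioned above relies on the blocking behaviour just described: if ordinary sites load but security vendor sites do not, the pattern is consistent with an infection. The following is an added example (not code from the article, Trend Micro, or the Eye Chart itself) that reproduces that comparison in Python; the site URLs are assumed placeholders you would replace with real vendor and control addresses.

```python
"""Eye-chart style reachability check: compare security vendor sites against
ordinary control sites and classify the pattern. Added example, not code from
CNET, Trend Micro, or the Conficker Eye Chart."""
import urllib.error
import urllib.request

# Assumed placeholder URLs (not real hosts). Replace with security vendor
# sites and with control sites the worm is reported not to block.
SECURITY_SITES = [
    "https://security-vendor-a.example/",
    "https://security-vendor-b.example/",
    "https://security-vendor-c.example/",
]
CONTROL_SITES = [
    "https://control-site-a.example/",
    "https://control-site-b.example/",
]


def http_reachable(url, timeout=5.0):
    """Return True if the host answers at all (any HTTP status counts).
    Only connectivity matters here, not the content returned."""
    try:
        urllib.request.urlopen(url, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True  # the server answered, so the path is not blocked
    except (urllib.error.URLError, OSError, ValueError):
        return False  # DNS failure, refused connection, timeout, bad URL


def diagnose(results):
    """Classify a mapping {url: reachable} covering both site groups.
    Returns 'no-connectivity', 'security-sites-blocked', 'clean' or
    'inconclusive'."""
    sec = [results.get(u, False) for u in SECURITY_SITES]
    ctl = [results.get(u, False) for u in CONTROL_SITES]
    if not any(ctl):
        return "no-connectivity"  # offline entirely; the check cannot tell
    if all(ctl) and not any(sec):
        return "security-sites-blocked"  # matches Conficker's filtering
    if all(ctl) and all(sec):
        return "clean"
    return "inconclusive"  # partial failures: retry, or check a web filter


def run_check(fetch=http_reachable):
    """Probe every site with `fetch`; injectable so tests can run offline."""
    results = {u: fetch(u) for u in SECURITY_SITES + CONTROL_SITES}
    return diagnose(results)


if __name__ == "__main__":
    print(run_check())
```

A corporate web filter that blocks vendor sites produces the same pattern, so treat a "security-sites-blocked" result as a prompt to run a scanner, not as proof of infection.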

For more information, listen to Larry Magid's audio interview with Perry.

Updated 7:50 p.m. PDT: Added that the software that's dropped onto computers is hiding behind a rootkit.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Comments (showing page 1 of 2, 57 comments)
by Michichael April 8, 2009 3:46 PM PDT
So lemme guess this was an attempt to map the internet!
by Mac OS XP April 8, 2009 3:47 PM PDT
It makes me feel safe running Windows.
by rhsc April 8, 2009 4:19 PM PDT
Well, if you want to purposefully never update your system with security fixes, you deserve any **** you get as a result. This bug was patched last year, before Conficker was even on the net, so it's pretty inexcusable to actually have it.
by Dalkorian April 9, 2009 12:36 PM PDT
For home slaves, rhsc is right in that there is no excuse. But enterprise users have been forgotten in that comment, as they can be fired for patching without testing - especially if the patch disrupts the production environment (not an unheard of scenario)!
by Vegaman_Dan April 9, 2009 12:48 PM PDT
Dalkorian wrote:

" But enterprise users have been forgotten in that comment, as they can be fired for patching without testing - especially if the patch disrupts the production environment (not an unheard of scenario)!"

A company that waits six months before rolling out a critical security patch also would be looking for an IT director to fire for incompetence. Six months is more than enough time to patch. If you haven't done so by then, then it is highly unlikely it would ever be patched and that person needs to be relieved of their position.
by merlefisher April 9, 2009 1:36 PM PDT
In times like these, I'm thankful for my mac
by ScottMo April 10, 2009 11:22 AM PDT
And all the other times you're not thankful?
by make_or_break April 11, 2009 6:29 AM PDT
"And all the other times you're not thankful?"

LOL.
by SwissJay April 8, 2009 3:55 PM PDT
This is all just a crock, a scheme to sell antivirus software. And by throwing P2P in there, it's meant to scare a few file-swapping peeps out there that don't know any better. Pfff!
by timber2005 April 8, 2009 8:20 PM PDT
Funny, I haven't seen advertisements shouting "hey, we can protect you(r stupid self from not updating your system over 6 months ago) from Conficker". All I've seen are warnings. Like "hey, a hurricane is coming, you could be in the path... make preparations."
by baharizan April 9, 2009 3:11 AM PDT
Are you sure it's true?... antivirus vendor + virus programmer + ???? = always having lunch together... peace.
by Veritas_Photo April 9, 2009 10:11 AM PDT
Well, I guess I'm one of those "peeps" who doesn't know any better. Please enlighten me. You see, a little less sarcasm and a bit more explanatory content might just be useful in your comments here.
by f0r0ne April 8, 2009 4:06 PM PDT
These guys impress. As Bob Dylan sang it,

"...something is happening here
But you don't know what it is
Do you, Mister Jones?"
by tehrani625 April 8, 2009 4:11 PM PDT
Can't they just crash the internet already so that I don't have to keep holding my breath? It would be nice if they at least did an attack on the iTunes store.
by chrisszy08 April 8, 2009 4:34 PM PDT
A Windows-based worm being used to bring down an Apple-based product. There's something funny about that.
by SergeM256 April 8, 2009 5:20 PM PDT
They don't want to crash the Internet, they want to steal your bank account numbers and steal your money.
by Steve_KTG April 13, 2009 10:02 PM PDT
SergeM256 nailed it. The internet is their getaway vehicle; they need it to get to and from the bank, aka your* bank. It's probably safe to assume the typical consumer expects their updates to deal with this sort of stuff for them, nor do they have any incentive to "make sure" they got the latest patch from MSFT. For those out there who want to know more about how worms like this, and this one in particular, function, I recommend this site: http://www.justaskgemalto.com/en/news/cyber-security-community-joins-forces-defeat-conficker-worm, since it's easy to comprehend for non-IT specialists.
by n3td3v April 8, 2009 4:54 PM PDT
Trend Micro phishing for new customers again.
by iceman721 April 8, 2009 5:53 PM PDT
Peer 2 peer of course is a way hackers will and have used to spread viruses. Just like they have also used porn sites and social networking. The only way you can be reasonably safe is to run a quality anti-virus security suite that updates its virus definitions on the regular and make sure automatic updates of Windows are enabled. I have scanned my system for Conficker and guess what? Nothing. Thanks to Microsoft Automatic Updates & Eset Security Suite. Too many people that use computers daily are still too naive about good security protocol on the internet.
by monkeyfun14 April 8, 2009 9:22 PM PDT
Talk to most users about anti-virus and they will give you a blank expression and be thinking "nerd" in the back of their minds.
by tm_anon April 9, 2009 12:45 AM PDT
Talk to 90% of users, they'll think antivirus costs too much or that the expired trialware antivirus they have still works. Talk to 9.9 of the remaining percentage of Windows users and they'll think you're a nerd or that they're too smart to get a virus.

Of course, there's always the .1% left who know about updated antivirus software that doesn't cost money. That's the same group of people who update dutifully with every patch, right?

Unfortunately, wrong. There are two types of Windows users who update every single time; those who are too dumb to know how to turn auto-updates off and those who realize that updates are a good thing and are really just a single item among many that is necessary in order to have a healthy OS. Unfortunate that so many IT professionals don't fall into either category. It's a field in which there's a lot of dead weight.
by No invasion of privacy April 9, 2009 1:08 AM PDT
Quote: " The only way you can be reasonably safe is to run a quality anti-virus security suite that updates it's virus definitions on the regular and make sure automatic updates of Windows are enabled."

"Too many people that use computers daily are still too naive about good security protocol on the internet."

Sorry, but so are you as you are running Windows. The problem is not people having anti-virus software or not. It is not whether they are safe surfers or not. The problem is that Windows is utterly trivial to root once the malware is onto the system. The only way to be truly "safe" is not to use Windows, full stop. It is the worst OS out there in terms of design for security by a long, long, long chalk. There is no other OS that is such a brain-dead, truly idiotic design as Windows. It is impossible for MS to secure it properly because their underlying design ethos was and still is fundamentally flawed. The overhaul of their system design that they should have done for Vista never happened and it is never going to happen. MS continue to put sticking plasters and bandages where they need to do full blown amputations and as a result they are always going to lose - patch up one or two holes, but the other thousands are still there to be exploited and more are always discovered each day than are or can be fixed. You will never be safe if you continue to use Windows on the internet. Never.

Given the quality of the alternatives and the fact that they are all inherently secure *by design* there is simply no excuse to continue using Windows.
by Noneyabeeswax April 9, 2009 10:11 AM PDT
"Unfortunately, wrong. There are two types of Windows users who update every single time; those who are too dumb to know how to turn auto-updates off and those who realize that updates are a good thing and are really just a single item among many that is necessary in order to have a healthy OS."

Uh Uh.. I'm fixin' ta rain all over your parade there. I update religiously, everything. But I don't want automatic updates on Windows. I want to look at the updates first to see what they do. Lots of people had problems with AMD machines and the service pack updates because of automatic updates. I have NEVER run automatic updates. And I probably never will. I have a brain. I'm not too lazy to take a few minutes to check out an updates page.

If you don't have enough sense to check the Windows updates site, then I feel for you. I also read the security bulletins and the release notes. So be careful with your generalizations.
by CheriSigmon April 8, 2009 10:48 PM PDT
Iceman721 has provided a succinct, simple summary to which you should pay close attention. This advice applies to *all* users of computers connecting to the Internet.

Just because you may not be using a Windows computer (hit by this particular worm) does NOT mean that you cannot help to spread malware. Please think about that fact carefully, Mac and other OS users. Downadup/conficker is just one of many threats.

Also, consider that the vast majority of PC's infected initially worldwide were those PC's using PIRATED software which cannot be patched from Microsoft because of piracy!

Reflecting on Conficker's creators, whoever they may be: they are NOT amateurs.
This isn't a hoax, a media scheme, or a pitch to make money by reputable security software vendors. To allege that (see snide comment above) is insulting to security professionals and the companies who help to protect you and the infrastructure that some people may take for granted.

I think that Conficker's creators are very patient, in this attack for the "long haul," and are likely profit-motivated. Their design appears to be long-term ownage, not just short-term. Expect more evolution from this one, IMHO. Pros are watching them.

@CheriSigmon
http://www.twitter.com/SecurityQ
by Dalkorian April 9, 2009 12:44 PM PDT
Consider how much effort you want to expend to protect the person who keeps running onto the freeway in front of speeding traffic. It's not the world's job to protect the poor idiotic winblows users from themselves. If you run winblows, *AND* you don't update, *AND* you refuse to run AV software - you deserve to get hosed and I have zero pity for you. Period. I can't babysit the entire world just because they don't want to learn how vulnerable they really are with their bad decisions.
by boozie515 April 9, 2009 12:21 AM PDT
CheriSigmon is right on the money with her comments. They are astute and accurate, IMHO, and well said. Good quality AV is a must, as well as keeping your computer updated with MS updates. Also, I would advise that everyone check to see if there are updates for all the other software on your computer. Many software programs have "holes", i.e., coding errors, that are later patched. This worm is probably still evolving? Who knows? Better safe than sorry.
by ggand4 April 9, 2009 4:26 AM PDT
So if one's PC is infected, how does one remove this worm? What programs or software can remove this worm? Any suggestions?
by ralfthedog April 9, 2009 10:08 AM PDT
1. If you must, copy any data you must have to a backup drive (If you can avoid this step, please do).

2. Get a hardware firewall.

3. Run GWSCAN and write 0's to all hard drives on your computer.

4. Reinstall Windows.

5. Run patches.

6. Install the best AV software you can get (Kaspersky recommended for Windows users).

7. If you backed up data off of your computer and you know all patches are in place and your new AV software is in place and updated, you can try to restore your backup data.
by rucknrun April 9, 2009 5:18 AM PDT
It is the problems you face when you are successful. Why would someone write a worm to infect 4% of the computer market? Don't worry, if Apple and Linux catch on like Windows they will have the same problems.
by uncle4edgar April 9, 2009 6:06 AM PDT
i dunno?
by amadensor April 9, 2009 7:33 AM PDT
Perhaps it is only 4% of the desktop, but look at public facing web servers, and you will see that other systems are a VERY large target, larger than MS, actually. It is not just about target size, but also about ease of exploitation.
by rapier1 April 9, 2009 8:05 AM PDT
@Amadensor,

This is very true and it's why Linux/Unix systems are frequently targeted and why breaches are not uncommon.
by No invasion of privacy April 9, 2009 10:10 AM PDT
Um, no, no they won't. This is the MS fallacy - that everything else out there is as badly designed and buggy as Windows and it is just because of market share that Windows is hit so much. However, this is total BS. The poor design of Windows is the reason why it is so badly hit, not because of its market share. If Windows only had 30% of the market and Linux/Unix/Mac OS had the majority, it would still be Windows that suffered the most viruses, worms and other forms of malware because it would still be the softest target by such a wide margin that it wouldn't be as worthwhile expending resources going after the much tougher targets of the other OSes. Btw, it isn't because they are perfect and impossible to target or exploit, it is because they are that much *harder* to exploit purely because they were designed properly for security of the system from the get go. Windows never has been and every security measure they put in place is an attempt at patching a sieve so they can sell it to fools as a boat.
by uncle4edgar April 9, 2009 6:00 AM PDT
That's right specially in accessing youtube yahoo has many problems concerning security.
Many hackers are committing identity thefts.
by kursawe21 April 9, 2009 6:44 AM PDT
With all the minds involved how can we be so clueless with this stuff?

Sean R Kursawe
by rexscar April 9, 2009 7:01 AM PDT
Hey, I found this on a Conficker predictions page a month ago:
(http://blog.wired.com/27bstroke6/2009/03/will-conficker.html)

Send out an instruction payload over the Botnet containing the following programs: 1) Vulnerability scanning utility to identify security vulnerabilities on the PC 2) Software distributed binaries (peer to peer) containing patches 3) patching utilities to apply security related patches and OS updates to the PC 4) Utilities to restore the system, E.g. scripts to remove the utilities, remove the bot net installed control services, and attempt to remove any deep residual Botnet installed controllers/patches (in BIOS or EPROM, device firmware...)
RWL

could this RWL be the creator?
by XBOXWiis April 9, 2009 10:46 PM PDT
http://countermeasures.trendmicro.eu/new-downadconficker-variant-spreading-over-p2p/

TrendLabs researcher Ivan Macalintal has this evening discovered a new variant of Downad/Conficker called WORM_DOWNAD.E spreading over the peer-to-peer functionality of the previous version of this now infamous worm.

Stay OFF FACEBOOK peeps! Stay AWAY from MySpace. We live in South Carolina, and when the National Weather Service tells us a Hurricane is heading our way and to get the 'ell outta Dodge, WE DO. Listen to the warnings, save your Data, but more importantly, save your identities!!

GodSpeed
by Careakith April 9, 2009 7:52 AM PDT
This virus was way more interesting the first time I saw the name and thought it was called CornFlicker
by BtmnHatesRbn April 9, 2009 9:08 AM PDT
Oh please.
by The_happy_switcher April 9, 2009 10:00 AM PDT
Windows: The antivirus seller's perpetual employment act.
by Vegaman_Dan April 9, 2009 12:51 PM PDT
Hello AppleRocks1963. I'm glad to see you are insightful and polite as ever. Please never change- to have you act in a civilized and professional manner might be too much for anyone to take at once. :)
by pegasus4161 April 10, 2009 11:37 AM PDT
Microsoft Windows ... a virus with mouse support
by The_happy_switcher April 9, 2009 10:02 AM PDT
Windows: The antivirus software writer's perpetual employment act.
by Vegaman_Dan April 9, 2009 12:53 PM PDT
Thank you for your comments. Now please respect the comments of others as well.
by Veritas_Photo April 9, 2009 10:17 AM PDT
Thanks for thoughtfully supplying links to test our PCs for Conficker infection. But (as of 13:10 EDT on Thurs.09.Apr.2009) the link to the "Eyechart" page is repeatedly dysfunctional; it is so swamped with hits, apparently, it won't even load. On the opposite end of the spectrum, the University of Bonn page instantly, and I mean no pause whatsoever, shows I'm not infected. Like the old joke, you don't want to hear your brain surgeon say, "Gee, that was fast"! Too fast to be believed.
by homey4u April 9, 2009 11:07 AM PDT
They should put these cockroaches who run nasty programs like this on the Internet on a plane, then toss them over the sea to feed the sharks! Them low life skanks!