April 9, 2009 11:43 AM PDT

Researchers say Conficker is all about the money

by Elinor Mills

The Conficker worm that has infected millions of Windows-based computers will likely be used to send spam and steal data much like one of the nastiest botnets on the Internet does, researchers said on Thursday after finding links between the two worms.

A week after failing to do anything but snore, the much hyped Conficker worm was roused from its slumber on Wednesday, with infected computers transmitting updates via peer-to-peer and dropping a mystery payload onto PCs. Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both.

Conficker now also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com, and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself from the host machine, and is set to shut down some functionality on May 3.
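The connectivity test described above leaves a footprint a defender can look for: an internal host that resolves all five of those general-purpose domains within a few seconds, with no user browsing session behind it. The script below is an added example, not code from the article or from any vendor named in it. It reads a constructed DNS log (timestamp, client address, queried name) and flags clients that queried every one of the five domains inside a sliding time window; the 60-second default is my assumption, and a hit is only a prompt to look at the host, not a verdict on its own.

```python
"""Heuristic detector for Conficker-style connectivity checks in DNS logs.

Added example, not code from the CNET article. The article states that
infected hosts test connectivity against MySpace.com, MSN.com, eBay.com,
CNN.com and AOL.com; this flags any client that looks up all five within a
short window. The log format and the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Constructed sample log: "<ISO timestamp> <client IP> <queried name>".
# 10.0.0.5 hits all five domains in three seconds (the pattern we want);
# 10.0.0.7 visits the same sites spread over 40 minutes (ordinary browsing);
# 10.0.0.9 only looks up one of them.
SAMPLE_LOG = """\
2009-04-09T11:43:01 10.0.0.5 www.myspace.com
2009-04-09T11:43:01 10.0.0.5 www.msn.com
2009-04-09T11:43:02 10.0.0.5 www.ebay.com
2009-04-09T11:43:02 10.0.0.5 www.cnn.com
2009-04-09T11:43:03 10.0.0.5 www.aol.com
2009-04-09T11:45:10 10.0.0.7 www.cnn.com
2009-04-09T11:52:30 10.0.0.7 www.msn.com
2009-04-09T12:01:00 10.0.0.7 www.ebay.com
2009-04-09T12:20:15 10.0.0.7 www.aol.com
2009-04-09T12:25:00 10.0.0.7 www.myspace.com
2009-04-09T12:30:00 10.0.0.9 www.cnn.com
"""


def registered_domain(name):
    """Reduce 'www.cnn.com' to 'cnn.com' (last two labels; adequate here)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, domain) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], registered_domain(parts[2])


def find_connectivity_checks(text, window_seconds=60):
    """Return {client: first_timestamp} for every client that queried all of
    CHECK_DOMAINS within window_seconds (sliding window per client)."""
    window = timedelta(seconds=window_seconds)  # assumption: example window
    events = defaultdict(list)
    for ts, client, dom in parse_log(text):
        if dom in CHECK_DOMAINS:
            events[client].append((ts, dom))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits the limit.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seen = {dom for _, dom in evs[start:end + 1]}
            if seen == CHECK_DOMAINS:
                hits[client] = evs[start][0]
                break
    return hits


if __name__ == "__main__":
    for client, first in find_connectivity_checks(SAMPLE_LOG).items():
        print(f"{client}: queried all {len(CHECK_DOMAINS)} check domains "
              f"starting at {first.isoformat()}")
```

Widening the window (for example to an hour) makes ordinary browsing match as well, which is the trade-off to keep in mind: the short burst is what distinguishes an automated check from a person reading the news. Corroborate a hit with the other behaviour the article describes, such as peer-to-peer update traffic from the same host, before treating it as an infection.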

In addition, Conficker reaches out to a domain that is known to be infected by a worm called Waledac and downloads an encrypted file. Researchers are analyzing that code and the program that is dropped directly onto infected machines by other infected machines to find out exactly what is in it. And they suspect that Conficker and Waledac are coming from the same people.

"I'm pretty certain the same people are behind both of them," said Paul Ferguson, an advanced threats researcher for Trend Micro. "Conficker has got their (Waledac creators') fingerprints all over it."

Computers infected with Waledac comprise what Ferguson called the "most pernicious spamming botnet on the Internet." Waledac spreads via a malicious Web link or an e-mail, typically a fake Christmas greeting or Valentine's Day message, or with a subject line related to the inauguration of President Obama. It generates spam and steals data, like passwords, from infected computers.

Ferguson said he believes Eastern Europeans are behind the Waledac worm. He suspects they created the Storm botnet to try different payloads and business models and that Waledac resulted from that. Ferguson speculates that they may be putting their lessons learned from earlier efforts into practice with Conficker.

"There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization's best efforts to monetize their efforts on the Internet," Ferguson said.

Vincent Weafer, vice president of Symantec Security Response, confirmed the Waledac connection with Conficker, but wouldn't speculate on who exactly might be spreading the worms. The fact that Conficker now downloads a Waledac file "reconfirms our belief that ultimately this is a large botnet designed to make money," he said. "It's the first example of how these guys are trying to leverage this botnet for profit."

As for the May 3 expiration date in the latest Conficker code, Weafer said it appears to be trying to shut down code related to the first variant of Conficker, Conficker.A, which generated more noise on the Internet than later versions did.

Symantec researchers are calling the latest Conficker code that is circulating a new variant of the worm and have dubbed it Downadup.E, with Downadup being another name for Conficker.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.

To check whether your computer is infected you can use the Conficker Eye Chart or the test site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
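The Eye Chart mentioned above works on a simple idea that follows from the worm blocking access to security Web sites: load something from a few security-vendor sites and from a few general sites, and compare. If the general sites answer but the security sites do not, something on the host is filtering them. The script below is an added example in Python that applies the same idea with plain HTTP requests; it is not the Eye Chart's own code and not from CNET. The control sites are the general sites the article says Conficker itself uses for its connectivity test; the two security sites are vendors quoted in the article and are my choice for the example.

```python
"""Eye-chart style check: are security vendor sites reachable while
general sites are?

Added example, not the Conficker Eye Chart itself and not code from the
CNET article. Site lists are my choice; the verdict logic is the point.
"""
import urllib.error
import urllib.request

# Control sites: general sites the article says Conficker uses to test
# its own connectivity, so an infected host can normally reach them.
CONTROL_SITES = [
    "http://www.cnn.com/",
    "http://www.msn.com/",
    "http://www.aol.com/",
]
# Security vendor sites (vendors quoted in the article; list is my choice).
SECURITY_SITES = [
    "http://www.symantec.com/",
    "http://www.trendmicro.com/",
]


def probe(url, timeout=5):
    """Return True if any HTTP response comes back from url, else False."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True  # a server answered, even with an error status: not blocked
    except (urllib.error.URLError, OSError, ValueError):
        return False


def classify(results):
    """results: {url: reachable_bool}. Returns one of:
      'no-connectivity'  no control site reachable, nothing can be concluded
      'blocked'          controls reachable, no security site reachable
      'partial'          controls reachable, some security sites unreachable
      'clear'            every security site reachable
    """
    controls = [results.get(u, False) for u in CONTROL_SITES]
    security = [results.get(u, False) for u in SECURITY_SITES]
    if not any(controls):
        return "no-connectivity"
    if not any(security):
        return "blocked"
    if not all(security):
        return "partial"
    return "clear"


def run_check(prober=probe):
    """Probe every site and classify. prober is injectable so the logic can
    be exercised offline with a constructed reachability map."""
    results = {u: prober(u) for u in CONTROL_SITES + SECURITY_SITES}
    return classify(results), results


if __name__ == "__main__":
    verdict, results = run_check()
    for url, ok in results.items():
        print(f"{'ok  ' if ok else 'FAIL'} {url}")
    print("verdict:", verdict)
```

A 'blocked' verdict is not proof of Conficker: a corporate proxy that filters by category, or a DNS outage at one vendor, produces the same picture, which is why the check separates 'partial' from 'blocked' and refuses to conclude anything when the control sites are down. Treat 'blocked' as the cue to fetch a removal tool by typing a trusted vendor's address directly, as the article advises, rather than through a search engine.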

People are being urged to be careful in their quest for Conficker removal tools. Marshal8e6 has found spam that takes advantage of the hype over the Conficker worm to scare people into installing fake antivirus software. The e-mail messages claim to be from Microsoft security departments and provide a link to a Web page that does a fake computer scan and prompts the visitor to buy antivirus software that typically does nothing but install malware on the computer.

Also, using search engines to try to find Conficker removal tools may not be the best idea. Trend Micro has found that Google searches using terms related to Conficker bring up results that include links to malware. Trend Micro recommends going directly to the site of a trusted security vendor to get software instead of doing general searches.

Meanwhile, Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by The_happy_switcher April 9, 2009 11:59 AM PDT
Window PC owners prepare to bend over and grab your ankles.
by sythara April 9, 2009 12:47 PM PDT
Once a virus comes out for Mac that is as widely distributed as other viruses I bet you'd be put on suicide watch.
by Random_Walk April 12, 2009 7:44 AM PDT
For now, yes.

Overall, yes Macs and Linux boxen are safer - not only due to the lack of any real virus for them, but their internal structures make them tougher to 'pwn'.

I know what the fanboys and zealots will say, and yet... Charlie Miller's big 'win' required him to spend a year hunting down an exploitable flaw, and then holding onto that flaw for another year... and he knows the OS inside and out. In spite of this, his exploit requires a user to visit his specially crafted webpage, and under certain lab conditions.

Will Macs get a big ugly reputation for bugs like Windows? I doubt it. There are hundreds of millions of Macs out there right now - yet we don't hear much about them being owned. You'd think that a malware writer would have tapped the market by now, what with near-homogeneous configs and a potential victim pool that obviously has disposable income... I guess Windows is just easier pickings, and criminals aren't exactly known for spending much effort to get what they want...
by Get_Bent April 9, 2009 12:06 PM PDT
Make that "Windows PC owners who were too lazy/stupid to install security updates".
by Clarious April 9, 2009 4:51 PM PDT
or maybe they were using a pirated version of Windows and can't/don't want to update
by Random_Walk April 12, 2009 7:46 AM PDT
Some simply cannot, especially in the enterprise. That's the hazard of having custom applications (especially written in VB or .NET) - sometimes a patch breaks things, and if you have to choose between a patch and a mission-critical application, guess which one the boss will demand you sacrifice?
by G-hero47 April 12, 2009 12:23 PM PDT
you speak truths
by sythara April 9, 2009 12:46 PM PDT
I love it how the media spins the "Windows based computers" rather than speaking the truth by saying "Unpatched/unupdated Windows based computers."
by rnaoncfixd April 9, 2009 1:31 PM PDT
"Unpatched/unupdated Windows based computers." Just doesn't roll off the tongue. Remember, you only have like 2 seconds to really grab people's attention. That, and you can't twitter something like that. It takes too long.
by zepol22 April 9, 2009 2:57 PM PDT
@rnaoncfixd
"Just doesn't roll off the tongue"

This is an internet article that you read. If it is so much trouble for you to read the line "Unpatched Windows computers" in an article, go back to first grade so they can teach you how to read the one extra word in front of "Windows". Stop trying to back up bad media.
by Random_Walk April 12, 2009 9:09 AM PDT
Sorry campers, but the fact remains - these are Windows machines, patched or not, they are Windows machines. Begging and cajoling for caveats to be jacked into the headline just screams of fanboyism.

The writer/media still spoke the truth - these are Windows machines infected by Conficker. On the flip side, the "pwn2own" contest wasn't perfectly accurate by printing: "Charlie Miller won by having a Mac visit a specially crafted webpage that he built to activate an obscure exploit which he sat on for nearly two years since he had no others he could use".

Such is life.

As for "This is an internet article that you read.", consider that it doesn't matter if it were printed on Dead Tree - unless you're writing an encyclopedia or scientific paper, rnaoncfixd is correct - It doesn't roll off the tongue. So get over your blind zealotry already, and just accept what happened already.
by Chapmaniac April 9, 2009 12:58 PM PDT
All you need to do is make sure you're patched, your firewall is up and you have some measure of a trusted and updated antimalware protection installed. You don't need to run out and buy a Mac and you don't need to install Linux. Now go back to computing as usual...
by Vegaman_Dan April 9, 2009 1:01 PM PDT
What people tend to overlook is that even if you do have a Mac or Linux system, there are many people who like to run dual boot or Virtual Machines with Windows to run applications that simply are not available for the other OS platforms. Those installations also need to be protected. Just because you have Windows running on a Mac doesn't make it any less vulnerable.
by Maccess April 9, 2009 1:24 PM PDT
That, and a Linux boot CD with fix-it apps for Windows problems. Ultimate Boot CD is my favorite. Free with dozens of great tools.
by dsbruce April 10, 2009 6:15 AM PDT
Umm... it's way easier to just install Linux than it is to keep up with patches and an updated antivirus/malware program. It's painful to maintain Windows - like slapping bandaids on all the new problems as they surface. Why not just get away from the broken system and be done with it? We waste an incredible amount of time and money just to maintain the "updated antimalware protection".

(GNU-)Linux still has issues, like all computing platforms, but most of the serious obstacles to everyday use have pretty much gone away. I use both Windows and Linux daily, and Linux is far less hassle. I also use OSX Leopard every day, but still prefer Linux w/ KDE 3.5x to anything else I've seen.
by ZetaZeta_ April 10, 2009 12:13 PM PDT
@dsbruce:
I'm a Linux user. While I love the system to death, I disagree that it's less work than leaving automatic updates on in Windows. Maybe Windows XP was tougher (at one point, since I was on my tech school network which was a malware breeding ground, I had to run 2 separate virus/anti-malware programs [together not even using the amount of resources Vista would require]).
A linux PC takes a little work and would be a pain in the neck to maintain if you were, say, my mother or sister. Even they can maintain Windows.
by Random_Walk April 12, 2009 7:53 AM PDT
@Vegaman_Dan: VMs are beautiful. If one gets infected, you simply roll it back to a known good snapshot (or if you're smart, you have a periodic clone to go back to).

@Chapmaniac: Good Luck with that - patching helps, but it is no magic bullet.

Firewalls are certainly no help when a user downloads a malicious package, or visits the wrong website (hint: it gets in through the same port(s) that you established for the session). Firewalls are only good for defending against random attacks that don't use ports you already have open (either temporarily or permanently).

@ZetaZeta: Ubuntu these days is drop-easy to maintain, and not any harder than Windows to install. Even for novices. The days of compiling anything are long gone if you don't want to.
by Maccess April 9, 2009 1:45 PM PDT
Has anyone thought that the Conficker virus may have something to do with the "Acai Berry" and similar spam that's been going around Instant Messaging the past few weeks? Conficker may be a keylogger or password stealer; it then sends the stolen username/password combination to a server computer which uses the information to log into your accounts and send spam (or worse).
by shootfirst April 9, 2009 4:15 PM PDT
Don't mess with ultimate boot cd, get UBCD4WIN as it is much better and for all the, ack what am I saying if you got conficker, you wouldn't be able to understand how to use a boot CD.
I think we should just let these people with conficker stay infected and stop hyping the media as it really is stupid. You got conficker reinstall your machine.... However most people who got conficker don't have those skills aka not knowing how to use a boot CD. Pretty much except for a couple of scams I bet the conficker victims would be safer than what they are now.
Also why isn't anything with a Microsoft label not called scareware. I bet everyone gets scared when they hear Microsoft. I hear if you say Microsoft 3 times in front of a mirror a cheesy Microsoft ad will appear on the TV...
by Dalkorian April 10, 2009 11:42 AM PDT
I heard if you stare into a mirror and say "Steve Ballmer" three times in a row you get hit in the head with a chair. I haven't been brave enough to try it though.
by Random_Walk April 12, 2009 9:19 AM PDT
I have a better idea: Have the ISP cut off almost all Internet connectivity, and have a transparent proxy shove the user to a webpage saying:

"We have determined that your computer has been infected based on the traffic your computer sends. please calls us at (number), or visit our offices at (place), or simply re-install your operating system and patch it. At that time, we will reconnect you."

This would solve a lot of problems. The only hard part would be to make sure there were no false positives.
by guest86 April 9, 2009 10:13 PM PDT
This is a true story! My computer got infected last year, in March 2008, by a virus that downloaded fake anti-virus software onto my computer from Astalavista or astatalk. The desktop wallpaper changed to red like a warning screen. That is what the virus did, known as fake anti-virus or a scam. I hate that! It's very annoying to see fake things. I tried to think how to remove the infected files; it was really insane! I found Malwarebytes' Anti-Malware software and it found more than 20 viruses, because one powerful virus had downloaded virus files that caused the computer to slow down and got pop-ups too. Internet Explorer showed up in front of the screen and downloaded unknown viruses to scare us off!

If you get infected by a virus, you must use the Malwarebytes software from www.malwarebytes.org/ to remove the nasty virus from your computer! Also don't forget to get the Microsoft Malicious Software Removal Tool for your computer to remove viruses too. You must have Firefox or SeaMonkey to quickly download Malwarebytes or the Microsoft Malicious Software Removal Tool, bypassing Internet Explorer, without getting problems like the virus downloading more viruses automatically. Better to download good software before your computer crashes from viruses!

I really hate Astalavista because it has too many viruses, malware, spyware, worms, etc. that will infect any computer! I don't know why people love making viruses that come from Astalavista. The Astalavista server is based in a European country. Astalavista is almost the same as astatalk; you can find it on Google, Yahoo, etc. Very bad one! Why doesn't someone shut the bad website down, due to its many viruses, spyware, etc., to stop it making problems?

Very stupid and rude things make us complain and be angry at people making viruses!
by grecs April 9, 2009 11:37 PM PDT
This article pretty much states the obvious. Gone are the days of hacking for fame and glory. Now all most care about is getting paid.
by n3td3v April 10, 2009 8:22 AM PDT
Why does nearly every article Elinor Mills writes have Paul Ferguson mentioned in it? Is there something we don't know about?
by bridge solution April 10, 2009 4:21 PM PDT
Perhaps, at some point in the future, Mac and Linux devotees and Windows fans will notice that these articles are not about them: they are about the system of organizing the connectedness of the internet. So, my machine seems Conficker protected. How does that keep me from getting spam sent from infected machines? How does that change the next set of hoops I will have to go through doing commerce online because of ID thefts?
Macs are cool, Linux is better, just install the updates: none of that has anything to do with anything in the article.
Getting paid with money is a bit more mature than getting paid with bragging rights. Yeah, hackers grew up. And Apple and Linux and Windows all tell people they don't have to grow up, just associate with the right brand and somehow it will all take care of itself.
by gertruded April 12, 2009 8:57 AM PDT
Remember, these worms and viruses are only for Windows systems.
by G-hero47 April 12, 2009 12:22 PM PDT
And all the people that haven't had the attention span to update since OCTOBER will all be f'ed
by Steve_KTG April 13, 2009 9:55 PM PDT
It's probably safe to assume that most intricate and obviously time-intensive applications like this were indeed created at least in part due to a profit motive. These are also the most troublesome for the average Joe, since a crashed computer and a stolen credit card are on different planes in terms of problems caused. No one is bragging on how much they've made so far, so we'll see how efficient this program is. As mentioned here http://www.justaskgemalto.com/en/news/cyber-security-community-joins-forces-defeat-conficker-worm; it is a little refreshing to see how the IT etc. community has become the center of attention briefly in order to combat this threat.