Researchers say Conficker is all about the money
The Conficker worm that has infected millions of Windows-based computers will likely be used to send spam and steal data much like one of the nastiest botnets on the Internet does, researchers said on Thursday after finding links between the two worms.
A week after failing to do anything but snore, the much hyped Conficker worm was roused from its slumber on Wednesday, with infected computers transmitting updates via peer-to-peer and dropping a mystery payload onto PCs. Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both.
Conficker now also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com, and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down some functionality on May 3.
In addition, Conficker reaches out to a domain that is known to be infected by a worm called Waledac and downloads an encrypted file. Researchers are analyzing that code and the program that is dropped directly onto infected machines by other infected machines to find out exactly what is in it. And they suspect that Conficker and Waledac are coming from the same people.
"I'm pretty certain the same people are behind both of them," said Paul Ferguson, an advanced threats researcher for Trend Micro. "Conficker has got their (Waledac creators') fingerprints all over it."
Computers infected with Waledac comprise what Ferguson called the "most pernicious spamming botnet on the Internet." Waledac spreads via a malicious Web link or an e-mail, typically a fake Christmas greeting or Valentine's Day message, or with a subject line related to the inauguration of President Obama. It generates spam and steals data, like passwords, from infected computers.
Ferguson said he believes Eastern Europeans are behind the Waledac worm. He suspects they created the Storm botnet to try different payloads and business models and that Waledac resulted from that. Ferguson speculates that they may be putting their lessons learned from earlier efforts into practice with Conficker.
"There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization's best efforts to monetize their efforts on the Internet," Ferguson said.
Vincent Weafer, vice president of Symantec Security Response, confirmed the Waledac connection with Conficker, but wouldn't speculate on who exactly might be spreading the worms. The fact that Conficker now downloads a Waledac file "reconfirms our belief that ultimately this is a large botnet designed to make money," he said. "It's the first example of how these guys are trying to leverage this botnet for profit."
As for the May 3 expiration date in the latest Conficker code, Weafer said it appears to be trying to shut down code related to the first variant of Conficker, Conficker.A, which generated more noise on the Internet than later versions did.
Symantec researchers are calling the latest Conficker code that is circulating a new variant of the worm and have dubbed it Downadup.E, with Downadup being another name for Conficker.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.
To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
People are being urged to be careful in their quest for Conficker removal tools. Marshale8e6 has found spam that takes advantage of the hype over the Conficker worm to scare people into installing fake antivirus software. The e-mail messages claim to be from Microsoft security departments and provide a link to a Web page that does a fake computer scan and prompts the visitor to buy antivirus software that typically does nothing but install malware on the computer.
Also, using search engines to try to find Conficker removal tools is maybe not the best idea. Trend Micro has found that Google searches using terms related to Conficker bring up results that include links to malware. They recommend going directly to the site of a trusted security vendor to get software instead of doing general searches.
Meanwhile, Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor. 
Overall, yes Macs and Linux boxen are safer - not only due to the lack of any real virus for them, but their internal structures make them tougher to 'pwn'.
I know what the fanboys and zealots will say, and yet... Charlie Miller's big 'win' required him to spend a year hunting down an exploitable flaw, and then holding onto that flaw for another year... and he knows the OS inside and out. In spite of this, his exploit requires a user to visit his specially crafted webpage, and under certain lab conditions.
Will Macs get a big ugly reputation for bugs like Windows? I doubt it. There are hundreds of millions of Macs out there right now - yet we don't hear much about them being owned. You'd think that a malware writer would have tapped the market by now, what with near-homogeneous configs and a potential victim pool that obviously has disposable income... I guess Windows is just easier pickings, and criminals aren't exactly known for spending much effort to get what they want...
"Just doesn't roll off the tongue"
This is an internet article that you read. If it is so much trouble for you to read the line "Unpatched Windows computers" in an article, go back to first grade so they can teach you how to read the one extra word in front of "Windows". Stop trying to back up bad media.
The writer/media still spoke the truth - these are Windows machines infected by Conficker. On the flip side, the "pwn2own" contest wasn't perfectly accurate by printing: "Charlie Miller won by having a Mac visit a specially crafted webpage that he built to activate an obscure exploit which he sat on for nearly two years since he had no others he could use".
Such is life.
As for "This is an internet article that you read.", consider that it doesn't matter if it were printed on Dead Tree - unless you're writing an encyclopedia or scientific paper, rnaoncfixd is correct - It doesn't roll off the tongue. So get over your blind zealotry already, and just accept what happened already.
(GNU-)Linux still has issues, like all computing platforms, but most of the serious obstacles to everyday use have pretty much gone away. I use both Windows and Linux daily, and Linux is far less hassle. I also use OSX Leopard every day, but still prefer Linux w/ KDE 3.5x to anything else I've seen.
I'm a linux user. While I love the system to death, I disagree it's less working that leaving automatic updates on in Windows. Maybe Windows XP was tougher (which at one point, since I was on my tech school network which was a malware breeding ground, I had to run 2 separate virus/anti malware programs [together not even using the amount of resources vista would require]).
A linux PC takes a little work and would be a pain in the neck to maintain if you were, say, my mother or sister. Even they can maintain Windows.
@Chapmaniac: Good Luck with that - patching helps, but it is no magic bullet.
Firewalls are certainly no help when a user downloads a malicious package, or visits the wrong website (hint: it gets in through the same port(s) that you established for the session). Firewalls are only good for defending against random attacks that don't use ports you already have open (either temporarily or permanently).
@ZetaZeta: Ubuntu these days is drop-easy to maintain, and not any harder than Windows to install. Even for novices. The days of compiling anything are long gone if you don't want to.
I think we should just let these people with conficker stay infected and stop hyping the media as it really is stupid. You got conficker reinstall your machine.... However most people who got conficker don't have those skills aka not knowing how to use a boot CD. Pretty much except for a couple of scams I bet the conficker victims would be safer than what they are now.
Also why isn't anything with a Microsoft label not called scareware. I bet everyone gets scared when they hear Microsoft. I hear if you say Microsoft 3 times in front of a mirror a cheesy Microsoft ad will appear on the TV...
"We have determined that your computer has been infected based on the traffic your computer sends. please calls us at (number), or visit our offices at (place), or simply re-install your operating system and patch it. At that time, we will reconnect you."
This would solve a lot of problems. The only hard part would be to make sure there were no false positives.
If you get infect from virus. You must use Malwarebytes software from www.malwarebytes.org/ to remove nasty virus off your computer! Also don't forget get Microsoft Malicious Software Removal Tool for your computer to remove viruses too. You must have Firefox or SeaMonkey to hurry download Malwarebytes or Microsoft Malicious Software Removal Tool to bypass Internet Explorer without get problems like virus going download more viruses automatically. Better download good softwares before your computer going crash by viruses!
I really hate Astalavista because have too many viruses, malwares, spywares, worms, etc will infect any computers! I don't know why people love make viruses that come from Astalavista. Astalavista server is based in Europe country. Astalavista is almost same as astatalk, you can find on Google, Yahoo, etc. Very bad one! Why not someone need shut bad website down due to a lot of viruses, spywares, etc to stop making problems?
Very stupid and rude things make us complaint and angry on people making viruses!
macs are cool, lnux is better, just install the updates have nothing to do with anything in the article.
getting paid with money is a bit more mature than getting paid with bragging rights. yeah. hackers grew up. and apple and lnux and windows all tell peeople they don;t have to grow up, just associaye with the right brand and somehow it will all take care of itself.
- by Steve_KTG April 13, 2009 9:55 PM PDT
- It's probably safe to assume that most intricate and obviously time intensive applications like this were indeed created at least in part due to a profit motive. These are also the most troublesome for the average Joe since a crashed computer and a stolen credit card and on different planes in terms of problems caused. No one is bragging on how much they've made so far so we'll see how efficient this program is. As mentioned here http://www.justaskgemalto.com/en/news/cyber-security-community-joins-forces-defeat-conficker-worm; it is a little refreshing to see how the IT etc. community has become the center of attention briefly in order to combat this threat.
- Like this Reply to this comment
-
(28 Comments)