Security

April 9, 2009 11:43 AM PDT

Researchers say Conficker is all about the money

by Elinor Mills
  • 28 comments

The Conficker worm that has infected millions of Windows-based computers will likely be used to send spam and steal data much like one of the nastiest botnets on the Internet does, researchers said on Thursday after finding links between the two worms.

A week after failing to do anything but snore, the much hyped Conficker worm was roused from its slumber on Wednesday, with infected computers transmitting updates via peer-to-peer and dropping a mystery payload onto PCs. Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both.

Conficker now also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com, and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down some functionality on May 3.

In addition, Conficker reaches out to a domain that is known to be infected by a worm called Waledac and downloads an encrypted file. Researchers are analyzing that code and the program that is dropped directly onto infected machines by other infected machines to find out exactly what is in it. And they suspect that Conficker and Waledac are coming from the same people.

"I'm pretty certain the same people are behind both of them," said Paul Ferguson, an advanced threats researcher for Trend Micro. "Conficker has got their (Waledac creators') fingerprints all over it."

Computers infected with Waledac comprise what Ferguson called the "most pernicious spamming botnet on the Internet." Waledac spreads via a malicious Web link or an e-mail, typically a fake Christmas greeting or Valentine's Day message, or with a subject line related to the inauguration of President Obama. It generates spam and steals data, like passwords, from infected computers.

Ferguson said he believes Eastern Europeans are behind the Waledac worm. He suspects they created the Storm botnet to try different payloads and business models and that Waledac resulted from that. Ferguson speculates that they may be putting their lessons learned from earlier efforts into practice with Conficker.

"There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization's best efforts to monetize their efforts on the Internet," Ferguson said.

Vincent Weafer, vice president of Symantec Security Response, confirmed the Waledac connection with Conficker, but wouldn't speculate on who exactly might be spreading the worms. The fact that Conficker now downloads a Waledac file "reconfirms our belief that ultimately this is a large botnet designed to make money," he said. "It's the first example of how these guys are trying to leverage this botnet for profit."

As for the May 3 expiration date in the latest Conficker code, Weafer said it appears to be trying to shut down code related to the first variant of Conficker, Conficker.A, which generated more noise on the Internet than later versions did.

Symantec researchers are calling the latest Conficker code that is circulating a new variant of the worm and have dubbed it Downadup.E, with Downadup being another name for Conficker.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.

To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.

People are being urged to be careful in their quest for Conficker removal tools. Marshal8e6 has found spam that takes advantage of the hype over the Conficker worm to scare people into installing fake antivirus software. The e-mail messages claim to be from Microsoft security departments and provide a link to a Web page that does a fake computer scan and prompts the visitor to buy antivirus software that typically does nothing but install malware on the computer.

Also, using search engines to try to find Conficker removal tools is maybe not the best idea. Trend Micro has found that Google searches using terms related to Conficker bring up results that include links to malware. They recommend going directly to the site of a trusted security vendor to get software instead of doing general searches.

Meanwhile, Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.

April 8, 2009 3:27 PM PDT

Conficker wakes up, updates via P2P, drops payload

by Elinor Mills
  • 57 comments

This story has been updated. See below for details.

The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites. To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.

For more information, listen to Larry Magid's audio interview with Perry.

Updated 7:50 p.m. PDT: Added that the software that's dropped onto computers is hiding behind a rootkit.

April 1, 2009 8:05 AM PDT

All quiet on the Conficker front. Now what?

by Elinor Mills
  • 35 comments

As expected, the Conficker worm failed to cause the digital pandemonium that some may have feared.

So, can we all just go back to playing on Facebook and watching the game now?

Not really. Just because the worm failed to create much of a stir on the day it was set to activate, April 1, doesn't mean it won't wake up and act later.

"The (malicious) hackers can tell their worm to do something any day of the year; they're just as likely to do it tomorrow or next Wednesday or in August," said Graham Cluley, a senior technology consultant with Sophos.

Then why the April 1 message in the code?

Cluley says he doesn't know. "This was such an invisible change inside the code. It was inconsequential to the infected computer that maybe (the creators) didn't think there would be such a frenzy," he said.

Today, as on any day, PC users should make sure their systems are patched and running the latest security software. People should patch their systems to close the hole in Windows it exploits and update their anti-virus software. The major anti-virus vendors all have free Conficker removal tools.

The worm also can spread via network shares and removable storage devices like USB thumb drives. So users are advised to use strong passwords when sharing files on a network and to download a patch Microsoft released to address the Autorun feature problem in Windows that makes using removable storage risky.

Oh, and be careful about searching for Conficker removal software on Google. Scammers have managed to get fake security sites among the top searches, Cluley said. Bogus sites are designed to steal your credit card information and could install malware on your computer instead of a legitimate security program.

So, what is the intention behind the worm, anyway? Why all the fuss?

Like many other worms, it's likely the Conficker worm is designed to create a botnet that could be used to send spam, launch denial-of-service attacks to shut down Web sites or steal data from infected computers.

David Perry, global director of security education at Trend Micro, said he suspects that the worm creators will slice up the botnet and sell it to spammers via underground forums, like they did with the Storm worm.

"The funny thing is that everyone has these expectations that come to them from science fiction viruses. In the movies they blow up the terminal, tip over an oil tanker and bring aliens out of the sky," said Perry. "In reality, the kind of thing a botnet does is much less visible. It's a lot more insidious of them to steal your bank password than to blow up your computer."

Hear more about what happened and didn't and why on this CNET podcast.

Update 9:45 a.m. PDT: Microsoft is offering a $250,000 reward for information leading to the arrest of whoever is responsible for the Conficker worm, but this isn't the first time the company has done that. Microsoft launched its $5 million Anti-Virus Reward program fund in 2003 and offered $250,000 rewards each for the MSBlast worm, the Sobig virus, the MyDoom virus and the Sasser worm, but only ended up paying out on Sasser.

April 1, 2009 6:35 AM PDT

Countdown to Conficker--a bust so far

by Elinor Mills
  • 85 comments

This post will be updated continually to track activity on the Conficker worm, the latest variant of which had been expected to hit the Internet on April 1. For more background on Conficker, click here or read below.

April 1, 6:35 a.m. PDT: McAfee says its Avert Labs is seeing Conficker-infected hosts attempting to call their "master" to get instructions, but those calls are not getting through. "This could be deliberate and the infected hosts may try again later, perhaps over the weekend when people aren't watching as closely," McAfee spokesman Joris Evers says. Hear more on this podcast. And for more technical details on what the worm is doing, McAfee Avert Labs has an updated blog posting.

April 1, 3:27 a.m. PDT: At F-Secure, a Wednesday morning post says there's still nothing much to report, other than a few April Fools' jokes circulating on the Web:

So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far -- nothing. Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys).


March 31, 7:25 p.m. PDT: Trend Micro's Paul Ferguson reports that things seem quiet. "So far, there's been no significant activity," he said, adding that a Trend Micro researcher in the Philippines reported seeing the same amount of traffic on Wednesday as he had been seeing the past few days in Asia-Pacific.

March 31, 4:00 p.m. PDT: The Conficker worm is stirring on some infected computers in Asia where it's April 1, but so far the activity is very tame, security researchers say.

"We've seen activity in honeypot machines in Asia...They're generating the 50,000 list of (potential) domains to contact," said Paul Ferguson, an advanced threats researcher for Trend Micro.

The latest variant of the worm, Conficker.C, was set to activate on April 1, which for some of the infected machines will happen at local time and for others it will be GMT, depending on whether the machines are turned on and connected to the Internet, he said.

The process seems to be starting slowly, with infected machines starting to generate the list of domains and then picking one domain and trying to contact it and waiting before continuing on through 500 of those 50,000 domains, according to Ferguson.

The owners of the infected computers likely won't notice anything, unless they can't access the Web sites of security vendors and then they will know they are infected, he said. Trend Micro has figured out a way to unblock the computer from the sites that the worm has blocked using a Microsoft networking service, he said. More details are on the Trend Micro site.

"Nothing at this point; we're running updates every half hour or so," Dave Marcus, director of security research for McAfee Avert Labs, said when asked to report what he was seeing. "They're supposed to connect to one of a variety of Web sites and download a piece of code. What that code is supposed to do is up in the air."

IBM ISS's X-Force group also reported that things were quiet, at least for the moment, in Asia where most of the infections are. Nearly 45 percent are in Asia, followed by Europe at about 30 percent, 13.6 percent in South America and 5.8 percent in North America, according to the Frequency X blog.

IBM ISS also said it had found a way for ISPs to detect infected computers on a network by monitoring the peer-to-peer communications the worm makes between infected PCs.

Experts say the worm could be used to steal passwords or other sensitive data from infected computers, or turn them into a botnet that sends out spam.

The worm exploits a vulnerability in Windows that Microsoft patched in October and spreads through weakly protected network shares and via removable storage devices, like USB drives.

Conficker.C also shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It reaches out to other infected computers via peer-to-peer networking, in addition to being programmed to reach out to 500 domains to receive updated copies or other malware instead of just 250 domains as earlier versions did.

Click here for an FAQ about the worm.

This graphic shows what Conficker.C is programmed to do on April 1.

(Credit: Trend Micro)
March 13, 2009 1:22 PM PDT

Latest Conficker worm gets nastier

by Elinor Mills
  • 43 comments

The authors of the latest variant of the Conficker worm are upping the ante against security vendors who are working to stop the spread and threat of the persistent program.

Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also is programmed to begin connecting to 50,000 different domains on April 1 to receive updated copies or other malware, as opposed to connecting to 250 domains a day as previous versions are doing, Ben Greenbaum, senior research manager for Symantec Security Response, said on Friday.

The authors of the code are "strengthening their hold on their collection of infected machines at the same time they are attempting to strengthen their ability to control those machines by moving to 50,000 domains," he said.

A self-described "cabal" of companies, including Microsoft, Symantec, and a host of domain registration providers, have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

Now that Conficker.C is targeting 50,000 domains, the group has its work cut out for it, Greenbaum said. Regardless, "it's unknown at this point whether (boosting the domains) is an effective sidestep around the cabal's actions," he said.

The worm, also called Kido or Downadup, was first detected in November and is believed to have infected more than 10,000 computers. The first two versions exploit a vulnerability that Microsoft patched in October.

The second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on Friday, Sophos said last week. However, a Southwest spokesman said there had been no impact to the site from any additional traffic as a result of Conficker.

Experts are urging computer users to apply the Microsoft patch and update their antivirus software. And this week, Enigma Software Group and BitDefender announced free Conficker removal tools.

Conficker has proved to be such a nuisance that Microsoft is offering a $250,000 reward for information leading to an arrest in the Conficker case.

Symantec has more technical and historical details on Conficker on its Web site.

March 2, 2009 1:06 PM PST

Conficker worm targets Southwest Airlines site

by Elinor Mills
  • 4 comments

The Conficker worm, also known as Downadup, is targeting the Web site of Southwest Airlines and could disrupt online flight check-in and other services on March 13 as a result, security firm Sophos warned on Monday.

Mike Wood of SophosLabs Canada did some digging and found that the millions of computers infected with Conficker are programmed to contact wnsux.com, which redirects visitors to the main Southwest.com site, on March 13 to get instructions. That would cause a denial of service, shutting the site down temporarily, he wrote in a blog entry.

The worm is targeting about 7,750 domains, of which Wood said he found that nearly 3,900 are active. But they only resolve to 42 unique IP addresses, he said. Only a handful of those IP addresses are involved in a covert operation of ISPs and others trying to thwart Conficker by pre-registering domains, Wood wrote.

Other sites and potential dates that could be affected by Conficker are music site jogli.com on March 8, Chinese women's network qhflh.com on March 18, and computer phonetics site praat.org on March 31, he said.

"Other, less frequented sites of interest that appeared in the list include 'The Tennessee Dogue De Bordeaux' dog breeders site (tnddb.com, March 14) and the coy 'Double Super Secret Message Board' site (dssmb.com, March 11)," Wood wrote.

Sophos has more information in a statement on its Web site.

The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October. Conficker also spreads via removable storage devices like USB drives, and network shares by guessing passwords and usernames.

February 12, 2009 12:48 PM PST

Microsoft offers $250,000 reward for Conficker arrest

by Elinor Mills
  • 74 comments

Correction, 1:08 p.m. PST: This story initially misstated the amount of the reward. It is $250,000.

Microsoft on Thursday said it is offering a $250,000 reward for information that leads to the arrest and conviction of whoever is responsible for creating the Conficker Internet worm that has infected millions of PCs.

Microsoft said it is offering the reward because the worm constitutes a "criminal attack" and offering compensation should hasten prosecution. Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement.

Microsoft also announced that it has partnered with security companies, domain name providers, and others on a coordinated global response to the worm, also known as Downadup. Participating are: the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, NeuStar, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.

The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October.

It also spreads via removable storage devices like USB drives, and network shares by guessing passwords and usernames, which is "causing it to spread like wild fire in the enterprise," Jose Nazario, manager of security research for Arbor Networks, wrote on a company blog.

Coalition members have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

"The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code," Nazario wrote. "The algorithm for this domain name generation scheme has been cracked (by F-Secure and others) and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature. This has been facilitated - greatly facilitated - by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in."
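The defensive workflow Nazario describes (reimplement the cracked domain generation algorithm, pre-compute each day's names, register them, point them at sinkholes and watch which hosts check in), and the earlier post's point that moving from 250 to 50,000 daily domains strains that effort, can be shown end to end in code. The block below is an added example written for this page; it is not code from CNET, Arbor Networks, F-Secure or any other party named here. The domain generation algorithm it uses is a constructed stand-in (a date-seeded SHA-256, with a made-up seed and TLD list), deliberately not Conficker's real algorithm, and the DNS log lines and IP addresses are constructed sample input in a made-up "timestamp client qname" format.

```python
"""Pre-computing a DGA's daily domains and detecting hosts that query them.

Added example. The DGA here is a constructed stand-in, NOT the real
Conficker/Downadup algorithm; it only illustrates the workflow: once the
algorithm is known, defenders can compute the same daily list the worm
computes, register (sinkhole) those names, and treat any host that looks
them up or checks in as infected.
"""
from __future__ import annotations

import hashlib
from datetime import date

# Constructed TLD list for the toy algorithm (assumption, not from the worm).
TLDS = ("com", "net", "org", "info", "biz")


def toy_dga(day: date, count: int, seed: bytes = b"constructed-seed") -> list:
    """Deterministically derive `count` domain names for `day`.

    Constructed scheme: SHA-256 over (seed, ISO date, index); the first 8
    digest bytes become an a-z label and the ninth byte picks a TLD.
    Because the output depends only on the date and a fixed seed, anyone
    who knows the scheme can compute the list ahead of time.
    """
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return names


def daily_blocklist(day: date, count: int) -> frozenset:
    """The day's pre-computed names, i.e. what the coalition would register."""
    return frozenset(toy_dga(day, count))


def expected_sinkhole_hits(total: int, contacted: int, registered: int) -> float:
    """Expected number of an infected host's daily contacts that land on a
    sinkhole, if it picks `contacted` names uniformly from `total` and the
    defenders managed to register `registered` of them. With 250 names a day
    all can be registered; with 50,000 only a fraction realistically can.
    """
    if not 0 <= registered <= total or not 0 <= contacted <= total:
        raise ValueError("registered and contacted must be within [0, total]")
    return contacted * registered / total


def find_infected_hosts(log_lines, blocklist: frozenset) -> dict:
    """Map client IP -> number of lookups of pre-computed DGA names.

    Constructed log format: "<timestamp> <client_ip> <qname>". Malformed lines
    are skipped; qnames are lower-cased and stripped of a trailing dot so a
    resolver's FQDN form still matches the blocklist.
    """
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client_ip, qname = parts
        if qname.lower().rstrip(".") in blocklist:
            hits[client_ip] = hits.get(client_ip, 0) + 1
    return hits


# Constructed scenario: April 1 list of 50,000 names, as in the article.
DAY = date(2009, 4, 1)
BLOCKLIST = daily_blocklist(DAY, 50_000)


def sample_dns_log() -> list:
    """Constructed DNS query log: two hosts hit DGA names, one is clean."""
    dga = toy_dga(DAY, 50_000)
    return [
        "2009-04-01T00:01:02Z 10.0.0.5 www.example.com",
        f"2009-04-01T00:01:03Z 10.0.0.5 {dga[17]}",
        f"2009-04-01T00:01:04Z 10.0.0.5 {dga[4242]}",
        "2009-04-01T00:02:00Z 10.0.0.9 mail.example.org",
        f"2009-04-01T00:02:10Z 10.0.0.12 {dga[31337].upper()}.",
        "not a well-formed log line",
    ]


if __name__ == "__main__":
    print("infected hosts:", find_infected_hosts(sample_dns_log(), BLOCKLIST))
    print("expected sinkhole hits, 250-name day, all registered:",
          expected_sinkhole_hits(250, 250, 250))
    print("expected sinkhole hits, 50,000-name day, 5,000 registered:",
          expected_sinkhole_hits(50_000, 500, 5_000))
```

The same `find_infected_hosts` pass works on a sinkhole's own connection log if the third field is the sinkholed name the client asked for; the point is that the pre-computed list turns the worm's update channel into a free indicator feed. The coverage arithmetic makes the March 13 post concrete: registering every one of 250 names gives full coverage of each infected host's contacts, while registering 5,000 of 50,000 leaves an average of 50 of the 500 daily contacts on sinkholes and 450 that the defenders never see.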

Over the past five days, Symantec has observed an average of 453,436 IP addresses infected per day with W32.Downadup.A and 1.7 million IP addresses infected per day with W32.Downadup.B, the company said in a blog posting.

"W32.Downadup is the first successful worm to target a vulnerability in a remote service since W32.Sasser in 2004, and in doing so it has shown that the Internet is still a successful breeding ground for worms," Symantec said.

Infected machines, of which there could be as many as 12 million according to a guesstimate by Arbor Networks, could be used to launch distributed denial-of-service attacks on Web sites or seed a new worm, according to Symantec.

January 29, 2009 1:30 PM PST

Conficker spreads as Waledac delivers mal-entine

by Elinor Mills
  • 2 comments

The Waledac worm lures people into downloading malware with the promise of receiving a Valentine.

(Credit: Trend Labs Malware Blog)

Security experts are tracking two computer worms that have infected millions of PCs and are creating botnets that can be awakened at any time.

More than 9 million computers have already been infected with the Conficker, or Downadup, worm that spreads via a hole on unpatched Windows machines (Microsoft issued an emergency patch to plug the hole in October), by USB devices and other removable storage devices, and can use a built-in password cracker to guess weak network passwords.

Infected machines send an alert back to a host machine, providing location and other information about the infected machine, and attempt to find other IP addresses to continue spreading. The worm blocks access to domains where antivirus tools are located and has other programming that makes it difficult to disinfect, Paul Ferguson, an advanced threats researcher for Trend Micro, said on Thursday.

Conficker is rated as a critical threat for Windows 2000, XP, and Windows Server 2003. But beyond spreading, Conficker so far hasn't done much--which has experts worried.

"There may be another boot that's going to drop," Ferguson said. "It's purely speculation, but to have that many PCs out there infected and not doing anything with them doesn't make sense."

And now there is another botnet surfacing from computers that are being infected with a worm called Waledac that attracts victims with a Valentine's Day-related e-mail.

The e-mail contains a link to a page with images of about a dozen hearts on it and asks "Guess which one is for you?" Once an image is clicked on, the visitor is prompted to download an executable file which can install malicious code, according to an advisory issued on Thursday by the United States Computer Emergency Readiness Team. The worm spreads by spamming e-mail addresses on the infected machine.

"Waledac is the new Storm," Ferguson said, referring to the prolific e-mail worm that has been cropping up since at least 2007. "The same people wrote it; it's almost identical to Storm."

In fact, there could be one group behind both Conficker and Waledac/Storm, he speculated. "My suspicions are that they are (the same creators) because there are some hints (in the coding) that indicate that it is being developed by the same organization."

January 15, 2009 2:03 PM PST

Expert: Worm spreading in many ways becoming an epidemic

by Elinor Mills
  • 49 comments

A worm that spreads via removable devices, network shares, and weak administrator passwords--in addition to exploiting a critical Windows vulnerability--is spreading so fast it is becoming an epidemic, a security researcher said on Thursday.

The worm, known as Kido, Conficker, or Downadup, initially exploited MS08-067, a vulnerability considered critical for Windows 2000, XP, and Server 2003. It was patched in October.

Newer variants have been configured to give the worm the ability to infect via other means to get onto the network, said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.

"The Kido authors are trying to get into these networks by infected removable devices and by using other Trojans to install Kido on a computer, which will then try to infect other machines on the local network," he said in an e-mail statement. The worm "is currently causing an epidemic."

An estimated 3.5 million computers are believed to be infected with the worm, ZDNet reports.
