The Conficker worm that has infected millions of Windows-based computers will likely be used to send spam and steal data much like one of the nastiest botnets on the Internet does, researchers said on Thursday after finding links between the two worms.
A week after failing to do anything but snore, the much hyped Conficker worm was roused from its slumber on Wednesday, with infected computers transmitting updates via peer-to-peer and dropping a mystery payload onto PCs. Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both.
Conficker now also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com, and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down some functionality on May 3.
In addition, Conficker reaches out to a domain that is known to be infected by a worm called Waledac and downloads an encrypted file. Researchers are analyzing that code and the program that is dropped directly onto infected machines by other infected machines to find out exactly what is in it. And they suspect that Conficker and Waledac are coming from the same people.
"I'm pretty certain the same people are behind both of them," said Paul Ferguson, an advanced threats researcher for Trend Micro. "Conficker has got their (Waledac creators') fingerprints all over it."
Computers infected with Waledac comprise what Ferguson called the "most pernicious spamming botnet on the Internet." Waledac spreads via a malicious Web link or an e-mail, typically a fake Christmas greeting or Valentine's Day message, or with a subject line related to the inauguration of President Obama. It generates spam and steals data, like passwords, from infected computers.
Ferguson said he believes Eastern Europeans are behind the Waledac worm. He suspects they created the Storm botnet to try different payloads and business models and that Waledac resulted from that. Ferguson speculates that they may be putting their lessons learned from earlier efforts into practice with Conficker.
"There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization's best efforts to monetize their efforts on the Internet," Ferguson said.
Vincent Weafer, vice president of Symantec Security Response, confirmed the Waledac connection with Conficker, but wouldn't speculate on who exactly might be spreading the worms. The fact that Conficker now downloads a Waledac file "reconfirms our belief that ultimately this is a large botnet designed to make money," he said. "It's the first example of how these guys are trying to leverage this botnet for profit."
As for the May 3 expiration date in the latest Conficker code, Weafer said it appears to be trying to shut down code related to the first variant of Conficker, Conficker.A, which generated more noise on the Internet than later versions did.
Symantec researchers are calling the latest Conficker code that is circulating a new variant of the worm and have dubbed it Downadup.E, with Downadup being another name for Conficker.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.
To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
People are being urged to be careful in their quest for Conficker removal tools. Marshale8e6 has found spam that takes advantage of the hype over the Conficker worm to scare people into installing fake antivirus software. The e-mail messages claim to be from Microsoft security departments and provide a link to a Web page that does a fake computer scan and prompts the visitor to buy antivirus software that typically does nothing but install malware on the computer.
Also, using search engines to try to find Conficker removal tools is maybe not the best idea. Trend Micro has found that Google searches using terms related to Conficker bring up results that include links to malware. They recommend going directly to the site of a trusted security vendor to get software instead of doing general searches.
Meanwhile, Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.
One flaw not addressed in yesterday's Patch Tuesday is a heap overflow within the XML parser reported on Wednesday by Bojan Zdrnja of the SANS Internet Storm Center.
The exploit in the wild on Wednesday creates an XML tag, then waits 6 seconds in an attempt to thwart antivirus engines. The exploit could then crash the browser and run malicious code when the browser is restarted. The user must be running Windows XP or Windows Server 2003, and using Internet Explorer 7.
Zdrnja writes that "at this point in time, it does not appear to be wildly used, but as the code is publicly available, we can expect that this will happen very soon."
A Microsoft representative said the company is "investigating new public claims of a possible vulnerability in Internet Explorer. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves."
As for a workaround, Zdrnja suggests using a browser other than Internet Explorer. Microsoft says anyone who has been affected by this exploit can get help online or by calling the PC Safety hotline at 1-866-PCSAFETY.
The daily volume of spam produced by the Storm botnet during 2008.
(Credit: Marshall)The creators of the Storm botnet have either ceased sending out spam or have moved on to a newer botnet, security researchers have concluded.
Marshal, a security vendor that specializes in spam protection, on Tuesday noted a marked downturn in the amount of spam attributed to hosts infected with Storm within the last month. For the last few weeks other researchers have also noticed the sharp decline.
"We don't know what happened here, if somebody put the kibosh on them or not," said Jose Nazario, a security researcher for Arbor Networks. "In terms of the number of hosts out there, there are still a lot of hosts--they're just sort of quiet."
Storm started and got its name from an infected e-mail promising information about a large winter storm in Europe in early 2007.
At its peak, in mid-2007, Storm accounted for up to 20 percent of all spam sent. Then, in September 2007, Microsoft included a removal signature in its Malicious Software Removal Tool. Security experts say that update alone removed up to a quarter million infected hosts and greatly diminished Storm's ability to produce large spam campaigns despite a few attempts earlier this year.
LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.
He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.
None of this surprising, it's just handled well.
In explaining Storm worm's resiliency compared to newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the command and control server. He said the compression or packing code changes so often in order to thwart antivirus signature files.
Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based, in part, on the date.
Joe Stewart talks about what botnet code is available and what can be found within it.
On Wednesday, the FBI and its partner, the Internet Crime Complaint Center (IC3), warned against a new e-mail campaign being used by the creators of the Storm Worm botnet.
The e-mail uses the the phrase "F.B.I. vs. Facebook" in its subject line and contains a link to view an article about the FBI and Facebook, a popular social networking website. Clicking on the link downloads malicious software onto the victim's computer.
"The spammers spreading this virus are preying on Internet users and making their computers an unwitting part of criminal botnet activity," said the FBI in a press release. "We urge citizens to help prevent the spread of botnets by becoming web-savvy."
The FBI is warning users not to respond to spam e-mail and not to open attachments or links provided within such e-mail, and advising them to validate the legitimacy of the e-mail by typing the organization's Web site address directly into a browser window, rather than clicking on a provided link.
- prev
- 1
- next
