The Tech Herald

Another Conficker variant discovered – new version still fighting removal (Update 1)

by Steve Ragan - Apr 8 2009, 23:30

Update: Trend Micro offers more information

Trend Micro has updated its blog with more information on the new Worm variant.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing," wrote Ivan Macalintal, Advanced threats Researcher for Trend.

In addition to the P2P update, Trend Micro also reported that the new Conficker variant will stop running on May 03 of 2009. Moreover, the variant runs with a random filename and random service name, and propagates via MS08-067 to external IPs if Internet access is available, or to local IPs if it is not. It opens port 5114 so it can act as an HTTP server broadcasting via SSDP.

What’s odd is that the variant connected to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com. The reasons for the connections are presently unknown.

"Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary," added Macalintal.

"The domain resolves currently to an IP that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary."

Original story:

BitDefender is reporting that it has discovered another variant of Conficker moving about in the wild. The new version uses removal tools for previous versions of the Worm in order to circumvent detection and disinfection. Can we officially call this version 'Conficker D'?

"We found a new variant yesterday, which is very similar to the old one. It blocks more domains and more disinfection tools. As you know, Conficker was already blocking access to security websites and removal tools. Now its list is bigger. It is a minor upgrade to the C version, designed to make disinfection even harder, or to counter the disinfection methods that have appeared," said Vlad Valceanu, BitDefender's Senior Security Researcher while speaking to The Tech Herald.

It appears that this variant has a simple goal insofar as "it is designed to keep its hold on the infected machines," Valceanu explained.

There is currently no word on the scope of infection, but it is believed to be relatively small compared to other Conficker variants. Likewise, there is no information on detection methods, but it is assumed that with decent heuristics almost all vendors will catch this new variant. Once TTH has more data we will update this story.

In addition to using removal tools for previous versions to circumvent detection and disinfection, the newest Conficker variant also has a new obfuscation layer that was written to aid the Worm in avoiding detection.

The Tech Herald has learned that, in addition to known strings such as Wireshark, Unlocker, TCPview, filemon, ms08-06, kb958, kb890, confick, hotfix, and downad, the new variant blocks the following:

* precisesecurity
* ms-mvp
* mitre
* enigma
* bdtools
* av-sc
* adware
* activescan
* stinger
* kill
* cfremo
* bd_rem

Security vendor F-Secure maintains a master list containing known strings blocked by Conficker. That list can be perused here.
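The blocking described above has a useful defensive mirror image: a host that can still resolve an unrelated name but fails on every security-vendor name in the list is worth a closer look. The following is an added example, not code from the article or from any vendor tool it mentions. It models the blocklist as case-insensitive substring matching on hostnames (an assumption about the matching rule; the article only says the strings are blocked) and feeds it constructed lookup results rather than live DNS queries.

```python
# Added example (not from the article): model the blocked-string list and use it
# as a host-side diagnostic. Matching rule (case-insensitive substring on the
# hostname) is an assumption; the strings themselves are those the article lists.

# Strings the article names as already blocked by earlier variants, followed by
# the ones it reports for the new variant ("ms08-06" is reproduced as printed).
BLOCKED_SUBSTRINGS = [
    "wireshark", "unlocker", "tcpview", "filemon", "ms08-06", "kb958",
    "kb890", "confick", "hotfix", "downad",
    "precisesecurity", "ms-mvp", "mitre", "enigma", "bdtools", "av-sc",
    "adware", "activescan", "stinger", "kill", "cfremo", "bd_rem",
]


def matches_blocklist(hostname: str) -> bool:
    """True if the hostname contains any blocked substring (case-insensitive).

    Short tokens such as "kill" also hit unrelated names, which is a property of
    substring blocklists in general and a reason to pair this with a control name.
    """
    name = hostname.lower()
    return any(token in name for token in BLOCKED_SUBSTRINGS)


def assess_host(lookups: dict, control: str) -> str:
    """Classify a host from a map of hostname -> whether DNS resolution succeeded.

    'offline'      : the control name itself fails, so nothing can be concluded.
    'inconclusive' : no blocklisted name was probed.
    'suspect'      : control resolves, but every blocklisted name fails.
    'clean'        : at least one blocklisted name resolves normally.
    """
    if not lookups.get(control, False):
        return "offline"
    probes = [ok for host, ok in lookups.items()
              if host != control and matches_blocklist(host)]
    if not probes:
        return "inconclusive"
    if not any(probes):
        return "suspect"
    return "clean"


# Constructed sample results (not real measurements).
CONTROL = "www.example.com"
CLEAN_HOST = {CONTROL: True, "www.bdtools.net": True,
              "www.precisesecurity.com": True, "www.mitre.org": True}
INFECTED_HOST = {CONTROL: True, "www.bdtools.net": False,
                 "www.precisesecurity.com": False, "www.mitre.org": False}
OFFLINE_HOST = {CONTROL: False, "www.bdtools.net": False}

if __name__ == "__main__":
    for label, results in [("clean", CLEAN_HOST), ("infected", INFECTED_HOST),
                           ("offline", OFFLINE_HOST)]:
        print(f"{label:9s} -> {assess_host(results, CONTROL)}")
```

The control name matters: without it, a machine with no network at all would look identical to an infected one, which is why the function reports "offline" before it reports anything else.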

Every variant of Conficker has something new. The most notable upgrade caused an enormous amount of panic online and a slew of press coverage. That upgrade, located in Conficker C, saw the Worm generate a list of 50,000 domains instead of 250 domains to use as potential update or command-and-control points.

"Both this last variant and the well known C variant generate 50000 domain names per day, it is true. But from this list, each virus instance only chooses 500 to test, at random, each day. This changes a lot of the assumptions, because this means that even if an update appears on one of the websites, only a small fraction of the virus base would happen to check that domain in a day," Valceanu said.
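Valceanu's point can be carried through numerically. The following is an added example, not from the article, that uses the two figures he gives (50,000 domains generated per day, 500 checked per instance) to compute what fraction of the infected population would touch an update domain in a day and over a run of days. It assumes each instance picks its 500 domains uniformly at random without replacement and afresh each day, which is the reading of "at random, each day" and not something the article spells out.

```python
# Added example (not from the article): coverage arithmetic for the sampling
# behaviour described in the quote. Uniform sampling without replacement and a
# fresh choice each day are assumptions.
DOMAINS_PER_DAY = 50_000   # domains generated per day (from the article)
CHECKED_PER_DAY = 500      # domains each instance actually tests (from the article)


def fraction_checking_per_day(seeded: int = 1) -> float:
    """Probability that one instance checks at least one of `seeded` update
    domains on a given day, when `seeded` of the day's domains carry the update.

    P(miss all) = prod_{i=0}^{k-1} (N - s - i) / (N - i), computed as a running
    product so no huge binomial coefficients are needed.
    """
    if seeded <= 0:
        return 0.0
    if seeded >= DOMAINS_PER_DAY:
        return 1.0
    miss = 1.0
    for i in range(CHECKED_PER_DAY):
        miss *= (DOMAINS_PER_DAY - seeded - i) / (DOMAINS_PER_DAY - i)
    return 1.0 - miss


def fraction_reached_after_days(days: int, seeded: int = 1) -> float:
    """Fraction of instances that have checked an update domain at least once
    within `days` days, assuming an independent random pick each day."""
    p = fraction_checking_per_day(seeded)
    return 1.0 - (1.0 - p) ** days


def expected_days_to_first_check(seeded: int = 1) -> float:
    """Mean number of days until a given instance first checks an update domain."""
    return 1.0 / fraction_checking_per_day(seeded)


if __name__ == "__main__":
    for seeded in (1, 10, 100):
        print(f"seeded={seeded:3d}: per day {fraction_checking_per_day(seeded):.4f}, "
              f"after 7 days {fraction_reached_after_days(7, seeded):.4f}, "
              f"mean wait {expected_days_to_first_check(seeded):.1f} days")
```

With a single seeded domain the per-day figure is 500/50,000, or 1% of instances, and the mean wait for any one instance is 100 days; registering more of the day's domains raises coverage roughly in proportion, which is why the number of domains a defender would have to pre-register to block updates outright grows so quickly.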

So while there is a good deal of frustration to be had with this latest version, it is better to keep in mind that this is why it is called a game of cat and mouse.

The Conficker authors saw the good guys were gaining an edge, and duly released a new version to circumvent their efforts. The only way to prevent the Worm’s authors from gaining any solid footing is to remove their ability to infect new systems. Once that is done, the next step is to use all the resources available in order to quickly disinfect compromised systems.

The best protection from any variant of Conficker is to ensure that Windows is patched with all the latest security updates. Conficker was only able to spread thanks, in part, to businesses and some home users missing the update addressed in MS08-067. In addition, using legitimate and constantly updated anti-virus software, no matter which vendor, will protect your system from Conficker infection.

Since some of the vendor tools to detect and remove Conficker are being blocked by the Worm, including those offered by BitDefender, the company has updated its removal links. BDtools.net has been blocked in the new variant of the Worm. To address this, BitDefender has created a new site with the same tools, which is unknown to the Worm at this time.

Finally, The Tech Herald has created a single index of Conficker-related information. This index houses news, protection and mitigation instructions (some with video), as well as a list of removal links and related vendor information and articles.

The link below will take you directly to it.

The Tech Herald: Conficker: The Tech Herald’s index of news and information
