The Tech Herald

Conficker Worm fighting back - new variant disables security measures (Update)

by Steve Ragan - Mar 13 2009, 15:00

Update:

Security vendor CA pointed out an interesting bit of information this week. According to them, Conficker has a rather large joke to play next month, and it isn’t funny.

“This worm, detected as Win32/Conficker.C, is getting ready for April Fool’s Day on 1 April, although it definitely won’t be fooling around. On that day, Conficker.C will commence its attempt to generate 50,000 URLs daily and try to access (download or report back to) 500 of them. It is a clever strategy, but the security industry is certainly on the lookout.”

The warning from CA is important, but how will the companies who have teamed up to deal with Conficker handle 50,000 domains, at one time, daily? So far none of them have mentioned any solid plans.

Original article below:

In a previous article, The Tech Herald made a joking reference to Conficker variant C++. It would appear that Murphy’s Law applied, as Symantec is reporting that a new variant of Conficker, version C, is digging trenches and preparing for a long, cold, bitter war against the security researchers who are dedicated to fighting it.

Symantec says they have discovered a new update that is being pushed to some systems infected by the Conficker (Downadup) Worm. The update doesn’t add any new methods of propagation, but considering that new systems are still being infected daily, the authors of the Worm do not need to update that part of the code, at least not yet.

The new addition is that the new variant targets security researchers, security software, and even security related applications. If the Worm detects processes on an infected system whose names contain security testing, analysis, or anti-virus related strings, it kills them. Wireshark, Unlocker, TCPview, filemon, ms08-06, kb958, kb890, confick, hotfix, and downad are all strings that cause the Worm to kill a matching process.

Another update in the new variant is the domain generation algorithm. Earlier variants would generate 250 domains, which the infected system contacted to receive updates and instructions. Researchers cracked the domain generation and started registering and blocking the domains before they could be used, limiting the scope of this method of further infection. However, some domains generated by Conficker turned out to be legitimate, which caused some concern because of the elevated attack vector.

Now, Symantec says the 250 domain limit is gone, replaced by a 50,000-a-day generation algorithm, using one of a possible 116 domain suffixes, such as com, net, org, tv, info, ws, etc.

“These early findings may suggest that the Downadup authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines. Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation. Also, currently we are not seeing an increase in customer infections for this threat but are keeping a close eye on it,” Symantec said.

Last month, SRI International reported on new code in the variant of Conficker named B++ that foreshadowed the possibility that the Worm’s authors were looking for ways to fight the researchers.

“Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach,” the SRI research stated.

If the people behind Conficker are working to protect the systems they have now, then why would they increase the number of generated domains? What no one has been able to ascertain is the planned use for the infected systems.

While the infection rate has slowed, this does not mean that we won’t see a slight boost over the coming months. This is because no matter how good the researchers are, 50,000 domains are hard to fight, and even harder to predict and block before the Worm can access them. All the Worm needs is a few hundred domains and a quick download of new code to the infected systems. It is this new code, and the concern over what it will do, that bothers security experts the most.
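Pre-registering 50,000 names a day is a losing race, but a bot that polls hundreds of generated domains a day leaves a loud trace in DNS: bursts of NXDOMAIN answers spread across many suffixes. The following is an added example (not code from the article, Symantec, or CA) that flags such hosts; it assumes a simplified resolver log format, and the sample names are constructed and are not Conficker’s real algorithm.

```python
"""Flag hosts whose DNS traffic looks like a bot polling a large set of
generated rendezvous domains: many NXDOMAIN answers across many suffixes.
Added example, not code from the article, Symantec or CA.
Assumed simplified resolver log format:  <timestamp> <client_ip> <qname> <rcode>
"""
from collections import defaultdict

TLDS = ["com", "net", "org", "info", "ws", "tv", "biz", "cc"]  # subset of the 116 suffixes


def constructed_log() -> str:
    """Build a constructed sample log: 10.0.0.7 queries 40 throw-away names
    across 8 suffixes (names are made up, NOT the worm's real algorithm);
    10.0.0.9 makes a handful of ordinary lookups plus one typo."""
    lines = []
    for i in range(40):
        tld = TLDS[i % len(TLDS)]
        lines.append(f"2009-04-01T00:{i:02d}:00 10.0.0.7 gen{i:03d}.{tld} NXDOMAIN")
    for name in ["www.example.com", "mail.example.org", "update.example.net"]:
        lines.append(f"2009-04-01T01:00:00 10.0.0.9 {name} NOERROR")
    lines.append("2009-04-01T01:05:00 10.0.0.9 typo.exmaple.com NXDOMAIN")
    return "\n".join(lines)


def parse_log(text: str):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode.upper()


def flag_dga_hosts(records, min_nxdomain=20, min_tlds=5):
    """Return {client: (nxdomain_count, distinct_tlds)} for clients whose
    failed lookups exceed BOTH thresholds.  The real worm tries ~500 generated
    names a day, so production thresholds can sit far above these demo values;
    a single NXDOMAIN from a typo never trips the rule."""
    nx = defaultdict(int)
    tlds = defaultdict(set)
    for client, qname, rcode in records:
        if rcode != "NXDOMAIN" or "." not in qname:
            continue
        nx[client] += 1
        tlds[client].add(qname.rsplit(".", 1)[1])
    return {c: (nx[c], len(tlds[c])) for c in nx
            if nx[c] >= min_nxdomain and len(tlds[c]) >= min_tlds}


if __name__ == "__main__":
    print(flag_dga_hosts(parse_log(constructed_log())))  # {'10.0.0.7': (40, 8)}
```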

The odds are stacked against the researchers, but like before, they will work something out. For now, the cat and mouse game keeps going.
