In association with heise online

09 March 2009, 11:57

Conficker modified for more mayhem

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

According to Symantec the Conficker worm has been modified to cause more damage. Previously the worm had only contacted about 250 domains a day, to look for commands and download new code. Symantec report that there is a new variant of Conficker using an algorithm which will contact up to 50,000 domains a day. The new domain generation algorithm also uses one of a 116 possible domain suffixes.

This is expected to make life harder for anti-virus specialists, ICANN and OpenDNS to block the domains that Conficker will use and makes it much more likely that Conficker will be generating addresses that point to legitimate sites. Although Conficker generates the domain name from a random combination of letters and should be creating domains that point to largely unused addresses, it is possible to find companies who have domains who's names match the generated addresses. For example, the previous generation of the worm is expected to call on March 13th, a domain owned by Southwest Airlines.

The change in domain generation is accompanied by a more aggressive approach to keeping the worm alive. Conficker will now detect a wide range of anti-virus and security software, looking for processes containing strings such as wireshark, unlocker, tcpview, sysclean, regmon and hotfix, and kill those processes in an attempt to remain undetected.

The new strain of Conficker has been dubbed W32.Downadup.C by Symantec. The security company has already observed it being pushed out to systems previously infected with earlier Conficker versions. Estimates of the number of systems already infected with the worm range from several hundred thousand to several millions, which has led to Microsoft offering a $250,000 reward for information leading to the arrest and prosecution of the Conficker creators. So far, no one has claimed that reward.

The question is whether and when the Conficker bot herder will set the infected systems a specific task such as sending spam, orchestrating a denial of service attack or creating a Fast Flux network for phishing. The worm has, fortunately, yet to be set a task and has only been contacting domains and spreading itself through various means, but even that action has been causing some problems for infected sites.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit