Conficker worm gets an evil twin
- 20 February, 2009 11:59
- Comments
The criminals behind the widespread Conficker worm have released a new version of the malware that could signal a major shift in the way the worm operates.
The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.
Conficker-infected machines could be used for nasty stuff -- sending spam, logging keystrokes, or launching denial of service (DoS) attacks, but an ad hoc group calling itself the Conficker Cabal has largely prevented this from happening. They've kept Conficker under control by cracking the algorithm the software uses to find one of thousands of rendezvous points on the Internet where it can look for new code. These rendezvous points use unique domain names, such as pwulrrog.org, that the Conficker Cabal has worked hard to register and keep out of the hands of the criminals.
The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether. That means that the Cabal's most successful technique could be bypassed.
Conficker underwent a major rewrite in December, when the B variant was released. But this latest B++ version includes more subtle changes, according to Phil Porras, a program director with SRI. "This is a more surgical set of changes that they've made," he said.
To put things in perspective: There were 297 subroutines in Conficker B; 39 new routines were added in B++ and three existing subroutines were modified, SRI wrote in a report on the new variant. B++ suggests "the malware authors may be seeking new ways to obviate the need for Internet rendezvous points altogether," the report states.
Porras could not say how long Conficker B++ has been in circulation, but it first appeared on Feb. 6, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site, which has tracked Conficker.
Though he does not know whether B++ was created in response to the Cabal's work, "it does make the botnet more robust and it does mitigate some of the Cabal's work," Support Intelligence CEO Rick Wesson said in an e-mail interview.
Also known as Downadup, Conficker spreads using a variety of techniques. It exploits a dangerous Windows bug to attack computers on a local area network, and it can also spread via USB devices such as cameras or storage devices. All variants of Conficker have now infected about 10.5 million computers, according to SRI.
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
- Secure File Sharing in the Cloud: Maximizing the Benefits
- 8 Critical Requirements for Secure Mobile File Sharing
- Lost USB keys have 66% chance of malware
- Email Encryption/Decryption and Signing integrated into a comprehensive content security solution
- Audio Whitepaper | How Not To Get Buried In Data - Part 1
-
Lenovo ordered to pay €1920 for making French laptop buyer pay for Windows too
-
Wikileaks suspect to face US court-martial
-
Wikileaks suspect to face US court-martial
-
Telstra reports issue with BigPond email accounts
-
Samsung Galaxy S II Android phone
-
Office 2007 for Dummies
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Computers for Seniors for Dummies, 2nd Edition
-
Windows 7 for Dummies® Dvd+book Bundle
-
Windows 7 for Seniors for Dummies®
-
MYOB Software for Dummies 6E Australian Edition
-
Windows 7 for Dummies®
-
Microsoft Office
-
Office 2007 All-In-One Desk Reference for Dummies
Get exclusive access to Techworld news, reports & analysis. 
Comments
Post new comment