12:09 AM

Beware Conficker Awakens, Mutates, Hustles

Reports are all over that a new and interesting version of the Conficker worm is around, and that it is pushing rogue anti-malware to its users. Thus a purpose to the whole endeavor begins to emerge: money. But the vendor analyses of this new variant are not yet in sync; they disagree on some points and are confused on others.

ESET calls this new variant Win32/Conficker.AQ; the names are really beginning to diverge among the vendors. The new variant is split into client and server components. The server, a Windows device driver, attempts to infect other systems through the MS08-067 vulnerability in Windows that made Conficker famous, but which had actually been removed from the previous variant. It also sets up an HTTP server on a random TCP port. Curiously, after May 3 the server part of the program will remove itself from the system as of the next reboot.

The client program is a newly obfuscated version of the old, familiar Conficker program. ESET says the new version dumps the domain name distribution scheme; this seemed clever, but was too susceptible to organized resistance by the industry and authorities. The new version attempts to communicate only through the already established peer network. They also suspect that the Autorun propagation system has been removed from it too, but haven't completed analysis on that point.

ESET has a removal tool for this variant.

Symantec is reporting that the driver patches tcpip.sys in order to increase the number of concurrent connections on the system. They call this variant W32.Downadup.E. Symantec describes the DLL portion as the C variant and says the purpose of the infection is to install that C variant. This isn't exactly what ESET says. Symantec also doesn't say that the Autorun propagation has been removed, and they still recommend disabling Autorun in their technical description, but the description of the E variant doesn't mention Autorun anymore.

The Microsoft description has more details than most others:

* Before it spreads itself it appends a stream of randomly generated garbage to itself to confuse file identifiers, but this won't be too hard to defeat.

* It establishes the server by using SSDP to find an Internet gateway device and then issues a SOAP command to set up port forwarding to itself. This is UPnP, and router configuration programs often do similar things.
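Because the port-forwarding step above uses the same UPnP AddPortMapping action that legitimate programs use, a defender reviewing gateway or proxy captures needs to look at the mapping's details rather than the action name. The following is an added example (not from the post or any vendor tool) that parses a constructed AddPortMapping SOAP body and lists the traits that would make a mapping worth a second look: no description, a permanent lease, a high port forwarded 1:1, and a target host that is not a known server. The sample request, the field values and the `expected_hosts` parameter are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a UPnP IGD SOAP request of the kind a client sends to a
# gateway to open an inbound port mapping (field names follow the standard
# WANIPConnection AddPortMapping action; the values here are made up).
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>47183</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>47183</NewInternalPort>
   <NewInternalClient>192.168.1.23</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription></NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(body):
    """Return the AddPortMapping arguments as a dict, or None when the SOAP
    body carries a different action (DeletePortMapping, GetExternalIPAddress...)."""
    root = ET.fromstring(body)
    for el in root.iter():
        # Match both the WANIPConnection and WANPPPConnection service variants.
        if el.tag.endswith("}AddPortMapping"):
            return {child.tag: (child.text or "").strip() for child in el}
    return None


def review_mapping(mapping, expected_hosts=frozenset()):
    """Return the reasons a mapping looks like something an admin did not set up.
    expected_hosts: internal addresses that are known to publish services."""
    reasons = []
    if not mapping.get("NewPortMappingDescription"):
        reasons.append("no description")  # legitimate clients usually label mappings
    if mapping.get("NewLeaseDuration") == "0":
        reasons.append("permanent lease")  # stays until explicitly deleted
    ext, internal = mapping.get("NewExternalPort", "0"), mapping.get("NewInternalPort", "")
    if ext.isdigit() and int(ext) >= 1024 and ext == internal:
        reasons.append("high port forwarded 1:1")  # no well-known service behind it
    if mapping.get("NewInternalClient") not in expected_hosts:
        reasons.append("target host is not a known server")
    return reasons
```

Running `review_mapping(parse_add_port_mapping(SAMPLE_REQUEST))` on the sample yields all four reasons; passing the target address in `expected_hosts` drops the last one.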

Kaspersky's Threatpost then follows through on the business model of Conficker: pushing rogue anti-malware. They report that infected systems are getting popups with warnings that push a $49.95 scam product, SpywareProtect2009. Kaspersky has their own disinfection tool.

More on Conficker:

A New Old Worm Follows in Conficker's Footsteps

Where Are the Infected Conficker Systems?

Conficker Post-Mortem...It Is Dead, Isn't It?

Infected with Conficker? Here's What to Do

Conficker--a Bullet-Proof Botnet?

The 7 Most Important Things to Know About Conficker
