So it seems something big was brewing with Conficker, they just didn’t want to do what everyone expected and unleash it on April 1st when all eyes were on them.

Smart move really, they kept quiet and waited a week or so after before dropping some fairly serious and complex payloads (encrypted rootkits).

It seems like they are going for the old ransom tactic and duping users into buying dodgy anti-virus software.

An updated version of the Conficker worm is installing malware that attempts to lure people into buying rogue anti-virus software. Security researchers also say the worm is downloading malware tied to the notorious Waledac botnet.

Conficker’s latest move may be tied to a scheme to lure users into downloading fake anti-virus software.

Security researchers monitoring the Conficker worm’s activities say the malware has been observed downloading a file detected by Kaspersky Lab as FraudTool.Win32.SpywareProtect2009.s.

“Once it’s run, you see the app interface, which naturally asks if you want to remove the threats it’s ‘detected,’” wrote Aleks Gostev on Kaspersky Lab’s Analyst’s Diary blog. “Of course, this service comes at a price—$49.95.”

There is also some links to Waledac a supposed next-gen botnet for spamming purposes that came shortly after the demise of Storm.

It seems like Conficker is not going to be laying dormant any more, perhaps they weren’t making enough from renting out sections to spammers and DDoSers – now they really want to monetize the infected machines they have gathered.

In addition to that file, the worm is also now downloading the Waledac malware, which steals passwords and turns computers into bots for spamming operations. Waledac has emerged as a key part of spamming operations over the past several months, and is widely considered a reincarnation of the infamous Storm botnet.

“Fear is used, universally, as a means to control people,” said Sendio CTO Tal Golan. “Governments use it. Large businesses use it. So it should come as no surprise to anyone that ‘cyber-bad guys’ use it.”

At the moment, the rogue anti-virus software comes from sites located in the Ukraine (131-3.elaninet.com.78.26.179.107) although the worm is downloading it from other sites, according to Kaspersky Lab.

Unsurprisingly the source for much of the rogue software is in Eastern Europe, a hotspot for cybercrime and hackers skilled in malware and cryptography.

There’s some updates from F-Secure here:

New Conficker action

Source: eWeek

So the big Conficker scare of April 1st has passed without any real events, no major sites taken down, no major online terror campaigns spawned.

Just a new more sophisticated, harder to stop version of Conficker updating from a longer list of domains.

It seems like this malware might be here to stay and infecting more and more computers building a formidable network of zombies.

April 1 has come and gone in some parts of the world, and the Conficker worm is still here. While the day in security passed by relatively uneventfully, there are still people at risk.

The doomsday some were predicting the Conficker worm to bring had not materialized as of the evening of April 1. But that hardly means Conficker is a bust.

In short, the Conficker worm did what was expected—generate 50,000 domain names and begin contacting them. According to BKIS, the Bach Khoa Internetwork Security center, 1.1 million PCs in Europe, Asia and a part of America infected with Conficker have already “called home.”

But even though nothing dramatic happened, AVG Technologies Chief Research Officer Roger Thompson warned against blowing the worm off.

It seems like the confirmed infection rate is sitting at just above 1 million, far less than the previously estimated 9 million.

But still 1 million is a formidable arsenal of spam sending machines, or a deadly DDoS network.

There is also the possibility of selling Conficker’s army of infected computers, but that could prove problematic due to the amount of attention it generated. Right now, countless members of the security community, including the Conficker Cabal—formally known as the Conficker Working Group—are keeping tabs on the worm. Even with 50,000 domains in question, those domains are being closely monitored and any malicious servers will likely be noticed before long.

“Given the profile of Conficker, I think it’s rather unlikely that the botnet is up for sale,” said Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab Americas. “Not a lot of people out there would like to handle such hot property, as the botnet is being watched by a lot of people. However, leasing [parts of] the botnet is a different story. That way the leasers would get the advantage of the power of the botnet, but the owners would still be running the risk.”

I think the assumption is fine, they won’t plan on selling the botnet – they will just keep increasing its size and potential and then lease out chunks of it for DDoS attacks and sending spam e-mails.

All this dodgy stuff is big business now, and sadly there doesn’t seem to be anything we can do about it.

Of course we can personally make sure no-one we know gets infected with Conficker, and if they do we can clean it up. But other than that, just observe the fun right?

Source: eWeek

Conficker has gotten quite a lot of news recently with it growing so fast and Microsoft offering a bounty for the authors.

It seems like the Conficker authors are really serious about retaining control of their botnet and expanding it further without hindrance from the companies trying to stop them.

It’s quite likely they are netting some serious cash from the network of infected computers, with estimates at over 10 million now that’s a large collection of computers for brute forcing, e-mail spam or DDoS attacks.

The authors of the latest variant of the Conficker worm are upping the ante against security vendors who are working to stop the spread and threat of the persistent program.

Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also is programmed to begin connecting to 50,000 different domains on April 1 to receive updated copies or other malware, as opposed to connecting to 250 domains a day as previous versions are doing, Ben Greenbaum, senior research manager for Symantec Security Response, said on Friday.

The authors of the code are “strengthening their hold on their collection of infected machines at the same time they are attempting to strengthen their ability to control those machines by moving to 50,000 domains,” he said.

A self-described “cabal” of companies, including Microsoft, Symantec, and a host of domain registration providers, have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

They are getting sneaky now, targeting security software and services on an infected PC and blocking it from accessing related sites that could help a user fix the infection.

Plus they have expanded their ‘update’ domains to 50,000 – which will take a huge effort to get all of the domains blocked.

I wonder what the next step will be in protecting again this?

Now that Conficker.C is targeting 50,000 domains, the group has its work cut out for it, Greenbaum said. Regardless, “it’s unknown at this point whether (boosting the domains) is an effective sidestep around the cabal’s actions,” he said.

The worm, also called Kido or Downadup, was first detected in November and is believed to have infected more than 10,000 computers. The first two versions exploit a vulnerability that Microsoft patched in October.

The second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on Friday, Sophos said last week. However, a Southwest spokesman said there had been no impact to the site from any additional traffic as a result of Conficker.

I hope this stays as just Conficker, if there’s another large scale breakout we might be in trouble again. There is a way to remove it though, so if you know anyone that has managed to get themselves infected you can give them the below links:

• Enigma Software Group Conficker Removal Tool
• BitDefender Conficker Removal Tool

Source: Cnet (Thanks Navin)

There hasn’t been a viral outbreak of this scale for quite some time, Conficker or Downadup as it’s known was only fairly recently discovered (Oct 2008) and has already infected an estimated 9 million machines!

It’s spreading fast though and it auto-updates itself via downloads from random domains making it almost impossible to stop as whatever countermeasures come out, it can just download itself the latest version and bypass them.

It also has multiple infection vectors including traveling via USB drives.

Infections of a worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is “skyrocketing”.

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008. Anti-virus firm F-Secure estimates there are now 8.9m machines infected. Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft’s MS08-067 patch. In its security blog, F-Secure said that the number of infections based on its calculations was “skyrocketing” and that the situation was “getting worse”.

Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.

The virus targets the services.exe process (Server service) by exploiting the vulnerability associated with the MS08-067 patch.

This was a serious remote execution flaw carried out by making a malformed RPC request, apparently it was reported ‘privately’. But now it seems that perhaps the details of the exploit weren’t that private after all.

According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site. Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down. But Conficker does things differently.

It quite advanced even taking system restore out of the picture and downloading new files to update itself and to infect the machine further. It’s sneaky as it downloads from a bunch of seemingly randomly generated URLs making it very difficult to track and stop.

Many machines are infected in China, Brazil, Russia, and India – personally I think this is because piracy is rife in these areas and Microsoft doesn’t allow pirated copies of Windows to use Windows Update (especially with the WGA tool or Windows Genuine Advantage).

Source: BBC News (Thanks Navin)