Conficker Worm Arms Itself To Steal And Spam

The new variant, designated Conficker.E, is arriving through the worm's P2P connectivity.

Thomas Claburn, Editor at Large, Enterprise Mobility

April 9, 2009

3 Min Read
Dark Reading logo in a gray background | Dark Reading

The Conficker/Downadup worm is on the move again. After a relatively uneventful April 1, on which the worm began widening the number of Web sites that it scanned for instructions, a new Conficker variant has emerged and appears to be preparing to spam and steal information.

Symantec said the new Conficker/Downadup variant .E is designed to update version .C rather than the first-generation .A variant.

“In actuality, the primary objective is to update .C with the new features discussed during the briefing and drop Waledac binary onto the .C infected machines,” a company spokesperson said in an e-mail.

Not every security company agrees the malicious code being detected belongs to Conficker. Bkis, a security research firm based in Vietnam, said Thursday that the malware Trend Micro identified is associated with the Waledac worm.

Weafer, however, argues that not all honeypots -- the machines used to collect malware samples -- contain the same samples.

The Conficker/Downadup worm was designed initially to exploit a Microsoft Windows vulnerability that was patched (MS08-067) last October. Since then, it has been updated several times. It now is capable of multiple attack vectors, including USB devices and brute-force password guessing. It also uses various advanced techniques to escape detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.

Somewhere between 1 million and 2 million computers are believed to be actively infected with the malware, down from almost 9 million in January. According to IBM ISS Managed Security Services, the highest number of infections are in Asia (45%), followed by Europe (31%), South America (13.6%), and North America (5.8%), with the rest in the Middle East, Africa, and elsewhere. The new variant, designated Conficker.E, restores the use of the MS08-67 exploit, which was removed in the previous .C variant. It also includes new self-removal instructions that tell the worm to remove itself from an infected host on May 3. And it includes a slightly different list of Web sites from which to seek instructions.

Weafer said the update is arriving through the worm's peer-to-peer connectivity. It looks for the old .A variant and updates it with the improvements seen in version .C, which include better HTTP and P2P code, stronger defense mechanisms, and advanced anti-forensic techniques.

It also drops a binary that's part of the Waledac spam malware. "Waledac is about stealing your confidential information and putting back doors on your system," said Weafer.

Weafer said that because P2P updating is slow compared with other methods, it may be several days before the impact of Conficker's changes become apparent.

As computer security firms assess the risk posed by the Conficker/Downadup worm, the Department of Homeland Security has released a DHS-developed detection tool to help organizations scan for computers infected by the worm.

The DHS US-CERT team created worm-scanning software for federal and state government agencies, commercial vendors, and critical infrastructure owners. It's being made available through the Government Forum of Incident Response and Security Teams Portal and to private-sector partners through various Information Sharing and Analysis Centers.


2009 marks the 12th year that InformationWeek will be monitoring changes in security practices through our annual research survey. Find out more, and take part.

This story was edited on April 9 to clarify statements made by Symantec.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights