Conficker spreads anew, covers tracks and begins pitching fake AntiVirus

April 10th, 2009

Trend Micro virus hunter Ivan Macalintal appears to be the first researcher to identify specific, updated instructions being passed along, node-to-node, among PCs infected with Conficker Variant C.

On April 8, Macalintal isolated an infected PC in Korea that was passing the update across Conficker’s customized P2P network. The PC in Korea received the update from another node on Conficker’s P2P net. Macalintal told LastWatchdog that he also has identified similar P2P transfers taking place amongst Conficker-infected PCs in Thailand.

So the other shoe has dropped. Conficker’s controllers have begun sending malicious payloads to infected PCs. And they did not even have to get infected machines to successfully check in at the 500 rendezvous points that each C machine selects daily, at random, from a pool of 50,000 web domains. You’ll recall this was the new routine activated on all C machines on April Fools’ Day. So much for the big debate about the significance of that phone-home routine.

“We did not detect any downloads at the 50,000 domains on April 8,” says Sophos researcher Richard Wang. “Therefore we believe an alternate means of introducing the update was used.”

Taking the easy route

The consensus among half a dozen top researchers contacted by LastWatchdog is that the bad guys took the easiest route available: they simply injected the April 8 update into a single PC already on the P2P net and let the network carry it from there. After all, the bad guys all along have had full access to each node in their P2P net.

“The best shot is doing it through P2P,” says Luis Corrons, director of Panda Labs. “It is as easy as having an infected computer connected to the P2P network.”

Symantec researcher Eric Chien estimates that 1 million to 2 million PCs remain infected with Variant C, and are thus part of Conficker’s P2P network. But Chien said he could not pinpoint how many C machines have received the April 8 update.

“It is definitely over hundreds of thousands,” says Chien. “How any of these C machines will update remains to be seen.”

Presumably a very high percentage of C machines have the update by now. There is little to hinder node-to-node communication within Conficker’s proprietary P2P network, and because each payload is signed with the controllers’ private key, an infected node will accept and relay the update regardless of which peer delivered it. A single injection point is therefore enough to reach the whole network.

But then again, many aspects of the stealthy Conficker remain obscure, despite the full attention paid to it by a couple of hundred of the world’s top virus hunters. “Unfortunately, like we’ve learned in the past, nearly nothing about Conficker is obvious and it takes time to understand all aspects,” observes F-Secure’s Patrik Runald.

Here’s what Conficker C machines with the April 8 update now do:

  • Begins spreading anew. You’ll recall from this timeline that Conficker C in early March shut down the battery of spreading mechanisms on machines infected with Variant B and Variant B++. The April 8 update contains fresh propagation routines. Thus updated C machines are once again scanning the Internet for unpatched Windows PCs to infect, spreading to shared drives, infecting USB devices and using brute-force password attacks to break into any nearby servers. “It has exactly the same propagation features of the first variant,” says Panda Labs director Corrons.
  • Hides its tracks better. The April 8 update changes the distinctive way Conficker machines respond to some standard network connections, a characteristic the good guys have been using as a means to scan the Internet for signs of infected machines. (The fingerprint comes from the in-memory patch Conficker applies to the vulnerable MS08-067 code path to keep other worms out; an infected host answers certain requests differently from a clean one.) “The latest version of Conficker has changed the code that it uses to respond to these network requests,” says Sophos’ Wang. “This may be an effort to avoid detection by the network scanning tools by making Conficker’s response more like a standard Windows response.” The April 8 update also expands the list of scan-and-cleanup tools which infected machines are instructed to disable or block.
  • Installs fake antivirus. In a separate event around the time of the April 8 update, the bad guys also installed a copy of the Waledac spamming worm, says F-Secure’s Runald. Waledac, in turn, triggered fake antivirus pitches for “Spyware Protect 2009” to display on infected machines, says Runald. Symantec researcher Chien adds: “The user will see a pop up window appear that will seem to scan the user’s machine. Then a ‘Windows Security alert’ icon will appear, advising the user that his or her machine is infected with multiple fake threats. When the user selects to remove the threats, it will then request you purchase the software. This will redirect you to a Web site to purchase the software for $49.95 USD.”

Kaspersky Labs has a helpful breakdown of this particular strain of fake antivirus sales pitch here.

Fake antivirus sales pitch

“These criminals are motivated by one thing: money,” says Trend’s Macalintal. “A very large botnet of compromised computers doesn’t make money if it just sits there doing nothing. So now Conficker has awakened, and perhaps their desire to monetize their efforts is becoming more clear.”