Conficker spreads anew, covers tracks and begins pitching fake AntiVirus

April 10th, 2009

Trend Micro virus hunter Ivan Macalintal appears to be the first researcher to identify specific, updated instructions being passed along, node-to-node, among PCs infected with Conficker Variant C.

On April 8, Macalintal isolated an infected PC in Korea that was passing the update across Conficker’s customized P2P network. The PC in Korea received the update from another node on Conficker’s P2P net. Macalintal told LastWatchdog that he also has identified similar P2P transfers taking place amongst Conficker-infected PCs in Thailand.

So the other shoe has fallen. Conficker’s controllers have begun sending malicious payloads to infected PCs. And they did not even have to get infected machines to successfully check in at 500 rendezvous points, randomly selected from 50,000 web domains. You’ll recall this was the new routine activated on all C machines on April Fools Day. So much for the big debate about the significance of that phone-home routine.

“We did not detect any downloads at the 50,000 domains on April 8,” says Sophos researcher Richard Wang. “Therefore we believe an alternate means of introducing the update was used.”

Taking the easy route

The consensus among half a dozen top researchers contacted by LastWatchdog is that the bad guys took the easiest route available: they simply injected the April 8 update into one of the PCs on its P2P net. After all, the bad guys all along have had full access to each node in their P2P net.

“The best shot is doing it through P2P,” says Luis Corrons, director of Panda Labs. “It is as easy as having an infected computer connected to the P2P network.”

Symantec researcher Eric Chien estimates that 1 million to 2 million PCs remain infected with Variant C, and are thus part of Conficker’s P2P network. But Chien said he could not pinpoint how many C machines have received the April 8 update.

“It is definitely over hundreds of thousands,” says Chien. “How any of these C machines will update remains to be seen.”

Presumably a very high percentage of C machines have the update, since there is little to hinder secure node-to-node communications within Conficker’s proprietary P2P network.

But then again, many aspects of the stealthy Conficker remain obscure, despite the full attention paid to it by a couple of hundred of the world’s top virus hunters. “Unfortunately, like we’ve learned in the past, nearly nothing about Conficker is obvious and it takes time to understand all aspects,” observes F-Secure’s Patrik Runald.

Here’s what Conficker C machines with the April 8 update now do:

  • Begins spreading anew. You’ll recall from this timeline that Conficker C in early March shut down the battery of spreading mechanisms on machines infected with Variant B and Variant B++. The April 8 update contains fresh propagation routines. Thus updated C machines are once again scanning the Internet for unpatched Windows PCs to infect, spreading to shared drives, infecting USB devices and using brute-force password attacks to break into any nearby servers. “It has exactly the same propagation features of the first variant,” says Panda Labs director Corrons.
  • Hides its tracks better. The April 8 update changes the distinctive way Conficker machines respond to some standard network connections, a characteristic the good guys have been using as a means to scan the Internet for signs of infected machines. “The latest version of Conficker has changed the code that it uses to respond to these network requests,” says Sophos’ Wang. “This may be an effort to avoid detection by the network scanning tools by making Conficker’s response more like a standard Windows response.” The April 8 update also expands the list of scan-and-cleanup tools which infected machines are instructed to disable or block.
  • Installs fake AntiVirus. In a separate event around the time of the April 8 update, the bad guys also installed a copy of the Waledac spamming worm, says F-Secure’s Runald. Waledac, in turn, triggered fake antivirus pitches for “Spyware Protect 2009” to display on infected machines, says Runald. Symantec researcher Chien adds: “The user will see a pop up window appear that will seem to scan the user’s machine. Then a ‘Windows Security alert’ icon will appear, advising the user that his or her machine is infected with multiple fake threats. When the user selects to remove the threats, it will then request you purchase the software. This will redirect you to a Web site to purchase the software for $49.95 USD.”

Kaspersky Labs has a helpful breakdown of this particular strain of fake antivirus sales pitch here.

Fake antivirus sales pitch

“These criminals are motivated by one thing: money,” says Trend’s Macalintal. “A very large botnet of compromised computers doesn’t make money if it just sits there doing nothing. So now Conficker has awakened, and perhaps their desire to monetize their efforts is becoming more clear.”

Razvan Stoica

This was preceded by a minor update, adding stuff to the block list and some stealthiness features.

Now that there’s a payload and it’s less than inconspicuous, it will be interesting to see what tricks the virus writers come up with to try and avoid the attentions of annoyed users.

Geek Squad Agent Derek Meister
And so it begins … In my mind, the two key points to the latest Conficker news are that the worm is making use of its P2P network to distribute updated instructions, and that the worm is making a move to monetize its infected hosts. While the use of a P2P network isn’t new, it does highlight the evolving nature of malicious software communication in order to get around the “digital dragnet” created by the Conficker Cabal to stop access to update servers seeded by the bad guys. Monetizing the infections through the use of fakealert software such as Spyware…
Agent Chris Miller
Coaxing “Anti-virus” & “Anti-Spyware” programs are anything but new to the scene. While we have been fending off many viruses of this nature, this new threat simply illustrates how complex the opposing forces have gotten in their efforts to take over PCs. Here are a few suggestions to keep yourself protected from the “bad guys”: 1. Purchase genuine software that you know can be trusted, and buy directly from a store or trusted online dealer. 2. Keep software up-to-date at all times. 3. Stay clear of sites you are uncertain about. 4. Do not accept, open, or download attachment files from…
Jonathan Cabuco
I’d definitely have to agree with the monetary gain portion of the posts. During my time as a Geek Squad Agent, I’ve come across more and more infections that attempt to try and get you to purchase things. Only a few years ago, the main focus was on viruses that caused erratic behavior on computers; now we’ve been introduced to a whole onslaught of computers infected with adware. Once these adware infections get installed on your computer, you’ll start to notice a lot more pop ups than before, whether you’re connected to the internet or not. They’re more of…
The thing that bothers me is that this vulnerability was patched several months ago. I always check for updates and patches regularly, and there is no reason why the average user can’t do that. I mean they update automatically, for crying out loud. I think the only solution to this problem is to block unpatched computers from the internet until they are patched. Internet service providers should be required to check to see if computers are up to date and have up to date antivirus and antispyware software, and if they don’t then the customer should be notified of such…
Brian Leban

So if you block a computer from the internet because it isn’t updated, how do they update if they are no longer connected to the internet? Catch 44!

@5: and how the hell are the ISPs supposed to check if your computer is running the up to date operating system, antivirus (for those toy OSes that require such) and firewall? Not to mention that some people use GNU/Linux, FreeBSD, NetBSD, Mac OS X, BeOS, CapROS or any other operating system other than those from Microsoft on their computers?

Double Agent Christopher Plath
I think of the new methods of infection as a unique combo of social engineering, exploitation of novice users, and as others have pointed out…in the end it’s all about monetary gain. Somewhere someone is making a buck. I see this quite often in my in-home GeekSquad duties. The bottom line is, we will never be 100% safe from anything. Every time there is a new “fad” that sweeps the internet someone will try to exploit that for their own monetary gain. Remember when dial-up internet was “the thing?” There were viruses then that would make your modem dial 1-900…
This is how it is: “Hackers” are tired of you petty people who do not know what you are doing stating ideas such as “Internet Service Providers” should be forced to scan home users’ OSes and software for up-to-date security descriptions to help keep my computer clean because I don’t know what I am doing when it comes to the internet. Here is a better idea: If you don’t know what you are doing, STAY OFF THE INTERNET YOURSELF, instead of trying to have MY privacy invaded. What software I run is MY business, not yours, not my ISP’s, not…