We had all been warned: April 1 was the day that the infamous DOWNAD/Conficker worm was supposed to activate and do its dastardly deeds, whatever they might be. The day came and went without a whimper of Conficker-initiated destruction, although that didn’t stop countless media outlets from reporting on it (HotHardware included). Conficker did generate 50,000 domain names and began contacting the domains, as predicted, but no damage was done to infected systems, at least as far as researchers could tell. Other than that, Conficker stayed relatively quiet… That is, until this last Tuesday night…
The cyber-sleuths over at Trend Micro have been closely monitoring a Conficker-infected system, noting that all it had been doing was “the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.” But then at 7:42:21 PDT on April 7, a new file (119,296 bytes) showed up in the system’s Windows/Temp folder. The file arrived on the system via an “encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.”
Credit: Trend Micro
Mere seconds (7:41:23 PDT) after the file was downloaded, the system attempted to access a domain that is known to host the Waledac worm: “The domain resolves currently to an IP that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary.” This had the researchers scratching their heads a bit, trying to figure out what the connection between Conficker and Waledac might be.
After analyzing the first file that was downloaded to their system, the researchers have subsequently identified it as a new variant of the Conficker worm, which they are now calling WORM_DOWNAD.E. Some of the facts they discovered about this new variant are:
1. (Un)Trigger Date – May 3, 2009: it will stop running
2. Runs under a random file name and a random service name
3. Deletes this dropped component afterwards
4. Propagates via MS08-067 to external IPs if Internet access is available; if there is no connection, uses local IPs
5. Opens port 5114 and serves as an HTTP server, broadcasting via SSDP requests
6. Connects to the following sites:
One of the ways that Conficker is known to spread is via a known vulnerability (MS08-067) in Windows 2000, Windows XP, and Windows Server 2003’s Server service. “The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request.” Conficker can spread through Internet connections as well as through a local network.
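As an added illustration (not code from the article or from Trend Micro), the following Python script scans a constructed flow log and flags any host that shows the three network behaviours listed above for WORM_DOWNAD.E: contacting many distinct hosts on TCP 445 (the SMB port through which an MS08-067 request reaches the Server service), sending SSDP requests to the multicast group, and accepting connections on TCP 5114. The log format, the sample addresses and the scan threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow-log lines (not from the article): one host showing all three
# behaviours and one behaving normally. Format: "<time> <src>:<port> -> <dst>:<port> <proto> <action>"
SAMPLE_LOG = """\
07:42:31 10.0.0.15:49202 -> 203.0.113.9:445 tcp allow
07:42:31 10.0.0.15:49203 -> 203.0.113.10:445 tcp allow
07:42:32 10.0.0.15:49204 -> 203.0.113.11:445 tcp allow
07:42:32 10.0.0.15:49205 -> 239.255.255.250:1900 udp allow
07:42:35 198.51.100.7:40120 -> 10.0.0.15:5114 tcp allow
07:42:40 10.0.0.22:51000 -> 10.0.0.5:445 tcp allow
07:42:41 10.0.0.22:51001 -> 10.0.0.30:443 tcp allow
"""
LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)")
SSDP_MCAST = "239.255.255.250"          # SSDP multicast group, UDP/1900
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_THRESHOLD = 3                      # distinct SMB targets before flagging (assumed value)

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Map each suspicious host to a sorted list of behaviour tags."""
    smb_targets = defaultdict(set)   # src -> distinct hosts it contacted on TCP/445
    ssdp_senders = set()             # hosts sending SSDP requests to the multicast group
    p2p_listeners = set()            # hosts accepting connections on TCP/5114
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport, proto = m["src"], m["dst"], int(m["dport"]), m["proto"]
        if proto == "tcp" and dport == 445:        # MS08-067 reaches the Server service over SMB
            smb_targets[src].add(dst)
        elif proto == "udp" and dport == 1900 and dst == SSDP_MCAST:
            ssdp_senders.add(src)
        elif proto == "tcp" and dport == 5114:
            p2p_listeners.add(dst)
    findings = defaultdict(list)
    for host, targets in smb_targets.items():
        if len(targets) >= scan_threshold:
            scope = "local" if all(is_local(t) for t in targets) else "external"
            findings[host].append(f"smb-scan:{scope}:{len(targets)}")
    for host in ssdp_senders:
        findings[host].append("ssdp-broadcast")
    for host in p2p_listeners:
        findings[host].append("http-5114-listener")
    return {host: sorted(tags) for host, tags in findings.items()}
```

Running `analyze(SAMPLE_LOG)` flags only 10.0.0.15; the scope tag distinguishes the external scanning the article describes for Internet-connected hosts from the local-only fallback.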
The exact number of infected systems is unknown, but it is believed to be in the millions. Researchers also still don’t know exactly what Conficker’s payload is meant to do, although they suspect that its ultimate intention is to steal personal information from people’s systems, such as usernames, passwords, and credit card numbers.
Top 10 viruses worldwide, according to Trend Micro, as of April 9, 2009 10:58:35 AM (EDT)
Systems with the latest Microsoft Windows updates and virus definition files (as of April 8) should be immune from infection, but this does not necessarily guarantee that a system couldn’t already be infected or that a new variant could make its way into the world before security experts have an opportunity to figure out how to stop it from spreading.
It is also important to note that Conficker is by no means the only malware we need to be vigilant about. Trend Micro just identified a new worm, WORM_NEERIS.A, which also takes advantage of the MS08-067 exploit. A peek at Trend Micro’s Virus Map shows the top-10 most active viruses, worldwide. Just the top two viruses combined are estimated to have infected over 12 million systems. The best defense is a good offense: surf safely, be careful what you download, keep your OS and virus definition files updated, and periodically scan your systems for malware.