February 20th, 2009

New Conficker variant looks same, acts differently

Posted by Andrew Nusca @ 9:27 am

Categories: Security

The criminals behind the widespread Conficker worm have released a new version of the malware that looks almost identical to the original but behaves quite differently, reports PC World.

The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.

If you get Conficker, your computer is in for a world of hurt: sending spam, logging keystrokes, launching denial of service attacks, and that’s just for starters.

Apparently, an ad hoc group called the “Conficker Cabal” has kept Conficker under control by cracking the algorithm the software uses to find one of thousands of rendezvous points on the Internet where it can look for new code. These rendezvous points use unique domain names that the Conficker Cabal is trying to register and keep out of bad hands.

The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether, posing problems for the Cabal’s current defense.
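The defence the article describes, as an added example that is not from the article, SRI or the Cabal: a deliberately made-up date-seeded domain generator stands in for the real (cracked) Conficker algorithm, and defenders use it the way the Cabal uses the real one, enumerating the day's rendezvous names and matching DNS query logs against them. The generator, the TLD list and the log line format are all constructed assumptions.

```python
import hashlib
from datetime import date

# Constructed stand-in TLD list; not the TLDs the real worm uses.
TLDS = ("com", "net", "org")

def candidate_domains(day: date, count: int = 250) -> set[str]:
    """Enumerate the names a date-seeded generator yields for `day`.

    A made-up stand-in for the cracked Conficker algorithm: whoever knows the
    algorithm and the date derives the same set, which is what lets defenders
    register or sinkhole the names before infected hosts contact them.
    """
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = digest[: 8 + i % 5]  # 8 to 12 hex characters, like a DGA label
        names.add(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def flag_dga_lookups(log_lines, day: date):
    """Return (client, qname) for queries that hit the day's rendezvous set.
    Expected line format (constructed): "<timestamp> <client-ip> query: <qname>".
    """
    rendezvous = candidate_domains(day)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue  # not a query record, or malformed: skip it
        qname = parts[3].rstrip(".").lower()
        if qname in rendezvous:
            hits.append((parts[1], qname))
    return hits

# Constructed sample: one host resolving a rendezvous name, one benign lookup.
EXAMPLE_DAY = date(2009, 2, 20)
SAMPLE_HIT = sorted(candidate_domains(EXAMPLE_DAY))[0]
SAMPLE_LOG = [
    f"2009-02-20T09:27:01Z 10.0.0.12 query: {SAMPLE_HIT}.",
    "2009-02-20T09:27:02Z 10.0.0.15 query: www.example.com.",
    "2009-02-20T09:27:03Z 10.0.0.12 response: NXDOMAIN",
]

if __name__ == "__main__":
    for client, name in flag_dga_lookups(SAMPLE_LOG, EXAMPLE_DAY):
        print(f"{client} resolved rendezvous domain {name}")
```

Because B++ can fetch code without touching the rendezvous names at all, a B++ host using one of the new channels produces no hit here; the check only covers the rendezvous behaviour the Cabal is already containing.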

Conficker underwent a major rewrite in December, when the B variant was released. But this latest B++ version includes more subtle changes, according to Phil Porras, a program director with SRI. “This is a more surgical set of changes that they’ve made,” he said.

According to SRI, there were 297 subroutines in Conficker B; 39 new routines were added in B++ and three existing subroutines were modified. B++ suggests “the malware authors may be seeking new ways to obviate the need for Internet rendezvous points altogether,” according to the report.

Conficker B++ first appeared on Feb. 6, according to one researcher tracking the worm.

Also known as Downadup, Conficker spreads using a variety of techniques. It exploits a Windows bug to attack computers on a local area network, and it can also spread via USB devices such as cameras or storage devices.

All variants of Conficker have now infected about 10.5 million computers, according to SRI.

Andrew J. Nusca is an associate editor for ZDNet and SmartPlanet.
