April 9th, 2009

Conficker wakes up, updates, drops payload

Posted by Andrew Nusca @ 4:09 am

Categories: Security

Tags: Software, Researcher, Trend Micro Inc., Worm, Computer, Conficker Worm, Productivity, Cyberthreats, Viruses And Worms, Security

The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

CNET’s Elinor Mills reports that researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine.

The software appeared to be a .sys component hiding behind a rootkit, software designed to conceal the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

Just yesterday, Zero Day blogger Dancho Danchev noted that a Conficker copycat was already making its rounds.

According to a post on the TrendLabs Malware blog, the awakened worm tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity. It then deletes all traces of itself on the host machine, and is scheduled to shut down on May 3.
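As an added example (not code from the post or from Trend Micro), the following Python flags a proxy client that contacts all five of those check domains inside one 60-second window; the log format, the window length and the sample lines are assumptions. On its own this is a weak signal, since ordinary browsing also touches these sites, so it is a triage heuristic rather than proof of infection.

```python
# Added example, not from the post or Trend Micro: flag a client that contacts
# all five connectivity-check domains within one short window. Log format and
# sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the article says the awakened worm probes to test connectivity.
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}
WINDOW = timedelta(seconds=60)  # assumption: the probes come in quick succession
# Constructed proxy-log format: "<ISO timestamp> <client-ip> <requested host>"
LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def parse_line(line):
    """Return (timestamp, client, registrable domain) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    domain = ".".join(m.group(3).lower().split(".")[-2:])  # www.cnn.com -> cnn.com
    return ts, m.group(2), domain

def flag_clients(lines):
    """Return the clients that hit every CHECK_DOMAIN inside one WINDOW."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in CHECK_DOMAINS:
            per_client[parsed[1]].append((parsed[0], parsed[2]))
    flagged = set()
    for client, events in per_client.items():
        events.sort()  # sliding window over time-ordered (timestamp, domain)
        for i, (start, _) in enumerate(events):
            seen = {d for ts, d in events[i:] if ts - start <= WINDOW}
            if seen == CHECK_DOMAINS:
                flagged.add(client)
                break
    return sorted(flagged)

# Constructed sample: 10.0.0.7 probes all five sites within 40 s and is flagged;
# 10.0.0.9 browses two of them an hour apart and is not.
SAMPLE_LOG = """\
2009-04-08T09:00:01 10.0.0.7 www.myspace.com
2009-04-08T09:00:05 10.0.0.7 www.msn.com
2009-04-08T09:00:12 10.0.0.7 www.ebay.com
2009-04-08T09:00:20 10.0.0.7 www.cnn.com
2009-04-08T09:00:41 10.0.0.7 www.aol.com
2009-04-08T09:00:30 10.0.0.9 www.cnn.com
2009-04-08T10:05:00 10.0.0.9 www.ebay.com
""".splitlines()
```

Running `flag_clients(SAMPLE_LOG)` returns `['10.0.0.7']`; feed it real proxy or DNS logs in the same three-field shape after adjusting `LINE_RE`.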

Mills reports:

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.

The development was found when Trend Micro researchers noticed a new file in the Windows Temp folder and a large encrypted TCP response from a known Conficker P2P IP node hosted in Korea:

Two things can be summed up from the events that transpired:

  1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications are now running in full swing!
  2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

As for the second point, researchers said the worm tries to access a known Waledac domain and download another encrypted file, but they’re still trying to examine the connection.

Andrew J. Nusca is an associate editor for ZDNet and SmartPlanet.


