April 7th, 2009
Conficker worm's copycat Neeris spreading over IM
Imitation has always been a form of flattery, and that’s particularly true for the cybercrime ecosystem. From the lone Chinese cybercriminals releasing DIY tools for generating malware actively exploiting the MS08-067 flaw, followed by the original Conficker worm, Microsoft’s MMPC (Malware Protection Center) is reporting on a currently spreading Conficker copycat detected as Worm:Win32/Neeris.gen!C.
The latest variant of Neeris which has been in the wild since 2005, is mimicking all of Conficker’s spreading techniques, including the exploitation of MS08-067 and the AutoRun spreading tactic, but is continuing to propagate through its original method - sending links over MSN. With the Neeris copycat now in the game, what are the chances that it would steal some of Conficker’s market share? Pretty pessimistic.
The Neeris author also attempted to launch the campaign beneath the radar with Microsoft’s MMPC pointing out that the peak of the campaign took place on late March 31st and during April 1st, Conficker’s largely overhyped update activation date. However, this tactic is not going to compensate for some of the obvious mistakes that the author made in the form of using bogus time stamps for the malware, and the use of easily spotted as malicious attachments (.exe;.scr) even by the average Internet user.
Copycats don’t just share the same propagation/infection vectors, they also share the same mitigation ones.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
