After Update Last Night – Conficker Worm Turns into a Money Making Spammer

April 9, 2009

(ChattahBox)  —  Last night, the Conficker Windows worm woke out of it’s hibernation and began updating itself via Internet download, a process which became possible after it refreshed itself April 1st.  Before now, Conficker had been reportedly pinging for updates using it’s peer-to-peer communication system, but hadn’t found instructions to carry out till yesterday.  According to a post from Trend Micro advanced threats researchers, the Conficker worm downloaded a 119 Kbyte update named “Worm.Downad.E” into the “temp” folder of an infected PC. The security vendor also discovered a possible link to Waledac.A, another worm which allows remote communication and data stealing.

Paul Ferguson, an advanced threats researcher for Trend Micro said: “I’m pretty certain the same people are behind both of them, Conficker has got their (Waledac creators’) fingerprints all over it.”

Computers infected with Waledac comprise what Ferguson called the “most pernicious spamming botnet on the Internet.” Waledac spreads via a malicious Web link or an e-mail, typically a fake holiday greeting or a subject line to get you to click. So in essence after all the suspense and worries, it appears Conficker is designed to be used to mostly make money, by sending spam and stealing data.  Since this latest update Conficker is now serving victims a fake anti-virus product that offers to remove malware for $49.95.

Conficker can jump between computers without human aid, and has infected an estimated 3 to 12 million PCs and servers since last fall.  The new variant’s most unusual characteristic is that on May 3, the worm is programmed to stop running. That doesn’t mean it will delete itself, though as some speculate that the downloaded software installs an as-yet undetectable rootkit on the machine that leaves the computer open for further compromise. Meanwhile, it will open port 5114 and serve as an HTTP server, connecting to Myspace.com, msn.com, ebay.com, cnn.com, and aol.com. DownAd.e also covers its tracks, deleting its files and registry entries.


Comments

Got something to say? **Please Note** - Comments may be edited for clarity or obscenity, and all comments are published at the discretion of ChattahBox.com - Comments are the opinions of the individuals leaving them, and not of ChattahBox.com or its partners. - Please do not spam or submit comments that use copyright materials, hearsay or are based on reports where the supposed fact or quote is not a matter of public knowledge are also not permitted.