The Conficker Just Got Stronger
A new version of the Conficker worm has recently been released. This version pushes rogue anti-malware to unsuspecting computers, and people are starting to notice that there may be a purpose behind the worm's spread across the net.
ESET calls the new version Win32/Conficker.AQ and says it is split into server and client components. The server component, a Windows device driver, performs the infections by exploiting the Windows MS08-067 vulnerability, an exploit that the previous variant had dropped. It also creates an HTTP server on a random TCP port. After May 3, the server component removes itself from the system at the next reboot.
The client component, on the other hand, is a newer version of the old Conficker worm. ESET says this new version drops the domain-name distribution scheme, which seemed clever but proved too vulnerable to organized resistance by authorities and the industry; the new version communicates only through peer networks. The Autorun propagation mechanism is also suspected to have been removed, but analysis has not been completed. ESET is reported to have a removal tool for these components.
Symantec reports that a driver patches tcpip.sys to increase the number of connections the user's system allows. Symantec calls the variant W32.Downadup.E, describes its DLL component as the C variant, and says the main purpose of the infection is to install that so-called C variant. This is not what ESET claims. Symantec also disagrees that the Autorun propagation has been completely removed and recommends that Autorun be disabled, though its description of the E variant mentions nothing about Autorun.
Microsoft's description is more detailed than the others. Microsoft says that before Conficker spreads itself, it sends random garbage to itself to confuse file identifiers, and that this trick is easily defeated. It then sets up its server by using SSDP to locate an Internet gateway device and issuing a SOAP command that makes the gateway forward a port to the infected machine.
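The gateway behaviour Microsoft describes, a UPnP AddPortMapping request sent to the Internet gateway device, leaves an HTTP POST on the LAN that a defender can watch for. The parser below is an added example, not code from the original post or from any of the vendors cited; it assumes the POST bodies have already been captured as text (for example by a proxy or a packet capture tool), and the sample request is constructed, not real traffic. It extracts the mapping fields and flags mappings that point at a host outside an allowlist, request a permanent lease, or carry no description.

```python
"""Flag UPnP AddPortMapping requests seen on the LAN (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample: an HTTP POST to a gateway's control URL, shaped like the
# standard UPnP IGD AddPortMapping action. Addresses and ports are made up.
SAMPLE_REQUEST = (
    "POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"
    "Host: 192.168.1.1:49152\r\n"
    'Content-Type: text/xml; charset="utf-8"\r\n'
    f'SOAPAction: "{WANIP_NS}#AddPortMapping"\r\n'
    "\r\n"
    '<?xml version="1.0"?>'
    f'<s:Envelope xmlns:s="{SOAP_NS}" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    "<s:Body>"
    f'<u:AddPortMapping xmlns:u="{WANIP_NS}">'
    "<NewRemoteHost></NewRemoteHost>"
    "<NewExternalPort>47213</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>47213</NewInternalPort>"
    "<NewInternalClient>192.168.1.37</NewInternalClient>"
    "<NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription></NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:AddPortMapping>"
    "</s:Body></s:Envelope>"
)


def parse_add_port_mapping(raw_http: str):
    """Return the AddPortMapping fields of one captured HTTP request as a dict,
    or None when the request is not an AddPortMapping action."""
    head, sep, body = raw_http.partition("\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    action = headers.get("soapaction", "").strip('"')
    if not action.endswith("#AddPortMapping"):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if node is None:
        return None
    # The argument elements are unprefixed, so their tags carry no namespace.
    fields = {child.tag: (child.text or "") for child in node}
    return {
        "internal_client": fields.get("NewInternalClient", ""),
        "internal_port": int(fields.get("NewInternalPort") or 0),
        "external_port": int(fields.get("NewExternalPort") or 0),
        "protocol": fields.get("NewProtocol", ""),
        "lease_seconds": int(fields.get("NewLeaseDuration") or 0),
        "description": fields.get("NewPortMappingDescription", ""),
    }


def suspicious_reasons(mapping: dict, allowed_clients: set) -> list:
    """List the reasons a mapping deserves a look; empty means nothing odd.
    allowed_clients is the defender's allowlist of hosts expected to open
    mappings (consoles, media devices), an assumption for this example."""
    reasons = []
    if mapping["internal_client"] not in allowed_clients:
        reasons.append("internal client not on allowlist")
    if mapping["lease_seconds"] == 0:
        reasons.append("permanent lease requested")
    if not mapping["description"]:
        reasons.append("empty mapping description")
    return reasons


if __name__ == "__main__":
    m = parse_add_port_mapping(SAMPLE_REQUEST)
    print(m)
    print(suspicious_reasons(m, {"192.168.1.20"}))
```

In practice the same check can be run against the gateway itself: the IGD `GetGenericPortMappingEntry` action enumerates existing mappings, so a periodic walk of the table catches forwards that were created before capture started.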
Kaspersky's Threatpost reports on the business side of this Conficker variant: Kaspersky says it pushes rogue anti-malware, and that infected systems receive pop-up warnings offering a scam product called SpywareProtect2009. Kaspersky has a tool that removes this variant and disinfects the system.
All of these reports are helpful, but to stay safe from Conficker we still need to purchase software that combats it. I believe these companies benefit from Conficker, since it lets them sell their software to more users. Still, it is always better to be safe than sorry.
image credits to sxc.hu