
Posts Tagged ‘Conficker’

It’s ALIVE! Conficker downloads payload

After skipping out on its April 1 debutante ball, the Conficker worm has returned with a smile and a new payload. The worm has begun to update infected clients with a strain researchers are calling Conficker.E, and this process has revealed some interesting insight into just what may be the worm’s origins.

In a post on Trend Micro’s Countermeasures blog, Rik Ferguson explains what’s going on:

As well as reactivating the original propogation (sic) functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?

Conficker’s original method of propagation exploits a hole that Microsoft fixed in October, and this has returned after being removed from March’s -C variant. More interestingly, the new variant is set to delete itself without a trace on May 3.


Conficker Eye Test

Go – it’s worth it just for the legend. :D

Breakthrough for Conficker worm

Conficker is basically a gigantic pain in the ass that has exited hibernation to the annoyance of administrators everywhere. The latest variant, Conficker.C, has been viewed as a particularly genius step in an altogether brilliant case study in worm authoring. Because it is capable of evading heuristic detection and IPS filters, blocking AV applications, preventing access to Windows Update and just generally being an asshole to a whole host of solutions, it was believed that tagging and evicting Conficker would be an arduous task.

Enter the breakthrough: Researchers have discovered a misstep in Conficker.C’s design that makes it detectable with the traditional network tool known as nmap. Originally designed as a security tool, nmap is capable of scanning and listing network devices, parameters and services. Unfortunately for Conficker’s author(s), Conficker.C happens to be just such a service, and nmap can detect it with this command:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
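A small script to turn the normal output of that scan into a list of hosts to clean up, as an added example (it is not from the post or from nmap); the scan text it parses is a constructed sample in the style of the smb-check-vulns host-script results, and the addresses and verdicts are made up:

```python
import re

# Constructed sample in the style of nmap's normal output for the command in
# the post (smb-check-vulns host script); addresses and verdicts are made up.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on 10.0.0.5:
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  Conficker: Likely INFECTED

Interesting ports on 10.0.0.7:
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  Conficker: Likely CLEAN

Interesting ports on 10.0.0.9:
445/tcp closed microsoft-ds
"""

# Host header in both the older ("Interesting ports on X:") and the newer
# ("Nmap scan report for X") normal-output styles.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
# Verdict line emitted by smb-check-vulns ("|  Conficker: Likely INFECTED").
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+)$")


def parse_conficker_results(nmap_output: str) -> dict:
    """Return {host: verdict} for each host that reported a Conficker line."""
    # A host with no reachable SMB service (10.0.0.9 above) gets no verdict
    # and stays absent, so callers can tell 'not checked' from 'clean'.
    results = {}
    current_host = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            current_host = m.group(1)
            continue
        m = CONFICKER_RE.match(line)
        if m and current_host:
            results[current_host] = m.group(1).strip()
    return results


def infected_hosts(nmap_output: str) -> list:
    """Sorted hosts whose verdict says INFECTED, ready for the cleanup list."""
    return sorted(h for h, v in parse_conficker_results(nmap_output).items()
                  if "INFECTED" in v)
```

Feed it the saved normal output (`-oN`) of a scan over your own network; hosts that nmap could not check are left out rather than reported as clean.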

The discovery comes just in the nick of time, as this is the auspicious day in which the newest variant emerges from its beauty sleep to do whatever bogus things it was designed to do.

Companies like McAfee have been quick to piggyback on the discovery by releasing detection tools that sniff for the presence of the worm in a convenient GUI. As the Conficker.C worm prevents access to a whole host of security sites — including all the vendors currently offering a tool — we’ve done you a favor and attached a detection tool to our little update here.

Happy April Fools’ Day.

Download: McAfee Conficker Test

New Conficker variant in the wild

The epic tale of the nasty Conficker worm has received another chapter in the form of Conficker.C, a new variant primed for activation on April Fool’s day.

The new variant of the Conficker worm has adopted a “defensive stance” which has made it harder to detect than its two older siblings. The mighty list of leading indicators published by research firm CA tells a grim and complicated tale in this regard.

The new variant has many neat (or devious) tricks in its toolbox to foil removal and detection:

  • The new version can download and execute code from a random selection of 500 domains out of 50,000 possible. Conficker.A and B could only access 32 out of 250 possible.
  • Conficker.C deletes all system restore points.
  • It disables the Windows Defender, Windows Update and Error Reporting services.
  • It kills access to SysInternals’ Process Explorer utility.
  • A host of anti-malware applications are also prevented from running.

Industry analysts don’t believe that the war with Conficker will stop with C, either. Many believe that we may at least see a Conficker.D before the day is done.

BitDefender releases Conficker vaccination

Conficker is a nasty and enterprising worm that has spawned a $250k bounty for the author’s capture and at least one variant that has evaded the efforts of security firms. The race to defeat Conficker may be at an end, however, as Romanian anti-virus vendor BitDefender has announced a tool that will identify and remove any known variant of the worm.

BitDefender is the first to offer a free tool which disinfects all versions of Downadup; it is available to all infected users at http://bdtools.net. This domain is the first to serve a removal tool without being blocked by the e-threat.

The worm itself is not new: it made its first appearance in late November 2008 and is also known under the names Conficker or Kido. It exploits the vulnerability described in Microsoft security bulletin MS08-067; after successful exploitation it used to install rogue security software on the infected machine.

Conficker variant thwarts Microsoft

Microsoft has been hot to extinguish the potentially devastating worm known as Conficker. After posting a $250k bounty and assembling a cabal of security researchers, the merry band of nerds set out to block the code before it rocked the net. Unfortunately for our friendly fellowship, the new variant of Conficker can automatically retrieve and execute code without using the mechanism that researchers have been feverishly working to block.

In Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction.

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker’s authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

Oops.

OpenDNS hopes to track, block Conficker

Potentially the most crippling malware thus far conceived, the Conficker worm has infected 10 million PCs to date. Each PC polls 250 random domains each day in search of a malware payload that has yet to appear. Should a payload be released to one of the domains, the PCs will download and install the package to create the biggest bot or spam net in history. OpenDNS and Kaspersky hope to stem the tide before it forms.

The OpenDNS service is using a growing list of domains that security firm Kaspersky has developed after reverse engineering the worm. Administrators running OpenDNS on their network will be alerted to infected PCs and partially protected against infected clients connecting to one of the domains that may contain a payload.

The service will also help network admins to quickly pinpoint any infected machines by checking their OpenDNS Dashboard. Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin’s private statistics page. The service is available for free to both businesses and home users.
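As an added example (not OpenDNS or Kaspersky code), a resolver-log check that does what the post describes, flagging clients that look up names on a known Conficker domain list, and goes one step further by counting distinct NXDOMAIN answers per client, which surfaces the daily polling of random domains before those names reach any list; the log lines, the domain list and the threshold are all constructed for illustration:

```python
from collections import defaultdict

# Constructed resolver log lines, "<time> <client> <qname> <rcode>"; the
# query names are made-up placeholders, not real Conficker rendezvous domains.
SAMPLE_DNS_LOG = """\
2009-02-09T08:00:01 10.0.0.12 www.example.com NOERROR
2009-02-09T08:00:02 10.0.0.12 qyjcxiti.info NXDOMAIN
2009-02-09T08:00:02 10.0.0.12 bmpvkafe.biz NXDOMAIN
2009-02-09T08:00:03 10.0.0.12 tvxgsdlq.org NXDOMAIN
2009-02-09T08:00:05 10.0.0.12 wzfnxmlu.net NXDOMAIN
2009-02-09T08:00:06 10.0.0.12 hclsrdue.com NXDOMAIN
2009-02-09T08:01:00 10.0.0.20 www.example.org NOERROR
2009-02-09T08:01:02 10.0.0.20 typo.exmaple.org NXDOMAIN
"""

# Stand-in for the reverse-engineered domain list the post describes; a real
# deployment would load the vendor's published list instead.
BLOCKLIST = {"qyjcxiti.info", "tvxgsdlq.org", "hclsrdue.com"}

# Threshold for the DGA heuristic (an assumption, not from the post): a worm
# polling hundreds of random names a day produces many more distinct
# NXDOMAIN answers than a user's occasional typo does.
NXDOMAIN_THRESHOLD = 4


def parse_log(log: str):
    """Yield (client, qname, rcode) from well-formed lines, skipping junk."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, client, qname, rcode = parts
            yield client, qname.lower().rstrip("."), rcode


def blocklist_hits(log: str, blocklist: set) -> dict:
    """Map each client to the sorted blocklisted names it looked up."""
    hits = defaultdict(set)
    for client, qname, _rcode in parse_log(log):
        if qname in blocklist:
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


def dga_suspects(log: str, threshold: int = NXDOMAIN_THRESHOLD) -> list:
    """Clients with >= threshold distinct NXDOMAIN names: candidates for
    today's not-yet-listed rendezvous domains."""
    misses = defaultdict(set)
    for client, qname, rcode in parse_log(log):
        if rcode == "NXDOMAIN":
            misses[client].add(qname)
    return sorted(c for c, names in misses.items() if len(names) >= threshold)
```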

“The idea of blocking things on the network and doing it for consumers is a big change,” said OpenDNS CTO David Ulevitch. “Overall, we think we’re uniquely positioned to do this.”

Let’s hope that preventative maintenance can make a difference, because Conficker could have devastating consequences if activated.