New Conficker variant in the wild

Robert Hallock 16 Mar, 2009 at 10:56am ET Article published in Tech

The epic tale of the nasty Conficker worm has received another chapter in the form of Conficker.C, a new variant primed for activation on April Fool’s day.

The new variant of the Conficker worm has adopted a “defensive stance” which has made it harder to detect than its two older siblings. The mighty list of leading indicators published by research firm CA tells a grim and complicated tale in this regard.

The new variant has many neat (or devious) tricks in its toolbox to foil removal and detection:

The new version can download and execute code from a random selection of 500 domains out of a 50,000 possible. Conficker.A and B could only access 32 out of 250 possible.
Conficker.C deletes all system restore points.
It disables the Windows Defender, Windows Update and Error Reporting services.
It kills access to SysInternals’ Process Explorer utility.
and a host of anti-malware applications are also prevented from running.

Industry analysts don’t believe that the war with Conficker will stop with C, either. Many believe that we may at least see a Conficker.D before the day is done.

Comments

16 Mar 2009 ~ 11:07am Thrax Nuked the old ticker to make way for this post.

Snark asked how we know it's arriving on April 1. I responded that it's already in the wild, but the code reveals an activation date of 4/1.
16 Mar 2009 ~ 11:58am Kwitko We're already patched here, our AV is fully up to date, our internet access runs through a proxy server, my ISP is blocking access to those sites, but I figured it was still a good idea to run the BitDefender cleaning tool.

If this is the future of virii and worms, I'm shit scaredless.
16 Mar 2009 ~ 12:13pm MiracleManS I'll be honest, as a case study this is an AMAZING example of a virus. The way it changes and continue to modify in such a way as to make it impossible to defend against is very neat. It just brings to the forefront what most of us have known for years. It's a competition and the good guys are losing.
16 Mar 2009 ~ 1:00pm deepsea I'd disagree on the good guys losing. As Kwitko pointed out, the patches are out, ISPs have (ok, maybe can would be better) the IPs to block, and the virus is already decoded to 4/1 activation. It's no longer "how can we stop it", it's OK, which users haven't updated their systems. How hard would it be to identify infected PCs on 4/1 and let the ISP for the users address the problem with them directly, be it locking down their access, giving access to a limited range of sites (security related and help sites?) or sending a "YOU'RE INFECTED" email.
16 Mar 2009 ~ 1:16pm Thrax The patches are out... Not Conficker.C! Those ISP block lists? They only work on A and B!

Lastly, your suggestion to let ISPs snoop on people's PCs (that's what it would take) for the presence of a virus is intensely scary.
16 Mar 2009 ~ 1:19pm MiracleManS What Rob just mentioned is my concern. It's an ongoing fight and we're losing. Keeping users up to date (not just talking about corporate clients, but general users as well) is all but impossible. It just feels like a footrace where our lane is a frictionless surface.
17 Mar 2009 ~ 7:40am deepsea You wouldn't have to snoop PCs. Just look for users that are pinging the suspect domains on 4/1.
24 Mar 2009 ~ 5:20pm BuddyJ CNN has a story on it today:
http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html

Looks like Conficker.C is srs bsns.
24 Mar 2009 ~ 5:29pm Linc Yeah, a coworker printed out an article on it to ask me about it. Looks like its gone mainstream.
24 Mar 2009 ~ 5:48pm Snarkasm This is one of those things I utterly hate to say, but the coder in me really admires Conficker.C's build and abilities. It's really a pretty scary bug - the code analysis is an eye-opening read, for those that don't know of just what it's capable.
27 Mar 2009 ~ 1:02pm Josh Taylor My advice: Buy a Mac or Linux (they are immune to windows malware). The PC is pretty much dead.

The authors of Conficker are very proud of themselves. In fact, they maybe Chinese or Russian.
27 Mar 2009 ~ 1:06pm Thrax PC dead? Er, no.
27 Mar 2009 ~ 1:07pm Snarkasm Er, what? News - Mac and Linux boxen are PCs, home slice.

Conficker authors should be proud of themselves, it's quite an impressive bit of code. Everybody switching to Mac or Linux will simply make hackers retarget their efforts to those codebases. Nice thought, though.