
Infamous botnet evolves

Controllers of the infamous Conficker worm released another update recently, shifting its update strategy towards a completely different direction. It no longer needs to check a web page to receive updates, as it can now receive them directly from other infected computers.

Additions to a lengthy, in-depth analysis of the worm by research institute SRI’s Malware Threat Center indicate that a new variant of Conficker was spotted on February 16, which it dubbed “Conficker B++” pending a further review of its capabilities.

Previously, computers infected with Conficker A and B – also known under the names Downadup or Kido – frequently checked for updates against a randomly generated list of 250 internet domains, a list that is regenerated and kept in sync across the entire Conficker botnet. Efforts by the Microsoft-led Conficker Cabal appear to have foiled this technique: the randomization algorithm was successfully reverse-engineered, prompting Microsoft and the Cabal to secure every domain the group expects the botnet to hit.
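The defensive idea in that paragraph, as an added example that is not from the article or from SRI's analysis: once a date-seeded generator has been reverse-engineered, defenders can compute the same day's list the bots will and match DNS query logs against it. The generator here is a constructed stand-in, not Conficker's actual algorithm, and the log lines are constructed.

```python
import hashlib
from datetime import date

# Hypothetical stand-in for a date-seeded DGA; NOT Conficker's real generator.
# The property it models is the one the article describes: every infected host
# derives the same 250 names from the same inputs, so anyone who knows the
# generator can compute the list ahead of time and register or sinkhole it.
TLDS = ("com", "net", "org", "info", "biz")
SHARED_SEED = b"constructed-botnet-seed"


def dga_domains(day, count=250, seed=SHARED_SEED):
    """Return the deterministic domain list for `day` (constructed generator)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[8] % 5                       # 8..12 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[9] % len(TLDS)]}")
    return domains


def flag_dns_queries(log_lines, day):
    """Return (client-ip, qname) for each query that hits a generated domain.
    Each log line is "<timestamp> <client-ip> <qtype> <qname>" (constructed format)."""
    watchlist = set(dga_domains(day))
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                                     # skip malformed lines
        client, qname = fields[1], fields[3].rstrip(".").lower()   # normalize FQDN
        if qname in watchlist:
            hits.append((client, qname))
    return hits


DAY = date(2009, 2, 16)
# Constructed sample log: one benign query, one to a generated domain, one junk line.
SAMPLE_LOG = [
    "2009-02-16T10:02:11 10.0.0.7 A update.example.com",
    f"2009-02-16T10:02:13 10.0.0.12 A {dga_domains(DAY)[3]}.",
    "garbage line",
]

if __name__ == "__main__":
    for client, name in flag_dns_queries(SAMPLE_LOG, DAY):
        print(f"{client} queried generated domain {name}")
```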

In response, Conficker B++ completely removes the need to poll for updates, moving instead towards a structure that resembles a peer-to-peer file-sharing network. A URL pointing to updated Conficker code – or a patched version of the Conficker binary – can be sent directly to infected machines through a pair of new backdoors that B++ opens.

SRI notes that while older versions of Conficker also had the ability to accept updates in this fashion, the implementation behaved in a way that made the process trivial for anti-malware software to recognize.

Conficker’s controllers, in an effort to prevent competing hackers from delivering patches of their own, digitally sign the entire update process.

Compared to the upgrade from Conficker A to Conficker B, writes SRI, the changes that Conficker B++ introduces appear relatively “minor”. In-house metrics indicate that Conficker B++ has an “86.4% similarity” to Conficker B, with the update modifying only three of the original version’s 297 subroutines and adding 39 new ones.

Conficker has become such a problem for businesses that Microsoft recently placed a $250,000 bounty on its creators, offering a share of the reward to anyone who can help track them down. In January, the worm spread so fast it infected 8 million business computers within a week.

Comments

Digitally signing viruses
By joey2264 on 2/23/2009 7:31:24 PM , Rating: 2
Never thought I would see the day that a virus uses signing technology to protect the "integrity" of its "software". It seems like the malware authors will always be a step ahead of white hats.

RE: Digitally signing viruses
By InternetGeek on 2/23/2009 10:44:42 PM , Rating: 2
From the outside it's easy to say that it's because Windows' security model is not quite that strong. However, even though I'm a developer, security of this kind is beyond my knowledge. Most of us secure our programs with the usual stuff: Signing code, SSL certs, user authentication modules and follow best practices and common sense.

Not sure if there's much you could do under a different model though. But it sounds to me not much beyond mitigating the damage something like this virus could do. I.e.: from what I remember in my Unix/Linux lessons in Uni a worm is the worst you could get under those OSs. And that could still be quite dangerous.

RE: Digitally signing viruses
By nixoofta on 2/24/2009 1:31:59 AM , Rating: 2
Does anyone know if they've come out with the "Conficker Genuine Authenticator" yet,...and can auto updates be turned off? I'd much rather get my updates manually. :P

Copyright 2016 DailyTech LLC.