backtop


Print

Infamous botnet evolves

Controllers of the infamous Conficker worm released another update recently, shifting its update strategy towards a completely different direction. It no longer needs to check a web page to receive updates, as it can now receive them directly from other infected computers.

Additions to a lengthy, in-depth analysis of the worm by research institute SRI’s Malware Threat Center indicate that a new variant of Conficker was spotted on February 16, which it dubbed “Conficker B++” pending a further review of its capabilities.

Previously, computers infected with Conficker A and B – also known under the names Downadup or Kido – frequently check for updates from a randomly-generated list of 250 internet domains, which is synchronized and updated regularly between the entire Conficker botnet. Efforts from the Microsoft-led Conficker Cabal appear to have foiled this technique: the randomization algorithm was successfully reverse-engineered, prompting Microsoft and the Cabal to secure every domain the group expects the botnet to hit.

In response, Conficker B++ completely removes the need to check for updates, moving instead towards a structure that resembles a peer-to-peer filesharing network. A URL pointing to updated Conficker code – or a patched version of the Conficker binary – can be sent directly to infected machines through a pair of new backdoors that B++ opens.

SRI notes that while older versions of Conficker also had the ability to accept updates in this fashion, its implementation behaved in such a way that made recognizing the process a trivial affair for anti-malware software.

Conficker’s controllers, in an effort to prevent competing hackers from delivering patches of their own, digitally sign the entire update process.

Compared to the upgrade from Conficker A to Conficker B, writes SRI, the changes that Conficker B++ introduces appear to be a relatively “minor”. In-house metrics indicate that Conficker B++ had an “86.4% similarity” to Conficker B, with the update only modifying three of the original version’s 297 subroutines and adding an additional 39.

Conficker has become such a problem for businesses that Microsoft recently placed a $250,000 bounty on its creators, offering a share of the reward to anyone who can help track them down. In January, the worm spread so fast it infected 8 million business computers within a week.





“And I don't know why [Apple is] acting like it’s superior. I don't even get it. What are they trying to say?” -- Bill Gates on the Mac ads
Related Articles







Latest Blog Posts
In The News
Saimin Nidarson - Dec 7, 2016, 5:00 AM
Apple Car is Not Dead
Saimin Nidarson - Dec 5, 2016, 1:00 AM
More News
Saimin Nidarson - Dec 4, 2016, 5:00 AM
More News
Saimin Nidarson - Dec 3, 2016, 5:00 AM
Top News
Saimin Nidarson - Dec 2, 2016, 5:00 AM
Top Stories
Saimin Nidarson - Nov 28, 2016, 1:12 AM
News: Fidel Castro
Saimin Nidarson - Nov 27, 2016, 5:00 AM
Top News
Saimin Nidarson - Nov 26, 2016, 5:00 AM
Top Stories
Saimin Nidarson - Nov 22, 2016, 2:26 AM
Headline News:
Saimin Nidarson - Nov 21, 2016, 1:00 AM






botimage
Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki