backtop


Print 16 comment(s) - last by mindless1.. on Feb 24 at 5:57 PM

Infamous botnet evolves

Controllers of the infamous Conficker worm released another update recently, shifting its update strategy towards a completely different direction. It no longer needs to check a web page to receive updates, as it can now receive them directly from other infected computers.

Additions to a lengthy, in-depth analysis of the worm by research institute SRI’s Malware Threat Center indicate that a new variant of Conficker was spotted on February 16, which it dubbed “Conficker B++” pending a further review of its capabilities.

Previously, computers infected with Conficker A and B – also known under the names Downadup or Kido – frequently check for updates from a randomly-generated list of 250 internet domains, which is synchronized and updated regularly between the entire Conficker botnet. Efforts from the Microsoft-led Conficker Cabal appear to have foiled this technique: the randomization algorithm was successfully reverse-engineered, prompting Microsoft and the Cabal to secure every domain the group expects the botnet to hit.

In response, Conficker B++ completely removes the need to check for updates, moving instead towards a structure that resembles a peer-to-peer filesharing network. A URL pointing to updated Conficker code – or a patched version of the Conficker binary – can be sent directly to infected machines through a pair of new backdoors that B++ opens.

SRI notes that while older versions of Conficker also had the ability to accept updates in this fashion, its implementation behaved in such a way that made recognizing the process a trivial affair for anti-malware software.

Conficker’s controllers, in an effort to prevent competing hackers from delivering patches of their own, digitally sign the entire update process.

Compared to the upgrade from Conficker A to Conficker B, writes SRI, the changes that Conficker B++ introduces appear to be a relatively “minor”. In-house metrics indicate that Conficker B++ had an “86.4% similarity” to Conficker B, with the update only modifying three of the original version’s 297 subroutines and adding an additional 39.

Conficker has become such a problem for businesses that Microsoft recently placed a $250,000 bounty on its creators, offering a share of the reward to anyone who can help track them down. In January, the worm spread so fast it infected 8 million business computers within a week.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Interesting
By Jacerie on 2/24/2009 8:32:45 AM , Rating: 2
Confiker became self-aware at 2:14am...


"A lot of people pay zero for the cellphone ... That's what it's worth." -- Apple Chief Operating Officer Timothy Cook

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki