Hackers update Conficker worm, evade countermeasures
New worm variant disrupts effort to sever comm links to infected PCs
Computerworld - Computers infected with the Conficker worm are being updated with a new variant that sidesteps an industry effort to sever the link between the worm and its hacker controllers, researchers at Symantec Corp. said Friday.
The new version, dubbed Conficker.c, represents the first set of "orders" that researchers have witnessed being sent to infected systems, said Vincent Weafer, vice president of Symantec's security response group. The update shows that the hackers want to defend their collection of compromised PCs, Weafer argued.
Conficker, which is also known as "Downadup," gained notoriety earlier this year when it spread to millions of machines by exploiting a vulnerability that Microsoft Corp. patched with an emergency update in October 2008. Last month, about 20 technology companies and organizations, including Microsoft, Symantec, VeriSign and ICANN, the nonprofit group that manages the Internet Domain Name System, joined forces to preemptively register the Internet addresses that Conficker's controllers use to maintain their hold on infected machines.
Conficker.c is designed to thwart that work, Weafer acknowledged. While earlier versions of the worm generate a list of 250 possible domains each day that can be used to route instructions from hackers, the new edition cranks out a list of 50,000 URLs.
"Conficker.c makes it even more difficult for us," Weafer said, referring to the work of the so-called "Conficker cabal" in registering the worm's routing domains. "The sheer volume that would have to be registered would be very challenging," he said, adding that it would "probably not be feasible" to even attempt to register 50,000 domains daily.
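The economics described above cut both ways: a worm that must try thousands of algorithmically generated domains a day is also noisy in DNS logs, which is the angle a network defender can use when preemptive registration is no longer feasible. The following is an added example, not code from the article or from Symantec, and it does not reproduce Conficker's actual domain-generation algorithm. It flags clients that receive many NXDOMAIN answers for high-entropy, vowel-poor domain labels. The log format, the sample lines and the thresholds (label length, entropy, vowel ratio, per-client count) are all constructed assumptions to be tuned against real resolver data.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real Conficker traffic).
# Assumed line format: "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2009-03-06T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-06T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-06T10:00:03 10.0.0.9 qzvpkmwrhu.net NXDOMAIN
2009-03-06T10:00:03 10.0.0.9 xbtrlmqaoe.org NXDOMAIN
2009-03-06T10:00:04 10.0.0.9 kjhrwenvtp.biz NXDOMAIN
2009-03-06T10:00:04 10.0.0.9 plmoqwtyzv.info NXDOMAIN
2009-03-06T10:00:05 10.0.0.9 dgvnqhtrsa.cc NXDOMAIN
2009-03-06T10:00:05 10.0.0.9 www.example.com NOERROR
2009-03-06T10:00:06 10.0.0.7 typo.exmaple.com NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s):
    """Bits of entropy per character of the string s (0.0 for empty)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    """Second-level label of a name; toy version that assumes a single-label TLD."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name, min_len=8, min_entropy=3.0, max_vowel_ratio=0.35):
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output.
    Thresholds are assumptions; typos of real names stay short and readable."""
    label = registrable_label(name)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, rcode = m.groups()
    return {"ts": ts, "client": client, "name": name, "rcode": rcode}


def score_clients(log_text):
    """Map each client to the number of distinct generated-looking names
    for which it received NXDOMAIN (unregistered candidate domains)."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["rcode"] == "NXDOMAIN" and looks_generated(rec["name"]):
            per_client[rec["client"]].add(rec["name"].lower())
    return {client: len(names) for client, names in per_client.items()}


def flag_clients(log_text, nx_threshold=4):
    """Clients whose count of generated-looking NXDOMAIN names meets the threshold."""
    scores = score_clients(log_text)
    return sorted(c for c, n in scores.items() if n >= nx_threshold)


if __name__ == "__main__":
    for client in flag_clients(SAMPLE_LOG):
        print(f"{client}: {score_clients(SAMPLE_LOG)[client]} generated-looking NXDOMAIN names")
```

The detector keys on NXDOMAIN rather than on every query because, as the article notes, only a tiny fraction of the daily candidate set will ever be registered, so an infected host's resolver trace is dominated by failed lookups. A host running this pattern against 50,000 candidates a day stands out far more than one running against 250, which is why the heuristic becomes more useful, not less, as the worm's list grows.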
The update also beefs up Conficker's defenses against eradication. "It's turning off a variety of security services," Weafer said, as well as tools often used by security companies to dig into malware.
On the bright side, Weafer said that the number of PCs infected with Conficker has peaked, with estimates now in the hundreds of thousands rather than millions. "The number of infected machines is constantly dropping, so we're dealing with a much smaller pool [of devices] that are potentially getting this update," Weafer said.
And although the cabal's work preemptively registering domains may be coming to a close, Weafer said it was the right move at the time. "The consortium was one mitigation among [others], but before the availability of removal tools, we thought it was the strongest solution," he said. "Now, it will probably become a lesser part."
Other actions that have been taken to stifle Conficker include a $250,000 reward that Microsoft has offered for information that leads to the arrest and conviction of the worm's makers.
Users can protect themselves from the worm by installing Microsoft's MS08-067 security update, using strong passwords and disabling Windows' Autoplay and Autorun features.