Conficker cashes in, installs spam bots and scareware

More

Conficker Worm

• IT Blogwatch: Conficker botnet wakes up and smells the coffee
• Conficker's makers lose big, expert says
• Conficker activation passes quietly, but threat isn't over
• FAQ: Just the facts on Conficker
• Security managers concerned but confident about Conficker on eve of expected attack
• IBM: Conficker.c infects small number in U.S.
• Researchers exploit Conficker flaw to find infected PCs
• Conficker's next move a mystery to researchers

More: Malware Knowledge Center

Conficker.e is installing SpywareProtect2009, said Gostev in an entry to the Kaspersky blog. "Once it's run, you see the app interface, which naturally asks if you want to remove the threats it's 'detected,' " Gostev said. "Of course, this service comes at a price -- $49.95."

Symantec's Hogan said his team was not able to confirm that Conficker also downloads scareware. "That said, not all Conficker nodes act the same," he said. "Some are not downloading at all, so it wouldn't entirely be out of the question that different nodes or sections of the botnet downloaded different things."

Conficker's rogue security software scam isn't new: The worm's first variant also tried to distribute phony antivirus software late last year, though the move was largely unsuccessful, said Hogan, citing earlier analysis by one of his researchers, Eric Chen. "But in all the buzz about Conficker.c and April 1," said Hogan, "people forgot that Conficker's makers have tried to profit in the past."

The lack of a clear business model for Conficker -- especially with Conficker.b, the early-January variant that infected at least 4 million PCs, according to Symantec's estimates -- had confounded researchers and analysts. In fact, it was one of the reasons why there was so much attention paid to the worm's new communications scheme activation date: Everyone wondered what it would do on April 1 to monetize the effort spent collecting a massive botnet.

Unlike the Conficker.c update, the newest variant restores the worm's ability to spread by exploiting the critical Windows vulnerability Microsoft patched with an emergency fix in October 2008.

"It's been pretty obvious in the last couple of weeks that the footprints of Conficker.b and Conficker.c were very different," Hogan said. While the former had infected millions of PCs, Conficker.c, which only updated still-compromised computers, was on several thousand PCs at most. "If they wanted to stay in business, they needed to reseed it," said Hogan.

"I don't want to be a scaremonger," cautioned Hogan, "but the situation now, as Conficker does go back to propagating, is actually more serious than a couple of weeks ago."

Read more about security in Computerworld's Security Knowledge Center.