Conficker botnet wakes up and smells the coffee

In Friday's IT Blogwatch, Richi Jennings watches Conficker/Downadup/Kido stir, raising worries about the coming son-of-Storm and floods of spam. Not to mention parents that join Facebook...

Gregg Keizer worriedly reports:

Microsoft security logo
The makers of Conficker, the worm that has infected millions of PCs, have begun to do what all botnet owners do -- make money -- security researchers said today as they started analyzing the malware's newest variant. Conficker.e, as the update has been dubbed, began downloading and installing on previously infected PCs at midnight London time.

...

It also downloads several new malicious files to the infected system that reveal how Conficker's handlers intend to profit from their collection of compromised computers ... [including] Waledac, a noted bot that has been on the upswing for several months. Waledac is perhaps best known as the successor to the infamous Storm bot of 2008.
more

Frederic Lardinois warns of fakeware:

Waledac will download a rogue antivirus application onto infected machines, as well as an email-worm that can steal data and send spam. The fake antivirus software will ask users to pay $49.95 for "Spyware Protect 2009," which, of course, is anything but an antispyware product.

...

Of course, if your Windows machine is up to date and if you have kept your antivirus software up to date then chances are very good that you are well protected against Conficker ... If you want to see if you are infected, head over to this site from the University of Bonn.
more

Ivan Macalintal discovered the new behavior:

Days after the April 1st activation date of Conficker, nothing interesting was seen so far in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.

Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder ... from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.
more

Gary Warner wonders about the state of AV products:

Sure enough, it was Plain Ole Waledac ... Currently detected by only 9 of 40 products at VirusTotal. Here's the VirusTotal Link.

...

A sad statement of the current state of anti-virus, that a KNOWN MALWARE DISTRIBUTION POINT that has been serving up viruses since mid-March for a large spam botnet is still entirely undetected by 3/4ths of the AV products!
more

John Herrman has déjà vu:

The original Conficker doomsday, April 1st, came and went without serious incident. But ... the worm's subtle update that day left us at much greater risk than before. This so-far inscrutable update could be the first manifestation of security experts' concerns.

...

With no actionable solution for shrinking the three-million-PC install base, we can expect to see plenty of these kinds of stories in the near future. Feel like patching yet?
more

But gEvil (beta) just jokes:

Downloading its payload and going live a week after April 1? Now that's the way to do an April Fools joke.
more

And finally...

Previously in IT Blogwatch:

Buffer overflow:

Like this stuff? Subscribe to the RSS feed.

Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.

Copyright © 2009 IDG Communications, Inc.

Shop Tech Products at Amazon