Conficker worm variant kills security processes

Share this article:

Computer systems that are already infected by the Conficker worm are being pushed a new component that kills protective security processes. In addition, the worm's authors have moved from a 250-a-day domain-generation algorithm to a new one that generates 50,000 domain names every day.

The new version of the worm, also known as Downadup, is being called W32.Downadup.C, and is considered a response to the successful cracking of the W32.Downadup.B worm, according to a post by Peter Coogan on the Symantec Security Response blog.

There is no indication that the new component is designed to spread the worm's infection, just to make it difficult for researchers to counteract on the 10 million machines already infected. Coogan wrote that the worm “does not seem to be using any existing or new means to spread the threat to new machines.”

“These early findings may suggest that the Downadup authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines,” Coogan wrote. “Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation.”

The list of security processes that the component attacks include some popular security tools, including wireshark, procmon, tcpview, and regmon. Any processes found on an infected machine that contain such antivirus or security analysis tool strings are killed, according to Symantec.


 

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.