Conficker worm updated to send spam, hawk fake AV

The insidious Conficker worm, which has spent months spreading to millions of computers worldwide, has begun taking some of the malicious action security experts feared was coming.

Researchers said the new variant sprang to life Tuesday night and Wednesday morning, and now is being used for two purposes: to download fake anti-virus programs, known as "scareware," to infected machines, and to receive encrypted binaries from the Waledac spam botnet.

"The wait is over," said Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab. "Now we have to see if this is going to be it or if they're going to install more malware."

Computer users anxiously waited to see if Conficker would act on April 1, when it was supposed to activate to retrieve additional payload instructions from hundreds of randomly generated domains. The malware, though, stayed mostly silent that day.

Schouwenberg told SCMagazineUS.com that Conficker's authors have spent the last several months seeding the worm on up to 12 million machines across the globe. Now, with the new variant, dubbed Conficker.E, they appear to be trying to make money.

He said the worm now is pushing at least one rogue anti-virus program known as Spyware Protect 2009, which falsely warns people that their machines are infected with malware and attempts to dupe them into purchasing the bogus product for $49.95.

Researchers said it is no surprise Conficker has taken this route. Just this week, Microsoft reported that scareware programs are the No. 1 threat facing internet users.

Conficker-infected machines also have begun attempting to contact Waledac domains to install binaries belonging to the notorious spam bot, said Paul Ferguson, advanced threats researcher at Trend Micro.

He told SCMagazineUS.com that this likely means Conficker is receiving a spamming capability, which is what Waledac-infected nodes predominantly are used for, in addition to data theft. This may also confirm a link between the authors of the two threats: Waledac is believed to be connected to the cybercrime organization formerly known as the Russian Business Network, Ferguson said.

But Lawrence Baldwin, founder of security consultancy myNetWatchman, said the two actually may not be related. It is possible that Conficker's authors merely are selling their botnet to others for use as a malware distribution point.

"Sometimes the intent is to be able to sell loads," Baldwin told SCMagazineUS.com. "That's the miscreant term for installing your desired piece of malware."

Whatever the intent, Conficker began receiving its updates via peer-to-peer communication, meaning infected drone computers now receive payload instructions from other infected nodes and no longer need to contact domains hosted by the author, said David Perry, Trend Micro's global director of education.

"The jury is still out on what the final motive is for these guys," Ferguson said. "These guys are all about profit. They're trying to figure out a way to monetize their efforts."
