Conficker worm updated to send spam, hawk fake AV

The insidious Conficker worm, which has spent months spreading to millions of computers worldwide, has begun taking some of the malicious action security experts feared was coming.

Researchers said the new variant sprang to life Tuesday night and Wednesday morning -- and now is being used for two purposes: to download fake anti-virus programs, known as "scareware," to infected machines, and to receive encrypted binaries from the Waledac spam botnet.

"The wait is over," said Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab. "Now we have to see if this is going to be it or if they're going to install more malware."

Computer users anxiously waited to see if Conficker would act on April 1, when it was supposed to activate to retrieve additional payload instructions from hundreds of randomly generated domains. The malware, though, stayed mostly silent that day.
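A host working through "hundreds of randomly generated domains" leaves a distinctive trace in resolver logs: a burst of NXDOMAIN answers for high-entropy names from a single client. The script below is an added illustration of that detection heuristic, not code from the article or from any of the researchers quoted; the log format and the sample lines are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article), one query per line:
# "<time> <client_ip> <queried_name> <rcode>"
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 gooogle.com NXDOMAIN
10:00:03 10.0.0.9 qwzkxhvrt.org NXDOMAIN
10:00:03 10.0.0.9 plmvudjqae.net NXDOMAIN
10:00:04 10.0.0.9 xkcvbnmasd.info NXDOMAIN
10:00:04 10.0.0.9 jhgfdsaqwe.com NXDOMAIN
10:00:05 10.0.0.9 zxcvbnmlkj.biz NXDOMAIN
10:00:05 10.0.0.9 rtyuiopasd.org NXDOMAIN
10:00:06 10.0.0.9 update.example.com NOERROR
"""

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name: str) -> str:
    """'a.b.example.com' -> 'example' (naive split; a public-suffix list would refine this)."""
    parts = name.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_dga_suspects(log_text: str, min_failures: int = 5, min_entropy: float = 2.8):
    """Return {client_ip: [failed high-entropy names]} for clients whose NXDOMAIN
    count on random-looking labels reaches min_failures. A single typo such as
    'gooogle.com' scores low on entropy and never reaches the threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crashing on them
        _, client, name, rcode = fields
        if rcode != "NXDOMAIN":
            continue
        if shannon_entropy(second_level_label(name)) >= min_entropy:
            failures[client].append(name)
    return {ip: names for ip, names in failures.items() if len(names) >= min_failures}

if __name__ == "__main__":
    for ip, names in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {len(names)} failed lookups of random-looking names, e.g. {names[:3]}")
```

On the sample log only 10.0.0.9 is flagged; in practice the thresholds are tuned per network and the output is a lead for host investigation, not a verdict on its own.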

Schouwenberg told SCMagazineUS.com that Conficker's authors have spent the last several months seeding the worm on up to 12 million machines across the globe. Now, with the new variant, dubbed Conficker.E, they appear to be trying to make money.

He said the worm now is pushing at least one rogue anti-virus program known as Spyware Protect 2009, which falsely warns people that their machines are infected with malware and attempts to dupe them into purchasing the bogus product for $49.95.

Researchers said it is no surprise Conficker has taken this route. Just this week, Microsoft reported that scareware programs are the No. 1 threat facing internet users.

Conficker-infected machines also have begun attempting to contact Waledac domains to install binaries belonging to the notorious spam bot, said Paul Ferguson, advanced threats researcher at Trend Micro.

He told SCMagazineUS.com that this likely means Conficker is receiving a spamming capability, which is what Waledac-infected nodes predominantly are used for, in addition to data theft. Plus, this may confirm a link between the authors of the two threats. Waledac is believed to be connected to the cybercrime organization formerly known as the Russian Business Network, Ferguson said.

But Lawrence Baldwin, founder of security consultancy myNetWatchman, said the two actually may not be related. It is possible that Conficker's authors merely are selling their botnet to others for use as a malware distribution point.

"Sometimes the intent is to be able to sell loads," Baldwin told SCMagazineUS.com. "That's the miscreant term for installing your desired piece of malware."

Whatever the intent, Conficker began receiving its updates via peer-to-peer communication, meaning drone computers now are receiving payload instructions from other infected nodes and do not need to contact domains hosted by the author, said David Perry, Trend Micro's global director of education.

"The jury is still out on what the final motive is for these guys," Ferguson said. "These guys are all about profit. They're trying to figure out a way to monetize their efforts."
