Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Conficker worm updated to send spam, hawk fake AV

The insidious Conficker worm, which has spent months spreading to millions of computers worldwide, has begun taking some of the malicious action security experts feared was coming.

Researchers said the new variant sprung to life Tuesday night and Wednesday morning -- and now is being used for two purposes: to download fake anti-virus programs, known as "scareware," to infected machines, and to receive encrypted binaries from the Waledac spam botnet.

"The wait is over," said Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab. "Now we have to see if this is going to be it or if they're going to install more malware."

Computer users anxiously waited to see if Conficker would act on April 1, when it was supposed to activate to retrieve additional payload instructions from hundreds of randomly generated domains. The malware, though, stayed mostly silent that day.

Schouwenber told that Conficker's authors have spent the last several months seeding the worm on up to 12 million machines across the globe. Now, with the new variant, dubbed Conficker.E, they appear to be trying to make money.

He said the worm now is pushing at least one rogue anti-virus program known as Spyware Protect 2009, which falsely warns people that their machines are infected with malware and attempts to dupe them into purchasing the bogus product for $49.95.

Researchers said it is no surprise Conficker has taken this route. Just this week, Microsoft reported that scareware programs are the No. 1 threat facing internet users.

Conficker-infected machines also have begun attempting to contact Waledac domains to install binaries belonging to the notorious spam bot, said Paul Ferguson, advanced threats researcher at Trend Micro.

He told that this likely means Conficker is receiving a spamming capability, which is what Waledac-infected nodes predominantly are used for, in addition to data theft. Plus, this may confirm a link between the authors of the two threats. Waledac is believed to be connected to the cybercrime organization formerly known as the Russian Business Network, Ferguson said.

But Lawrence Baldwin, founder of security consultancy myNetWatchman, said the two actually may not be related. It is possible that Conficker's authors merely are selling their botnet to others for use as a malware distribution point.

"Sometimes the intent is to be able to sell loads," Baldwin told "That's the miscreant term for installing your desired piece of malware."

Whatever the intent, Conficker began receiving its updates via peer-to-peer communication, meaning drone computers now are receiving payload instructions from other infected nodes and do not need to contact domains hosted by the author, said David Perry, Trend Micro's global director of education.

"The jury is still out on what the final motive is for these guys," Ferguson said. "These guys are all about profit. They're trying to figure out a way to monetize their efforts."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.