Conficker / Downandup Active? Or...


« Neeris: Conficker Copycat or Conficker Inspired? | Main | Top 10 Worst PC Viruses »

04/09/2009



Conficker / Downandup Active? Or...

Kevin R. Smith
Co-Editor


Most everyone in Windows security is watching Conficker, not the least of which is Trend Micro, whose antivirus product we cover in our Trend Micro Antivirus Review.

Let's start with a look at what Trend says:

"Some interesting things (well at least in our perspective) found are:
  1. (Un)Trigger Date – May 3, 2009, it will stop running
  2. Runs in random file name and random service name
  3. Deletes this dropped component afterwards
  4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
  5. Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
  6. Connects to the following sites:
    • Myspace.com
    • msn.com
    • ebay.com
    • cnn.com
    • aol.com
It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc."


The question we (and everyone watching Conficker) has had is: why?

What plans do its creators have in store?

Well, it may be a ruse or just part of the picture, of course, but as we guessed earlier in covering Conficker, it looks like it might be for spamming. Here's what Paul Ferguson of Trend says,

"In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do)from a fast-flux domain infrastructure, but also now it is also installing Fake/Rogue AntiVirus (AV) malware, too."

Now there's a connection to Waledac? If true, it would sure lead us to believe Conficker might be a spam network. Imagine a network of say 10 million computers. Each of which would send just four or five spams a day. Now you're talking about 120,000,000 spams a month. 

That's an impressive number, and easy to do if they were all coming from one spamhaus (i.e. a known spammer or network friendly to spammers) but try blocking just four or five emails from 10 million different computers all in different parts of the world.

Good luck.

The Conficker story is just getting started to be sure, but for now at least we feel like we're beginning to understand it.

For instance, at the The IT Security Networks Blog (TITSSN for short), in their latest Conficker coverage they make mention that,

"..researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine."


Interesting. By the way, as for detecting the latest variants of Conficker, Trend Micro's Antivirus + AntiSpyware detects it as, WORM_DOWNAD_E.

Posted by Kevin R. Smith at 12:00:00 AM in Trend Micro

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a0133f40d81f4970b01348764918e970c

Listed below are links to weblogs that reference Conficker / Downandup Active? Or... :

Comments

You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.