The controllers of the Conficker worm have begun sending malicious payloads to infected PCs, and they did not even have to get infected machines to successfully check in at 500 rendezvous points, randomly selected from 50,000 web domains. Readers will recall this was the new routine activated on April 1st. So much for the big debate about the significance of the phone-home routine.
“We did not detect any downloads at the 50,000 domains,” says Sophos researcher Richard Wang. “Therefore we believe an alternate means of introducing the update was used.”
The consensus among several top researchers is that its controllers took the easiest route available: they simply seeded instructions within Conficker's customized peer-to-peer network.
Conficker's creators went through a whole lot of trouble in early March to align Conficker-infected PCs into a proprietary, cloaked P2P network. This allows them to plant instructions on any machine in this P2P network. The networked PCs then begin to pass the instructions among themselves, cleaving through most corporate intrusion detection systems. This is similar to how people share pirated music and movies via popular P2P nets such as eDonkey and BitTorrent.
Instructions recently spotted traveling across Conficker's P2P net do a couple of things. First, they reactivate the worm's sophisticated battery of self-propagating routines, which were shut down in early March. Also, the worm now takes several new steps to hide its tracks better. Finally, Conficker has begun a campaign to generate revenue. The bad guys used the P2P net to install a copy of the Waledac spamming worm, says F-Secure researcher Patrik Runald. This version of Waledac, in turn, issues fake antivirus pitches for “Spyware Protect 2009” to display on infected machines, says Runald.
Symantec researcher Eric Chien adds: “The user will see a pop-up window appear that will seem to scan the user’s machine. Then a ‘Windows Security alert’ icon will appear, advising the user that his or her machine is infected with multiple fake threats. When the user selects to remove the threats, it will then request you purchase the software. This will redirect you to a Web site to purchase the software for $49.95.”
Kaspersky Labs has a helpful breakdown of this particular strain of fake antivirus sales pitch here.
One thing Conficker does not do, at least not yet, is steal data, as suspected by officials at the University of Utah, who just discovered 700 Conficker-infected PCs. No keystroke loggers have yet been spotted by the dozens of top virus hunters closely tracking Conficker traffic.