Welcome | Sign In
LinuxInsider.com
Security

Conficker Twitch Leaves Security Sleuths With More Mysteries to Solve

Print Version
E-Mail Article
Reprints
Conficker Twitch Leaves Security Sleuths With More Mysteries to Solve

By Richard Adhikari
TechNewsWorld
Part of the ECT News Network
04/09/09 12:09 PM PT

Computer security researchers watched anxiously on April 1 as the Conficker worm, which has stricken millions of PCs worldwide, woke up and began listening for orders. However, no large disruptions were reported at the time. Now, though, researchers say Conficker is on the move again, and its new variant has left them with more questions than answers.


Crystal Reports - Discover the Latest Innovations.
Download a free trial, view real-time 'behind the scenes' functionality, and learn about new Crystal Reports Server trade in options! Learn more.

On Tuesday, computers infected by the Conficker worm woke up and downloaded a new variant.

Named "Worm.Downad.E" by Trend Micro, "Conficker.AQ" by antivirus vendor Eset and "Trojan-Dropper.Win32.Kido.o" by antivirus vendor Kaspersky Lab, this new variant has left many security threat researchers bewildered.

One conundrum: They don't know why it has a kill switch that apparently kicks in on May 3.

Also, the new variant has a mysterious dropped component. It will eventually delete that component, and researchers are still trying to figure out why.

Puzzles, Anyone?

The new variant is not a single program but actually several related components, David Haley, director of malware intelligence at Eset, told TechNewsWorld. It is a subvariant of Conficker.A, the very first version of Conficker, which came out late in 2008, he said.

Security experts are still scrambling to unravel Conficker.AQ's code, but they have come up with tidbits that raise more questions than they answer. Take the kill switch, for example. "We're still trying to determine why Conficker will turn itself off on May 3," Ivan Macalintal, a member of the Conficker Working Group, which was set up to fight the worm, told TechNewsWorld.

When the new variant is executed, it will drop a temporary file in the system folder. This poses yet another mystery. "We know it touches the TCP (transmission control protocol) and IP.sys files in memory, and that's all," Macalintal said. "We're still working on analyzing it."

Code analysis shows the temporary file will delete itself after serving its purpose, but nobody knows why, Macalintal said.

Some Gory Details

Conficker.AQ will copy itself to various locations and load and inject a library into the explorer.exe, services.exe and svchost.exe files, according to Eset. It will also register itself as a system service with a name that includes one of the following: App, Audio, DM, ER or Event.

Conficker.AQ will also delete some registry entries and terminate processes with any of these strings in the name: autoruns, avenger, bd_rem, cfremo and confick.

It disables the following service strings: Windows Security Center Service (wscsvc); Windows Automatic Update Service (wuauserv); Background Intelligent Transfer Service (BITS); Windows Defender Service (WinDefend); and Windows Error Reporting Service (ERSvc and WerSvc).

Teaming Up With Waledac?

After infected PCs downloaded Conficker.AQ, they attempted to access goodnewsdigital.com, a domain known to host the Win32/Waledac worm, and download print.exe, a new Waledac binary, Trend Micro (Nasdaq: TMIC) said.

Waledac generates spam for outfits hawking fake high-end watches and for a well-known spam ring, Macalintal said. Waledac was also behind an e-card spam burst sent out on Valentine's Day.

Thoughts of a tie-in between the two generates shivers down security researchers' spines. "If there's anything in that Conficker-Waledac connection, it could be a really big thing," Macalintal said. "The Conficker Working Group is looking into this, as are we." Macalintal is also a threat research manager at Trend Micro.

Just Checkin' In

Conficker C, which was the last variant before Conficker.AQ, performs a few date and time checks, according to the CA Security Advisor Research Blog.

One time check occurs between 7:00 a.m. and 11:00 a.m., local system time. This is when people typically arrive at work and turn on their computers. The last date check happened on April 1, at which time the system was set to generate 50,000 domains from which to get instructions.

Conficker.AQ will continue the date and time checks by accessing servers at sites like MySpace.com, MSN.com, AOL.com, eBay.com and CNN.com. This does not indicate a sinister plan to corrupt those sites, nor does it imply any collusion between those sites and Conficker's designers. "According to the code, it's just to check for the date and time on various servers," Macalintal said.

Laziness Kills

Here's the painful truth: Conficker would not be anywhere near as effective as it is in growing if PC users had only kept up with their updates and patches. It leverages a vulnerability mentioned in Microsoft (Nasdaq: MSFT) Security Bulletin MS08-067, which was published last October.

At the time, Microsoft warned that this vulnerability could allow remote code execution on various systems running the Windows operating system. "An attacker could exploit this vulnerability without authentication to run arbitrary code," the bulletin said. "It is possible that this vulnerability could be used in the crafting of a wormable exploit."

That frustrates researchers.

"If it wasn't for such truly bad security practices on such a massive scale, Conficker wouldn't be a problem anyway," Randy Abrams, ESETs director of technical education, told TechNewsWorld.

Print Version E-Mail Article Reprints More by Richard Adhikari

Talkback: Be the first to comment on this story.

More by Richard Adhikari

Steve Jobs Conquers the Decade - Now What?
November 07, 2009
Apple CEO Steve Jobs has been named the chief executive of the decade by Fortune, and it's hard to call that a bad pick, considering the turnaround Apple has undergone since Jobs returned to the helm in the mid-'90s. What's next on the list for a tech leader who's already changed the way we use computers, how we listen to music, and how we use our cellphones? 		Verizon Launches a Droid of a Different Color
November 06, 2009
Motorola's new handset wasn't the only Droid that Verizon brought to market Friday. HTC's Droid Eris also made its debut. The phone closely resembles the HTC Hero, a handset Sprint started selling last month. The similarity in names for the two Verizon phones is no accident -- Verizon says the name "Droid" will be used as a brand within the carrier's lineup. 		There's Something About Droid
November 05, 2009
For Verizon, the Droid is an answer to AT&T. For Motorola, it's a path to relevance in the smartphone world. For the Android platform, it's the debut of a brand-new version of the operating system. And for some smartphone shoppers, it could be a tough choice between a Droid and an iPhone.
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]
Shortcuts
> Get Business and Technology News Alerts
> Most Popular | Spotlight Features | Exclusives
> This Week on ECT News Network | Podcasts
> WiFi Hotspot Locator
> Inside LinuxInsider
LinuxInsider
E-Commerce Times
TechNewsWorld
MacNewsWorld
CRM Buyer
Today's LinuxInsider Sponsors
Avaya Aura™
Save up to 40% on calling costs with Avaya Aura™
Entrust Extended Validation SSL
Entrust EV SSL certificates -- "go green" for less. Now from only $199 per year.
Trend Micro Smart Protection Network(TM)
Lower your content security management costs by up to 40%.
ECT News Network Information
Reader Services
Corporate
ECT News Network
Terms of Service | Privacy Policy | How To Advertise
Copyright 1998-2009 ECT News Network, Inc. All Rights Reserved.