April 10, 2009

Researchers: Conficker All About Money

Computer Worm Will Likely Send Spam Or Steal Data From Infected PCs


(CNET)  This story was written by CNET's Elinor Mills.


The Conficker worm that has infected millions of Windows-based computers will likely be used to send spam and steal data much like one of the nastiest botnets on the Internet does, researchers said on Thursday after finding links between the two worms.

A week after failing to do anything but snore, the much hyped Conficker worm was roused from its slumber on Wednesday, with infected computers transmitting updates via peer-to-peer and dropping a mystery payload onto PCs. Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both.

Conficker now also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com, and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down some functionality on May 3.

In addition, Conficker reaches out to a domain that is known to be infected by a worm called Waledac and downloads an encrypted file. Researchers are analyzing that code and the program that is dropped directly onto infected machines by other infected machines to find out exactly what is in it. And they suspect that Conficker and Waledac are coming from the same people.

"I'm pretty certain the same people are behind both of them," said Paul Ferguson, an advanced threats researcher for Trend Micro. "Conficker has got their (Waledac creators') fingerprints all over it."

Computers infected with Waledac comprise what Ferguson called the "most pernicious spamming botnet on the Internet." Waledac spreads via a malicious Web link or an e-mail, typically a fake Christmas greeting or Valentine's Day message, or with a subject line related to the inauguration of President Obama. It generates spam and steals data, like passwords, from infected computers.

Ferguson said he believes Eastern Europeans are behind the Waledac worm. He suspects they created the Storm botnet to try different payloads and business models and that Waledac resulted from that. Ferguson speculates that they may be putting their lessons learned from earlier efforts into practice with Conficker.

"There is empirical evidence that these guys are a for-hire, for-profit criminal operation on the Internet and that Conficker is nothing more than part of that organization's best efforts to monetize their efforts on the Internet," Ferguson said.

Vincent Weafer, vice president of Symantec Security Response, confirmed the Waledac connection with Conficker, but wouldn't speculate on who exactly might be spreading the worms. The fact that Conficker now downloads a Waledac file "reconfirms our belief that ultimately this is a large botnet designed to make money," he said. "It's the first example of how these guys are trying to leverage this botnet for profit."

As for the May 3 expiration date in the latest Conficker code, Weafer said it appears to be trying to shut down code related to the first variant of Conficker, Conficker.A, which generated more noise on the Internet than later versions did.

Symantec researchers are calling the latest Conficker code that is circulating a new variant of the worm and have dubbed it Downadup.E, with Downadup being another name for Conficker.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.

To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
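As an added illustration (not code from the article, CNET, or the Eye Chart's authors), here is a check in the spirit of the Conficker Eye Chart: it relies on the behaviour the article describes, that the worm blocks access to security vendor sites while ordinary sites still load, and the probe URLs are assumptions chosen from vendors and sites the article names.

```python
"""Eye-chart style check: compare reachability of security vendor sites
against ordinary control sites. If the vendor sites fail while the control
sites load, the host is probably subject to the blocking behaviour the
article describes; if everything fails, the machine simply has no
connectivity (or a proxy is in the way) and the result is inconclusive."""
from typing import Sequence
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed probe lists: vendors and sites named in the article, not the
# Eye Chart's own URLs. Any similar split would serve the same purpose.
SECURITY_SITES = ["https://www.symantec.com/", "https://www.trendmicro.com/"]
CONTROL_SITES = ["https://www.cnn.com/", "https://www.ebay.com/", "https://www.aol.com/"]


def probe(url: str, timeout: float = 5.0) -> bool:
    """Return True when any HTTP response comes back (even 4xx/5xx), False when
    the request fails at the network level (refused, blocked, DNS failure)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except HTTPError:        # server answered, so the site is reachable
        return True
    except (URLError, OSError):
        return False


def classify(security_ok: Sequence[bool], control_ok: Sequence[bool]) -> str:
    """Interpret probe results the way an eye-chart check does."""
    if not any(control_ok):
        return "no-connectivity"      # nothing loads: inconclusive
    if all(security_ok):
        return "not-blocked"          # vendor sites reachable: no blocking seen
    if not any(security_ok):
        return "likely-blocked"       # controls load, every vendor site fails
    return "possibly-blocked"         # mixed: blocking or a restrictive proxy


def run_check() -> str:
    """Probe the live sites and classify; needs network access."""
    return classify([probe(u) for u in SECURITY_SITES],
                    [probe(u) for u in CONTROL_SITES])


if __name__ == "__main__":
    print(run_check())
```

The classification is only a hint: a corporate proxy or filter that blocks the same vendor sites produces the same "likely-blocked" result, so confirm with the removal guide's scanner before concluding anything.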

People are being urged to be careful in their quest for Conficker removal tools. Marshal8e6 has found spam that takes advantage of the hype over the Conficker worm to scare people into installing fake antivirus software. The e-mail messages claim to be from Microsoft security departments and provide a link to a Web page that does a fake computer scan and prompts the visitor to buy antivirus software that typically does nothing but install malware on the computer.

Also, using search engines to try to find Conficker removal tools may not be the best idea. Trend Micro has found that Google searches using terms related to Conficker bring up results that include links to malware. They recommend going directly to the site of a trusted security vendor to get software instead of doing general searches.

Meanwhile, Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.


By Elinor Mills
Copyright ©2008 CNET Networks, Inc., a CBS Company. All rights reserved.
by ershler April 12, 2009 11:11 PM EDT
Actually, while somewhat akin to Linux, OS X is not built on Linux. OS X traces its beginnings back to BSD and FreeBSD. The system log during boot-up still acknowledges this.

Apr 12 18:48:54 localhost kernel[0]: Copyright (c) 1982, 1986, 1989, 1991, 1993
Apr 12 18:48:54 localhost kernel[0]: The Regents of the University of California. All rights reserved.

The following is quoted from Wikipedia.

"Mac OS X's core is a POSIX compliant operating system (OS) built on top of the XNU kernel, with standard Unix facilities available from the command line interface. Apple released this set of software as a free and open source operating system named Darwin. On top of Darwin, Apple layered a number of components, including the Aqua interface and the Finder, to complete the GUI-based operating system which is Mac OS X."

XNU stands for X is NOT UNIX. While similar to Linux, its philosophy of integration is different.
by ershler April 12, 2009 9:53 PM EDT
"I've had a computer on and connected 24 hours a day for about 15 years and in that time I've gotten 2 viruses, both of which I got by visiting questionable sites. I think the whole alarm is more to generate anti-virus software sales than anything else."

Talk about an ostrich with his head in the sand. I know of a major hospital that is virtually paralyzed from this damn thing.

Yes, Windows has a place in this world, but using it to the exclusion of other OSes is a real mistake. It's just like biodiversity in the real world. Nature is much healthier with many diverse species. This worm is just like the lack of biodiversity. When Windows gets sick, entire institutions get very sick.

A properly conceived IT system should have Windows, OS X, Linux and others, even including DEC's VMS. Many people don't realize VMS is still in wide use in the Banking industry because of its incredible security.
by I_am_me1953 April 12, 2009 11:18 AM EDT
I've had a computer on and connected 24 hours a day for about 15 years and in that time I've gotten 2 viruses, both of which I got by visiting questionable sites. I think the whole alarm is more to generate anti-virus software sales than anything else.

Posted by PVperson2 at 4:04 PM : Apr 10, 2009
_________________-

Possibly, but there are several very good and reliable FREE antivirus programs out there. Go to download.com and you can get them.

I, for one, am glad that they told me about Conficker; it gave me the chance to make sure all my protection programs were up-to-date.
by raymimsjr April 11, 2009 11:45 PM EDT
To alphaa10000:

Good of you to mention Linux. You only have to wonder why the world hasn't gotten tired of the virus/worm/trojan threat to M$ products and completely abandoned the M$ operating system altogether.

How many times does one let a dog bite them before avoiding the dog? Learn a lesson, folks: M$ is never going to be secure. Move to Linux. And by the way, Macs run a Linux kernel.
by April 10, 2009 7:22 PM EDT
I just saw this article on CBS Evening News. When stating "Conficker attacks PCs, but not Macs," CBS briefly shows a photo of an original model iMac -- a form factor discontinued from consumer production since 1993 (okay, the eMac was available to the education market for about another year...). Still, CBS is either silly or just plain dumb. Otherwise, they should show some real guts and show instead the original 1984 128k Macintosh. Just my opinion.
by PVperson2 April 10, 2009 7:04 PM EDT
I've had a computer on and connected 24 hours a day for about 15 years and in that time I've gotten 2 viruses, both of which I got by visiting questionable sites. I think the whole alarm is more to generate anti-virus software sales than anything else.
by jab232 April 10, 2009 5:49 PM EDT
I use a home computer. When I am not using it directly (like now), I take it off the Internet. It doesn't sit on the net for hours unattended. When I go back on, the first thing I do is update Norton, and every Tuesday I check Microsoft. I also have automatic updates set for both sites. This might not be enough, but it is what you can do.
by carolhill814 April 10, 2009 3:04 PM EDT
All of this really scares me but I do have a lot of protection so hopefully everything will be fine.

MAY GOD BLESS US ALL NOW AND FOR ALL TIME AS I AM SURE HE WILL!!!
by hetup-2009 April 10, 2009 12:05 PM EDT
In other words, more bad code on already bad code. Thanks, Bill Gates.
by brianbwb-2009 April 10, 2009 11:53 AM EDT
"Researchers suspect that the payload program may be a keystroke logger, a spam generator, or both. "

Maybe the researchers read my post from yesterday, re-posted below. I still say they should pay me, I could have told them what it was months ago. I wrote...

"Maybe the researchers should hire me. I use Softice 32 (one of those neat little programs that was made illegal by stupid anti-"piracy" idiots, because it allows code circumvention) on a test-bed box to watch code execution, and therefore know exactly what the encrypted code does, so analyzing it is simple. I, a self-taught programmer (assembler and C++), trapped the downadup rootkit months ago, which, by the way, plants keyloggers, opens ports, and logs the infected box into a "bot-net" awaiting data to spread. It also installs itself in the Restore folder, so if you wipe it, it re-installs itself on the next boot. It then allows back door monitoring of passwords and other private info by anyone who chooses to look and knows the port numbers (or, for that matter, owns a port sniffer).

I was writing a piece to kill it when M$ put their malicious software removal kit out, which saved me time and trouble."