New Conficker Worm Variant Spotted
The cyber-sleuths over at Trend Micro have been closely monitoring a Conficker-infected system, noting that all it had been doing was "the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes." But then at 7:42:21 PDT on April 7, a new file (119,296 bytes) showed up in the system's Windows/Temp folder. The file arrived on the system via an "encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea."
|Credit: Trend Micro |
After analyzing that first file that downloaded on their system, the researchers have subsequently identified it as a new variant of the Conficker worm, which they are now calling WORM_DOWNAD.E. Some of the facts they discovered about this new variant are:
1. (Un)Trigger Date – May 3, 2009, it will stop running
2. Runs in random file name and random service name
3. Deletes this dropped component afterwards
4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
5. Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
6. Connects to the following sites:
One of the ways that Conficker is known to spread is via a known vulnerability (MS08-067) in Windows 2000, Windows XP, and Windows Server 2003's Server service. "The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request." Conficker can spread through Internet connections as well as through a local network.
The exact number of infected systems is unknown, but is believed to be in the millions. Researchers also still don't know exactly what Conficker's payload is meant to do; although they suspect that its ultimate intention is to steal personal information from people's systems, such as usernames, passwords, and credit card numbers.
|Top 10 viruses, worldwide --|
cccording to Trend Micro, as of
April 9, 2009 10:58:35 AM (EDT)
It is also important to note that Conficker is by no means the only malware we need to be vigilant about. Trend Micro just identified a new worm, WORM_NEERIS.A that also takes advantage of the MS08-067 exploit. A peek at Trend Micro's Virus Map shows the top-10 most active viruses, worldwide. Just the top two viruses combined are estimated to have infected over 12-million systems. The best defense is a good offense: surf safely, be careful what you download, keep your OS and virus definition files updated, and periodically scan your systems for malware.