Conficker Virus Resurfaces

Weeks after being dismissed as a false alarm, the Conficker virus is slowly being activated. Conficker, also known as Downadup or Kido, is quietly turning thousands of personal computers into email spam servers and installing spyware. It does this by installing a second virus known as Waledac that can send out email spam without the PC owner’s knowledge. The Waledac virus recruits the PCs into a second botnet that specializes in distributing email spam.

Conficker also carries a third virus that prompts PC owners to purchase a fake anti-virus program called Spyware Protect 2009 for $49.95. When users purchase the fake security system, their credit card information is stolen and the virus downloads additional malware.

The Conficker worm began spreading late last year and has infected millions of computers, turning them into “slaves” that will respond to commands from a remote server. Vincent Weafer, vice president with Symantec Security Response, said Conficker’s unidentified creators have begun using some of the infected machines for criminal purposes by loading malicious software. Weafer expects Conficker to be a long-term, slowly changing worm.

Paul Ferguson, a senior researcher with Trend Micro Inc, described Conficker as a sophisticated botnet. Ferguson believes Conficker's authors have likely installed a spam engine and another malicious software program on tens of thousands of computers since April 7. Ferguson said the worm will stop distributing the software to infected PCs on May 3rd but expects other attacks to follow.

Security researchers had previously warned Conficker would strike on April 1st because the worm was programmed to increase communication attempts on that date. The threat of attack from Conficker drew widespread attention, which some experts have said may have scared off the criminals who command the slave computers.

During a panel at the RSA security conference yesterday, a security expert revealed the Conficker worm had infected several hundred machines and critical medical equipment in an undisclosed number of U.S. hospitals. According to Marcus Sachs, director of the SANS Internet Storm Center and a former White House cyber security official, Conficker in hospitals is not widespread, but it raises the awareness of what could happen if there were millions of infected computers at hospitals or other critical infrastructure locations.

At this point it’s unclear how the devices, which control things like heart monitors and MRI machines, got infected. The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet. The network was connected to another network that does have direct Internet access, however.