NEWS FROM THE LAB - Thursday, April 9, 2009

New Conficker action Posted by Patrik @ 19:08 GMT

A new variant of Conficker was found yesterday. We're still investigating the files but here's what we know so far.

  • On April 8th a new update was made available to Conficker.C infected machines via the P2P network.
  • The new file, which we call Conficker.E, was executed and co-existed alongside the old infection.
  • It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C; the gang behind it may have realized that was a mistake and added it back.
  • The new variant does not have the domain generation algorithm that the previous variants have.
  • There's a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well-known Waledac domain and downloaded Waledac from there.
  • There's also a connection to rogue anti-virus products, as we've seen one end up on Conficker.C infected machines. The rogue product was SpywareProtect2009.
  • Conficker.E deletes itself if the date is May 3, 2009 or later. It does not delete Conficker.C, though, so that will remain on an infected computer.
Sounds complicated and strange? It is, and unfortunately nothing is easy when it comes to Conficker, so we'll continue to update this post as we find out more about its behavior. We have detected the new Conficker.E since yesterday, along with all the related files it downloads.