Conficker Worm Evolves Into Conficker B++

by Lee on March 4, 2009

in The Conficker Worm

The Conficker worm, which is believed to have infected several million computers, has already evolved into a new and much more effective variant.


The upgraded version of the worm, also known as Downadup, has been named Conficker B++.

The author(s) have upgraded it in order to get around attempts to shut it down.

The original Conficker worm sourced its updates from a collection of 200+ URLs that were generated randomly.

The good guys, however, managed to block the worm from updating by reverse engineering the process that generated the random URLs and then locking it down.

In response, Conficker B++ employs a new set of back doors in order to update itself.

According to an advisory from Microsoft:

We have discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it.

Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload.

The payload only executes if it is successfully validated by the malware. However, there does not appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant.

The Conficker worm is still extremely prevalent, despite the fact that Microsoft have offered a bounty of $250,000 for information on the author’s identity.

2 comments

    1 Eko Sukmo September 14, 2009 at 11:07 pm

    Conficker breaks down to two words, “conflict” and “ficker.” Ficker in German means F*$%. This sounds like a terrible beast, but how come we haven’t heard it in mainstream chatter until a few weeks ago? Here’s the reason, Microsoft is offering $250,000 for the person who finds the inventors of the Conficker virus. I’ve looked into this “virus” and have carefully examined the code of this thing in the lab. As it turns out, I now know why people have been covering it up, and why Microsoft is offering a reward for the people who stop it.


    2 Lee September 14, 2009 at 11:09 pm

    Come on the Eko… why is it being covered up do you think???

