The Conficker worm, believed to have infected several million computers, has evolved into a new and considerably more effective variant.
The upgraded version of the worm, also known as Downadup, has been named Conficker B++.
The author(s) have upgraded it in order to get around attempts to shut it down.
The original Conficker worm sourced its updates from a collection of 200+ URLs that were generated randomly.
The good guys, however, managed to block the worm from updating by reverse engineering the process that generated those random URLs and then locking the resulting addresses down.
In response, Conficker B++ employs a new set of back doors in order to update itself.
According to an advisory from Microsoft:
We have discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it.
Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload.
The payload only executes if it is successfully validated by the malware. However, there does not appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant.
The Conficker worm is still extremely prevalent, despite the fact that Microsoft have offered a bounty of $250,000 for information on the author's identity.


Conficker breaks down to two words, "conflict" and "ficker." Ficker in German means F*$%. This sounds like a terrible beast, but how come we haven't heard it in mainstream chatter until a few weeks ago? Here's the reason: Microsoft is offering $250,000 for the person who finds the inventors of the Conficker virus. I've looked into this "virus" and have carefully examined the code of this thing in the lab. As it turns out, I now know why people have been covering it up, and why Microsoft is offering a reward for the people who stop it.
Come on the Eko… why is it being covered up do you think???