The Conficker worm, which is believed to have infected several million computers, has already evolved into a new and much more effective variant.
The upgraded version of the worm, also known as Downadup, has been named Conficker B++.
The author(s) have upgraded it in order to get around attempts to shut it down.
The original Conficker worm sourced updates from a collection of 200+ URLs which were generated randomly.
The good guys, however, managed to block the worm from updating by reverse engineering the process that generated the random URLs and then locking it down.
In response, Conficker B++ employs a new set of back doors in order to update itself.
According to an advisory from Microsoft –
We have discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it.
Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload.
The payload only executes if it is successfully validated by the malware. However, there does not appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant.
The Conficker worm is still extremely prevalent, despite the fact that Microsoft have offered a bounty of $250,000 for information on the author’s identity.