Conficker Worm Evolves Into Conficker B++

Conficker.B evolves into Conficker.C

The Conficker worm, which is believed to have infected several million computers, has already evolved into a new and much more effective variant.

The upgraded version of the worm, also known as Downadup, has been named Conficker B++.

The author(s) have upgraded it in order to get around attempts to shut it down.

The original Conficker worm sourced its updates from a collection of 200+ URLs that were generated randomly.

The good guys, however, managed to block the worm from updating by reverse engineering the process that generated the random URLs and then locking those URLs down.

In response, Conficker B++ employs a new set of back doors in order to update itself.

According to an advisory from Microsoft –

We have discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it.

Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload.

The payload only executes if it is successfully validated by the malware. However, there does not appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant.

The Conficker worm is still extremely prevalent, despite the fact that Microsoft has offered a bounty of $250,000 for information on the author’s identity.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Comments

  1. Come on the Eko… why is it being covered up do you think???

  2. Conficker breaks down to two words, “conflict” and “ficker.” Ficker in German means F*$%. This sounds like a terrible beast, but how come we haven’t heard it in mainstream chatter until a few weeks ago? Here’s the reason: Microsoft is offering $250,000 for the person who finds the inventors of the Conficker virus. I’ve looked into this “virus” and have carefully examined the code of this thing in the lab. As it turns out, I now know why people have been covering it up, and why Microsoft is offering a reward for the people who stop it.

Trackbacks

  1. […] another new variant of the Conficker, or Downadup, worm is on its […]