Conficker Sells Out!

Network Jew — Fri, 10 Apr 2009 13:46:13 +0000

After lying dormant for a week, then mysteriously downloading encrypted content, Conficker is now starting to actually show its true colors. It wants to sell you something. Great.

From F-Secure:

# On April 8th a new update was made available to Conficker.C infected machines via the P2P network
# The new file, which we call Conficker.E, is executed and co-exists alongside the old infection
# It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C and the gang behind this maybe realized they made a mistake and added it again.
# There’s a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
# There’s also a connection to rogue anti-virus products as we’ve seen it end up on Conficker.C infected machines. The rogue product was Spyware Guard 2008.
# Conficker.E deletes itself if the date is May 3, 2009 or later.

Conficker Update – It’s Doing Something

Network Jew — Thu, 09 Apr 2009 16:04:31 +0000

Well, April 1st came and went without the Internet exploding. All seemed calm on the waters until today when, apparently, infected Conficker PC’s began downloading new encrypted binaries and checking to see if various websites were up.

According to Trend Micro’s summary:

Two things can be summed up from the events that transpired:

1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!
2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

Here’s a link to more information from Trend Micro

Here’s a link to the conficker “eye test” – it’ll let you know if your machine is infected or not.

http://www.talkbiz.com/confickertest/

NetworkJew » malware

Conficker Sells Out!

Conficker Update – It’s Doing Something