Internet security company TrendMicro has discovered a new variant of the Conficker worm, which was originally scheduled to hit computers on April Fools' Day, although the anticipated impact didn’t materialise.
Now, more than a week later, TrendMicro researchers have spotted new activity around Conficker, indicating that it isn’t over yet.

This new variant, called WORM_DOWNAD.E, is believed to originate in Korea and runs under a random file name and service name. It opens port 5114 and serves as an HTTP server, broadcasting via SSDP requests, and attempts to connect to sites like MySpace, MSN, eBay, CNN and AOL.
The worm spreads by exploiting vulnerabilities in the operating system that Microsoft describes in security bulletin MS08-67. If an Internet connection is available it will spread to external IPs, but if an Internet connection is not available it will use a local IP.
The file that TrendMicro found was located in the Windows Temp folder, had a file size of 119,296 bytes, and was on a so-called “honeypot” machine that had been deliberately infected with Conficker C so that the researchers could monitor it.
The new file was created on April 7th 2009 at 07:41:21. It hadn’t arrived via an HTTP download but through an encrypted TCP response from a known Conficker node.
TrendMicro had been watching for any signs of Conficker activity and noticed an increase in peer-to-peer communications among the Conficker peer nodes.
TrendMicro researchers also noticed that the Downad/Conficker box was trying to access goodnewsdigital.com, a known Waledac domain, and download yet another encrypted file.
“As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing,” said Ivan Macalintal, a TrendMicro researcher, on the company’s security blog.
So is there a connection between Conficker and Waledac? “Possible, but we still have to dig deeper into this,” Macalintal says.
Just like previous Conficker versions, this new variant deletes all traces of itself on the host computer, leaving no files, registry entries, etc.
Apparently the new variant has an inbuilt instruction to tell it to stop working on May 3rd.
People are advised to make sure their anti-virus software is up to date as no one really knows yet what the full payload will be on this one.
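
The host-level details reported above (a listener on port 5114, and a 119,296-byte file in the Windows Temp folder under a random name) can be turned into a quick triage check. The following is an added example, not TrendMicro's tooling: it parses constructed `netstat -ano` output and scans a folder for exact size matches. It assumes the port is TCP because the article describes an HTTP server, and a size match is only a lead for further inspection, since the file name is random and the worm removes its traces.

```python
import tempfile
from pathlib import Path

WORM_PORT = 5114        # port named in the article (TCP is an assumption)
SAMPLE_SIZE = 119_296   # size in bytes of the file TrendMicro found

# Constructed `netstat -ano` output for illustration, not from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5114           0.0.0.0:0              LISTENING       1432
  TCP    10.0.0.5:49211         203.0.113.7:5114       ESTABLISHED     2210
  TCP    [::]:5114              [::]:0                 LISTENING       1432
  UDP    0.0.0.0:1900           *:*                                    1188
"""

def listeners_on_port(netstat_text, port=WORM_PORT):
    """Return sorted PIDs holding a TCP socket in LISTENING state on `port`."""
    pids = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; header and UDP rows are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rsplit keeps IPv6 literals such as [::]:5114 intact.
        if fields[1].rsplit(":", 1)[-1] == str(port):
            pids.add(int(fields[4]))
    return sorted(pids)

def files_of_size(folder, size=SAMPLE_SIZE):
    """Return names of regular files in `folder` whose size is exactly `size`."""
    hits = []
    for path in Path(folder).iterdir():
        try:
            if path.is_file() and path.stat().st_size == size:
                hits.append(path.name)
        except OSError:
            continue  # file vanished or is unreadable; skip it
    return sorted(hits)

def triage(netstat_text, temp_folder):
    """Combine both checks into one report for an analyst to follow up."""
    return {"listening_pids": listeners_on_port(netstat_text),
            "size_matches": files_of_size(temp_folder)}

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, tempfile.gettempdir()))
```

A PID returned by `listeners_on_port` should be mapped back to its service and binary before drawing any conclusion; the outbound connection to a remote port 5114 in the sample is deliberately not flagged.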








