Conficker's first scam

Just when you thought it was a dud, security experts reported last week that Conficker has morphed once more and carried out its first scam.

Using one of the oldest tricks in the book, called scareware, the new Conficker C downloads a fake antivirus program called Spyware Protect 2009 (pictured). F-Secure says it's called Spyware Guard 2008. The fake program then delivers a pop-up message telling you that your computer is infected, but for only $49.95 the fake antivirus program can remove the malware.

You are then directed to a bogus Web site where you unwittingly enter your credit card information and then the criminals are laughing all the way to the bank -- your bank, that is. The scareware scam seems to be coming from a server in the Ukraine, according to the Washington Post.

Apparently the new Conficker has more tricks up its sleeve that researchers have yet to uncover. While security teams try to uncover all of Conficker's latest tricks and tweaks, they do know that Conficker is awake and the worm's authors are beginning to use Conficker-infected machines to make money. Just how far this will go is unknown at the moment.

As security researchers begin to unravel the mysteries surrounding the latest version of Conficker, you can protect yourself from the worm by first testing your system for infection and then by making sure you have the latest Microsoft Security patches and that your antivirus program is up to date. The Conficker Working Group has a simple test to see if you're infected with Conficker.

More than tens of millions of computers around the world are believed to have been infected by Conficker.c, the third version of the worm that first appeared late last year. The precise purpose of the malware's authors, however, remains a mystery.

Conficker had produced other variants in the past.

Antivirus software developer, Symantec Corp. observed last Wednesday that Conficker, also known as the W32.Downadup worm, has updated its functionality with a new list of URLs (uniform resource locator) used to obtain the Internet Protocol (IP) addresses of infected hosts and a new list of high profile domains.

"We noticed some activity. The virus was making a new version of itself," said Kevin Haley, director for Symantec Security Response.

The Symantec update said the new variant reintroduces the use of the MS08-067 exploit which was removed in a previous version of the worm. The current variant has a self-removal functionality which orders the worm to remove itself from the host machine on May 3, 2009.

"The self-kill switch is significant. It enables the worm to remove all traces of itself from the infected machine perhaps after Conficker has done its damage," Haley said.

Researchers also "observed a possible connection" to W32. Waledac. which is one of the most active spam bots around. W32. Waledac. steals sensitive information, turns computers into spam zombies and establishes a back door remote access on infected systems.

The researchers said the "have some circumstantial evidence that the two may be linked with Downadup.C distributing W32.Waledac."

Meanwhile, researchers with Websence Inc. and Trend Micro report that Conficker has recently received a binary file over peer-to-peer (P2P) network indicating that the worm's controllers are having trouble directing Conficker via Websites.

The binary instructions are ordering Conficker to start scanning for other computers that haven't patched the Microsoft vulnerability, according to Rik Ferguson, senior security advisor for software vendor Trend Micro.

The link with Waledec is especially alarming, said Ferguson.

The Waledec botnet grew in a fashion that was similar to the Storm worm, another large botnet that has now faded but was used to send spam. It means that perhaps the same group could be linked to all three botnets.

The update is also instructing Conficker to contact MySpace.com, MSN.com, Ebay.com, CNN.com and AOL.com to confirm that the infected machine is connected to the Internet, said Ferguson.

"It certainly indicates that Conficker authors are seeking to control more machines," according to the Trend Micro security expert.

Entries at Malware Blogs of Trend Micro's TrendLabs say researchers noticed a "huge encrypted TCP response" from a known Conficker P2P IP node which was "hosted somewhere in Korea."

The latest development follows a report from Symantec indicating that various spammers are riding on Conficker's coattails.                                                                                   

"We have found numerous spam samples attempting to capitalize on the frenzy over Conficker," said Dermot Harnett, principal analyst of anti-spam engineering for Symantec.

The spammers are offering anti-virus software that purports to protect users against Conficker. Some of the products are even packaged to look lke Symantec's own Norton AntiVirus 2009, Harnett said.

When users click on the bogus link, they are brought to a Website where users are immediately given directions to make a payment.

According to Symantec's monthly spam report aprt from the Conficker scare spammers are also using the following tactics:

• Exploting the countdown to the Tax deadline by offering bogus online tax software;

• Riding on the U.S. mortgage meltdown and credit crunch by flooding the Web with "make money quick" business offers and producing spam linked to terms such as foreclosure, interest rates, mortgage and loan

• Using current events and geolocation. Spammers are sending video clips and bogus news alert or safety warnings that are specific to the location of the intended victims. The video even comes with the logo of well known news agencies. When victims click to download the video they also unknowingly download malware.

Even though Conficker doesn't appear to have been used yet for malicious purposes, it still remains a threat, said Carl Leonard, a threat research manager for Websense in Europe. The P2P functionality indicates a level of sophistication, he said.

"It is evident they've put a lot of effort into gathering this suite of machines," Leonard said. "They want to protect their environment and launch these updates in a way they can best capitalize on them."

Not all computers infected with Conficker will necessarily get updated quickly. To use the P2P update functionality, a Conficker-infected PC must search for other infected PCs, a process that isn't immediate, Ferguson.

Given that security experts differ vastly over how many computers may be infected with Conficker, it's difficult to say what percentage has the new update.

Symantec, Trend Micro and Websense both cautioned their findings are preliminary, as the binary update is still being analyzed.

Related Content

Conficker's stealthy update
Wily worm reprogrammed to contact MySpace.com, MSN.com, Ebay.com, CNN.com and AOL.com to infect more machines

Conficker passes quietly, but threat isn't over
The activation of the Conficker.c worm at midnight on April 1 passed without incident, but security researchers said users aren't out of the woods yet. The people behind Conficker may simply be biding their time

Hackers update Conficker worm, evade countermeasures
A security software vendor says it has found evidence the perpetrators of the Conficker worm are trying to stymie attempts to register the addresses of the worm’s controllers. Find out how the industry is trying to kill Conficker