The evolution of the multi-faceted Conficker worm took another turn this month when the latest version, Conficker.E, erased itself on infected machines.
Several vendors noted Conficker.E – first spotted in April and probably created by the same attackers that since last fall let loose the Conficker.A through Conficker.C variants – was designed to simply self-destruct on May 3rd.
On Wednesday, that was confirmed by Patrik Runald, chief security advisor at F-Secure.
“If your computer was rebooted on May 3 or later you would no longer have Conficker.E,” he said.
“However, considering that Conficker.E was mostly downloaded through already infected Conficker.C machines, Conficker.C will remain on the PCs and any other malware that has been downloaded [with it] will remain as well.”
It is believed millions of Windows-based computers around the world are infected with Conficker.C, which tries to lure victims to fake anti-virus sites – some dub it “fraudware” – and get victims to pay US$50 or so to get rid of the infection.
“We’re starting to see some revenue generation,” said Phillip Porras, program director in the computer sciences laboratory at SRI International, in a presentation at the recent RSA Conference concerning Conficker. “We’re starting to see some business models come out of it.” Security researchers in industry and government are using various means to monitor Conficker.C behavior (which can block over 114 legitimate anti-virus sites and now works in conjunction with the botnet Waledec).
Porras said Conficker.C is involved in an elaborate process to sell fake anti-malware software. When it gets into infected machines, it can direct victims toward Web sites believed to be selling fraudware.
One of those sites appears to be registered in the Ukraine selling the SpywareProtect portfolio, associated with “Ukraine Bastion Trade Group,” for example, he said. But Conficker was not necessarily created by this group and researchers are still in the dark about who originates and controls the complex Conficker command-and-control system. Despite the efforts of the Conficker Working Group, a group which now has 300 experts from industry and government dedicated to do what they can to identify the source of Conficker and stop it, efforts so far have not been successful.
“They’ve gotten around blocks to shut it down,” said Porras, noting the complexity of the Conficker effort suggests a gang, rather than one individual, sharing expertise.
As for the self-destruction of the Conficker.E variant, researchers say there are strange aspects of it.
“Conficker.E has two parts of it,” says Joe Stewart, director of malware research at SecureWorks, describing it basically as breaking up what were earlier combined functions of scanning/spreading and getting downloads, such as through peer-to-peer rendezvous.
But Conficker.E, seen only since mid-April, never seemed to work that well — which was a surprise to researchers since the upgrade path so far for Conficker has been quite impressive technically.
“Some of the functionality in .E doesn’t work,” says Stewart. Conficker.E, he says, may be a new anti-malware attempt that simply wasn’t good enough, or it may be a deliberate “distraction” by attackers to throw a little dust in the eyes of researchers. “They may be working on a more advanced version,” says Stewart.
No one besides the Conficker attackers seems to know what will come next, but most researchers see financial gain to clearly be its use at present.