Hackers update Conficker worm, evade countermeasures

Computers infected with the Conficker worm are being updated with a new variant that sidesteps an industry effort to sever the link between the worm and its hacker controllers, researchers at Symantec Corp. said Friday.

The new version, dubbed Conficker.c, represents the first set of “orders” that researchers have witnessed being sent to infected systems, said Vincent Weafer, vice president of Symantec Corp.’s security response group. The update shows that the hackers want to defend their collection of compromised PCs, Weafer argued.

Conficker, which is also known as “Downadup,” gained notoriety earlier this year when it spread to millions of machines by exploiting a Microsoft vulnerability that the company patched with an emergency update in October 2008. Last month, about 20 technology companies and organizations, including Microsoft, Symantec, VeriSign Inc. and ICANN, the nonprofit group that manages the Internet Domain Name System, joined forces to preemptively register the Internet addresses Conficker’s controllers use to maintain their hold on infected machines.

More at IDG News Service

Conficker worm spawns evil twin

Conficker.c is designed to thwart that work, Weafer acknowledged. While earlier versions of the worm generate a list of 250 possible domains each day that can be used to route instructions from hackers, the new edition cranks out a list of 50,000 URLs.

“Conficker.c makes it even more difficult for us,” Weafer said, referring to the work of the so-called “Conficker cabal” in registering the worm’s routing domains. “The sheer volume that would have to be registered would be very challenging,” he said, adding that it would “probably not be feasible” to even attempt to register 50,000 domains daily.

The update also beefs up Conficker’s defenses against eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware. On the bright side, Weafer said that the number of PCs infected with Conficker has peaked, with estimates now in the hundreds of thousands rather than millions. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool that are potentially getting this update,” Weafer said.

And although the cabal’s work preemptively registering domains may be coming to a close, Weafer said it was the right move at the time. “The consortium was one mitigation among [others], but before the availability of removal tools, we thought it was the strongest solution,” he said. “Now, it will probably become a lesser part.”

Other actions that have been taken to stifle Conficker include a $250,000 reward Microsoft has offered for information that leads to the arrest and conviction of the worm’s makers.

Users can protect themselves from the worm by installing Microsoft’s MS08-067 security update, using strong passwords and disabling Windows’ Autoplay and Autorun features.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now