The internet as we know it did not end on April 1st as some media outlets would have led us to believe. What did happen was that a very well-written worm called Conficker started scanning a pool of 50,000 randomly generated domain names for instructions. As of last night, it looks like the worm is on the move again. Two things happened between last night and this morning:
1) The Conficker consortium and the creator of a simple Conficker infection test page are under a DDoS attack.
2) P2P traffic among existing Conficker peers seems to be increasing. At least one heavily encrypted file has been downloaded and removed on Conficker-infected peers.
More notes about the downloaded file:
Whatever the future of the Conficker worm, you can be assured that it will involve malicious activity for profit, potentially including DDoS for hire, spam, and theft.
On the web:
Conficker Working Group (down as of the date of this post)
http://www.confickerworkinggroup.org/
Joe Stewart's Conficker Eye Chart (also down as of the date of this post)
http://www.joestewart.org/cfeyechart.html
TrendMicro Conficker.E
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EE&VSect=P
©2010 by Priveon, Inc.