Conficker E Variant Linked To Fake Antivirus Scams
Security researchers suspect that the latest Conficker variant, Conficker E, is communicating with a known Waledac domain behind a growing wave of fake antivirus software, also known as scareware, which bullies users into paying for software that claims to protect them from the worm. The Waledac botnet is a malicious variation of the notorious Storm botnet, designed to send spam and launch information-stealing Trojans on victims' computers.
As a result, pop-up ads originating from a site in Ukraine target the millions of Windows systems infected by Conficker with warnings of malware attacks, then prompt their users to pay for fake antivirus software. The downloaded "antivirus" software is either ineffective or designed to steal information from users' PCs.
Meanwhile, the new Conficker E has been gaining ground since its April 8 update, security experts say. The latest variant is distinguished by its ability to propagate and infect machines over peer-to-peer file-sharing networks rather than through its 50,000 newly generated domains. Conficker's update also lengthens the list of security Web sites it blocks and disables still more security tools.
Researchers at Trend Micro reported that the Conficker botnet also contacts high-traffic sites, including MySpace, MSN, eBay, CNN and AOL, to check its Internet connectivity. The worm keeps current by contacting its 50,000 newly generated domains for the date and time.
As of April 1, the Conficker worm was set to undergo a major update introducing a new domain generation algorithm, one that lets infected computers contact a much longer list of nearly 50,000 newly generated domains to receive new instructions. The update did not actually occur until April 8.
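The domain generation mechanism described above leaves a characteristic trace on an organisation's DNS resolver: a burst of lookups for random-looking names, most of which nobody has registered, so the resolver answers NXDOMAIN over and over. The following Python is an added example, not code from the article or from Sophos or Trend Micro. It assumes a constructed four-field DNS query log format, constructed sample records and constructed thresholds (eight distinct NXDOMAIN names inside a five-minute window, with a mean label entropy of at least three bits), and it does not model Conficker's actual algorithm; it only shows the kind of resolver-side check a defender can run over query logs.

```python
"""Added example, not from the article or the vendors it quotes: a small
detector for the DNS footprint a domain-generation algorithm (DGA) leaves
behind.  A DGA client asks for many freshly generated names, most of which
nobody has registered, so the resolver answers NXDOMAIN in bursts.  The log
format, thresholds and sample records below are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import math
import re

# Constructed log format: "<ISO-8601 timestamp> <client-ip> <qname> <rcode>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(text):
    """Bits of entropy per character; machine-generated labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'qzmvptrxkw.com.' -> 'qzmvptrxkw' (assumes simple two-label names)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for unparsable lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode


def find_dga_suspects(lines, window=timedelta(minutes=5),
                      min_nxdomain=8, min_entropy=3.0):
    """Flag clients that, inside one sliding window, received NXDOMAIN for at
    least `min_nxdomain` distinct names whose labels average `min_entropy`
    bits or more.  Returns {client: (distinct_nxdomain_names, mean_entropy)}.
    The entropy gate keeps typo bursts and retry storms against a single
    missing internal hostname from being reported."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the pass
        ts, client, qname, rcode = rec
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))

    suspects = {}
    for client, events in per_client.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the window fits
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {q for _, q in events[start:end + 1]}
            if len(names) < min_nxdomain:
                continue
            mean_ent = sum(shannon_entropy(second_level_label(n))
                           for n in names) / len(names)
            if mean_ent >= min_entropy and (best is None or len(names) > best[0]):
                best = (len(names), round(mean_ent, 2))
        if best is not None:
            suspects[client] = best
    return suspects


# Constructed sample: 10.0.0.5 behaves like a DGA client (ten random-looking
# names in 90 seconds, after the kind of connectivity check the article
# mentions); 10.0.0.7 merely mistypes two names; 10.0.0.9 retries numbered
# internal hostnames that do not exist, which is noisy but not random.
BASE = datetime(2009, 4, 9, 10, 0, 0)
RANDOM_LABELS = ["qzmvptrxkw", "bhdfglnsyc", "jwpkxtmzrq", "vgcsnbydhl",
                 "xmqtrzkpwj", "ngfdslhcyb", "ztkwqrmxpv", "lbydhsncgf",
                 "rpjxwkqmtz", "cfsbhgldny"]


def _line(offset_s, client, qname, rcode):
    stamp = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{stamp} {client} {qname} {rcode}"


SAMPLE_LOG = (
    [_line(0, "10.0.0.5", "msn.com", "NOERROR")]
    + [_line(10 + 10 * i, "10.0.0.5", f"{label}.com", "NXDOMAIN")
       for i, label in enumerate(RANDOM_LABELS)]
    + [_line(30, "10.0.0.7", "gooogle.com", "NXDOMAIN"),
       _line(35, "10.0.0.7", "facebok.com", "NXDOMAIN"),
       _line(40, "10.0.0.7", "cnn.com", "NOERROR")]
    + [_line(60 + 5 * i, "10.0.0.9", f"test{i + 1:04d}.local", "NXDOMAIN")
       for i in range(10)]
    + ["this line is not in the expected format"]
)


def demo():
    """Run the detector over the constructed sample log."""
    return find_dga_suspects(SAMPLE_LOG)


if __name__ == "__main__":
    print(demo())
```

Only 10.0.0.5 is reported: its ten distinct names all fall inside one window and every label is made of distinct characters, so each scores log2(10) ≈ 3.32 bits. The two typos from 10.0.0.7 never reach the count threshold, and the ten "test00NN.local" misses from 10.0.0.9 reach the count but fail the entropy gate, which is exactly the false positive a raw NXDOMAIN counter would raise. In production the thresholds need tuning against the resolver's normal baseline, and a flagged host should be checked for the other behaviour the article describes, such as lost access to security vendors' sites.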
"We weren't expecting anything to happen April 1. It would have been silly for them to do something while everyone was watching," said Richard Wang, Sophos Labs manager. "On April 7, the Conficker network was ready to be used but no one was using it for anything malicious. They were just building the network and waiting for it to be put into action."
Conficker first came into the public eye in October 2008, after attackers exploited a Microsoft vulnerability in the way the Server Service handles RPC requests. Since then, the earliest versions of the worm, Conficker A and B, have propagated at unprecedented rates, infecting millions of PCs with techniques ranging from brute-force password guessing to transmission via USB sticks and peer-to-peer file-sharing sites.
The publicity surrounding Conficker's April 1 update deadline led to the development of Conficker-specific scanning software and spurred users to remove the worm from their systems. But Wang said the Conficker E variant has introduced new spreading mechanisms that will help it regain its strength.
"It looks like at the moment they are taking some steps toward a malicious payload," he said. "They're looking to rebuild the size of the network."
Wang said that the same security best practices apply to Conficker as to other malware: keep up-to-date antivirus and antispyware installed, use strong passwords, and regularly apply operating system and application patches.
"Take good security precautions like those and you'll be pretty much protected against the majority of threats out there," Wang said.