The Ashes

You probably heard of the Conficker worm, unless you were on a space trip, road trip, boat trip, any trip, or in any place without an Internet connection then we forgive you for not knowing something about it. Well, everybody was so scared of it, but so far security experts said that it’s harmless. However, this thing has changed now as Conficker is now updating through P2P between infested computers, and it drops a “mystery payload” on computers, says a Trend Micro report.

Experts from Trend Micro were analyzing a code of the software which the worm drops on infected computers which is suspected to be a keystroke logger or other software which steals important data from a computer. David Perry, global director of security education at Trend Micro, says that the software is a .sys component which Conficker hides behind a rootkit, and is “heavily encrypted” making its analysis very difficult. The rookit doesn’t make researchers’ lives easier.

The report says that Conficker is trying to connect to websites like MSN.com, eBay.com, MySpace.com, AOL.com, and CNN.com in order to see if the infected computer has an Internet connection. After this, the worm automatically deletes its traces in the host computer, and it plans to shut-down itself on May 3th.

“After May 3, it shuts down and won’t do any replications,” said Perry. But he (just like us) knows that worm-infected computers can be remotely controlled for other harmful purposes. According to Perry, Conficker created a new file in Windows’ Temp folder, and it received a heavy-encrypted TCP response from a well-known P2P IP node which is hosted in Korea.

“As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing,” says the report.

Rik Ferguson, security researcher at Trend Micro, says that the worm exchanges information with servers related to malware’s Waledac family, and with its Storm botnet. He explains that Conficker accesses one of Waledac’s domains, and downloads an extra encrypted file.

Although Conficker was almost declared harmless after it failed to activate on April 1st, Perry believes that Conficker is conceiving a masterplan. At first, the researchers thought that yesterday’s activity was a new and improved Conficker version of the worm, but then they realized that this is another part of the plan, and soon it could compromise the 3 to 12 million computers that it has infected so far.

I guess it remains to see what Conficker will do next. Hopefully, none of us will witness its power!

P.S. If you didn’t know this, the worm infects computers using a security breach in a Windows update patch from October last year. You can check if your computer is infected using this Conficker EyeChart, or the Conficker Online Infection Indicator from the University of Bonn.