Conficker’s New Motive – Scareware
Based on all of the latest research, it appears that the latest Conficker variant (Conficker.e) shows the creator’s true intentions – greed! After some of the April 1 hype died down, the Conficker worm did finally receive the updated payload on April 7th, and reports in the wild are now showing that it is fully functioning “scareware” trying to lure unsuspecting users into paying for fake antivirus software.
A few of the important updates in this strain of the Conficker worm include:
- Uses new random file names and random service names
- Adds additional security Web sites it tries to block and disables even more security tools on the infected machine
- Connects to certain Internet sites randomly in an effort to determine the host’s external IP address
- Creates its own ad hoc peer-to-peer network as an additional command-and-control and malware distribution vector
- Attempts to make connections to the well-known Waledac botnet
- The main executable shows an automatic removal date of May 3, 2009, but the payload remains, so it will continue to communicate with other compromised systems via the P2P network
The most important thing to note with this new variant is that the same recommendations for combating this worm posted earlier are still relevant.
More information and technical details on all of the new capabilities of this variant can be found at these sites: