Conficker Worm May Have Finally Turned

According to Trend Micro security researchers, computers already infected with Conficker are receiving a new payload via peer-to-peer communication.

Roughly a week after Conficker’s much-anticipated 1 April “big day,” Trend Micro is reporting the presence of a new payload spreading via peer-to-peer between infected computers.

Trend Micro is detecting the payload as WORM DOWNAD.E.

“Basically the component it’s downloading via peer-to-peer is just a dropper—so it drops yet another component, which we are in the process of finalizing analysis on now,” Trend Micro Advanced Threats Researcher Paul Ferguson said in a conversation with eWEEK. “It looks like it has some rootkit capabilities, but beyond that right now I can’t go into any additional detail [because] I don’t have complete information in front of me.”

Interestingly, the component contains an “untrigger date”—3 May—when it will stop running, and connects to the following sites: MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com.

“Some will randomly pick MySpace, some will randomly pick AOL, and it’s just to check to make sure it’s got Internet connectivity and see what the date and the time is to verify that … so you can’t just set your PC to 4 May and be protected before it drops the second component,” Ferguson explained.

There is some evidence that the latest Conficker update is tied to the Waledac malware family. The minds behind Waledac have built a sizable botnet that has been linked to a number of spam campaigns since late 2008.

“This new Downad/Conficker variant is talking to servers which are known already for being associated with the Waledac family of malware, in order to download further malicious components,” blogged Rik Ferguson, solutions architect at Trend Micro. “These components have so far been missing, but could this finally be the ‘other boot dropping’ that we have all been waiting for?”

Researchers at Trend Micro first noticed the component the night of 7 April when they identified a new file in a Windows Temp folder they were monitoring. They also detected a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

The new component does not constitute a new threat to users who are not already infected with the worm. On 1 April, computers infected with the variant known as Conficker.C began contacting a subset of 500 domains of a list 50,000 Conficker generates daily. Though many were expecting a major update to be delivered that day, many security pros cautioned otherwise.

“There are just so many eyeballs on this right now, they’re trying to blend in with the noise,” Paul Ferguson said. “Even with the component … there was no real, significant increase in the amount of peer-to-peer traffic. The movement to get these new components on infected nodes is going to be very slow and staggered and low-key.”