On Tuesday, computers infected by the Conficker worm woke up and downloaded a new variant.
Named “Worm.Downad.E” by Trend Micro, “Conficker.AQ” by antivirus vendor Eset and “Trojan-Dropper.Win32.Kido.o” by antivirus vendor Kaspersky Lab, this new variant has left many security threat researchers bewildered.
One conundrum: They don’t know why it has a kill switch that apparently kicks in on May 3.
Also, the new variant has a mysterious dropped component. It will eventually delete that component, and researchers are still trying to figure out why.
The new variant is not a single program but actually several related components, David Haley, director of malware intelligence at Eset, told TechNewsWorld. It is a subvariant of Conficker.A, the very first version of Conficker, which came out late in 2008, he said.
Security experts are still scrambling to unravel Conficker.AQ’s code, but they have come up with tidbits that raise more questions than they answer. Take the kill switch, for example. “We’re still trying to determine why Conficker will turn itself off on May 3,” Ivan Macalintal, a member of the Conficker Working Group, which was set up to fight the worm, told TechNewsWorld.
When the new variant is executed, it will drop a temporary file in the system folder. This poses yet another mystery. “We know it touches the TCP (transmission control protocol) and IP.sys files in memory, and that’s all,” Macalintal said. “We’re still working on analyzing it.”
Code analysis shows the temporary file will delete itself after serving its purpose, but nobody knows why, Macalintal said.
Some Gory Details
Conficker.AQ will copy itself to various locations and load and inject a library into the explorer.exe, services.exe and svchost.exe files, according to Eset. It will also register itself as a system service with a name that includes one of the following: App, Audio, DM, ER or Event.
Conficker.AQ will also delete some registry entries and terminate processes with any of these strings in the name: autoruns, avenger, bd_rem, cfremo and confick.
It disables the following service strings: Windows Security Center Service (wscsvc); Windows Automatic Update Service (wuauserv); Background Intelligent Transfer Service (BITS); Windows Defender Service (WinDefend); and Windows Error Reporting Service (ERSvc and WerSvc).
Teaming Up With Waledac?
After infected PCs downloaded Conficker.AQ, they attempted to access goodnewsdigital.com, a domain known to host the Win32/Waledac worm, and download print.exe, a new Waledac binary, Trend Micro said.
Waledac generates spam for outfits hawking fake high-end watches and for a well-known spam ring, Macalintal said. Waledac was also behind an e-card spam burst sent out on Valentine’s Day.
Thoughts of a tie-in between the two generates shivers down security researchers’ spines. “If there’s anything in that Conficker-Waledac connection, it could be a really big thing,” Macalintal said. “The Conficker Working Group is looking into this, as are we.” Macalintal is also a threat research manager at Trend Micro.
Just Checkin’ In
Conficker C, which was the last variant before Conficker.AQ, performs a few date and time checks, according to the CA Security Advisor Research Blog.
One time check occurs between 7:00 a.m. and 11:00 a.m., local system time. This is when people typically arrive at work and turn on their computers. The last date check happened on April 1, at which time the system was set to generate 50,000 domains from which to get instructions.
Conficker.AQ will continue the date and time checks by accessing servers at sites like MySpace.com, MSN.com, AOL.com, eBay.com and CNN.com. This does not indicate a sinister plan to corrupt those sites, nor does it imply any collusion between those sites and Conficker’s designers. “According to the code, it’s just to check for the date and time on various servers,” Macalintal said.
Here’s the painful truth: Conficker would not be anywhere near as effective as it is in growing if PC users had only kept up with their updates and patches. It leverages a vulnerability mentioned in Microsoft Security Bulletin MS08-067, which was published last October.
At the time, Microsoft warned that this vulnerability could allow remote code execution on various systems running the Windows operating system. “An attacker could exploit this vulnerability without authentication to run arbitrary code,” the bulletin said. “It is possible that this vulnerability could be used in the crafting of a wormable exploit.”
That frustrates researchers.
“If it wasn’t for such truly bad security practices on such a massive scale, Conficker wouldn’t be a problem anyway,” Randy Abrams, ESETs director of technical education, told TechNewsWorld.