More than a week after its April 1 deadline, the Conficker C worm released an update that could activate the botnet to deliver spam and turn infected PCs into zombies.
Researchers say that the latest update could include a connection between the Conficker worm to the active spam bot W32.Waledac. Specifically, researchers said they have seen circumstantial evidence that the latest strain of Conficker, known as Downadup E, might drop a Waledac binary on machines infected with Conficker C. That binary is designed to steal information and turn infected PCs into spam-spewing drones under the control of the malware authors, experts say.
"We got a first look at the payload and we're still looking at this one, a worm or Trojan called Waledac associated with tons of spam," said Vincent Weafer, vice president of Symantec Security Response. "Ultimately it's about information stealing."
More Conficker updates could include widespread distribution of Trojans, keystroke loggers and other malware designed to grab user credentials and steal personal and financial information later down the road, Weafer said. "And then what's left is a very robust botnet," he added.
April 1 marked the day the Conficker worm was scheduled to undergo an update that provided a new domain generation algorithm allowing the infected computers to "call home" to about 500 of the 50,000 newly generated domains, possibly for new instructions.
The new strain of the Conficker worm updates machines infected with Conficker C to the new strain, known as Downadup E via peer-to-peer techniques.
Researchers said that they've seen a few differentiators from the previous Conficker C.
The updated Conficker prefers to travel through peer-to-peer networks to distribute its new version E. However, researchers say that the new sample doesn't appear to include new infection vectors that might allow it to propagate faster or onto new machines.
The latest version also incorporates a previously unseen self-removal functionality that is programmed with the ability to eliminate itself from infected hosts on May 3, and reaches out to a new list of high-profile domains.
Before its update April 1, Conficker C was renowned for exhibiting an array of sophisticated self-preservation techniques, which included blocking access to security vendor sites, dodging numerous antivirus products, and disabling Windows automatic updates. In addition, Conficker C has the ability to patch its own vulnerability once it has infected a machine, presumably to prevent competing malware from attacking the same host.
The earliest Conficker variants, Conficker B, and its predecessor Conficker A, had unique abilities to replicate and spread rapidly, infecting millions of PCs with techniques that ranged from brute force password guessing to transmission through USB sticks and peer-to-peer networks. Experts say that the highest rates of infections were found primarily in Latin America and other markets that rely on pirated Windows software, which doesn't receive security updates.
Meanwhile, the entire upgrade is anticipated to take weeks to months, Weafer said.
"We describe this as step five of a 1,000-step chess match. This is going to go on for a while," Weafer said. "This is not going to be an overnight upgrade."
