Conficker.E - P2P Updates Have Started for new variant

Posted Thursday, April 09, 2009 3:14 PM by hwaldron

Trend is calling the latest variant Conficker "E". As expected, it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating.

Conficker.E - P2P Updates Have Started for new variant
http://blogs.zdnet.com/BTL/?p=16082
http://isc.sans.org/diary.html?storyid=6157
http://news.cnet.com/8301-1009_3-10215678-83.html
http://securitylabs.websense.com/content/Alerts/3338.aspx

QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.

Conficker.E - Trend Micro Information
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
http://blog.trendmicro.com/a-look-inside-conficker-p2p-traffic/

Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well, at least in our perspective) found are:

-- (Un)Trigger Date: May 3, 2009; it will stop running
-- Runs under a random file name and a random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available; if there are no connections, uses local IPs
-- Opens port 5114 and serves as an HTTP server, by broadcasting via SSDP request
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries, etc.
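The Trend Micro list above gives three network-observable behaviours a defender can correlate: SSDP broadcasts, an HTTP listener on TCP 5114, and MS08-067 propagation over SMB. The following is an added detection example (not code from Trend Micro or the post's author) that scores hosts from constructed flow records; the flow format, the fan-out threshold and the sample addresses are assumptions made for the demo.

```python
"""Score hosts against the Conficker.E behaviours above: SSDP announcements,
an HTTP listener on TCP 5114 (seen as inbound connects), and MS08-067 style
propagation (many distinct peers contacted on TCP 445)."""
from collections import defaultdict

SSDP_GROUP = ("239.255.255.250", 1900)   # SSDP multicast group and port
P2P_HTTP_PORT = 5114                     # port named in the Trend write-up
SMB_PORT = 445                           # MS08-067 is exploited over SMB

# Constructed flow records for the demo: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.0.0.7 49152 239.255.255.250 1900 udp
10.0.0.9 50001 10.0.0.7 5114 tcp
10.0.0.7 49300 198.51.100.20 445 tcp
10.0.0.7 49301 198.51.100.21 445 tcp
10.0.0.7 49302 198.51.100.22 445 tcp
10.0.0.7 49303 198.51.100.23 445 tcp
10.0.0.7 49304 198.51.100.24 445 tcp
10.0.0.9 49400 239.255.255.250 1900 udp
10.0.0.5 49500 10.0.0.1 80 tcp
"""

def parse_flows(text):
    """Yield (src, sport, dst, dport, proto); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1].isdigit() and parts[3].isdigit():
            yield parts[0], int(parts[1]), parts[2], int(parts[3]), parts[4].lower()

def indicators_by_host(text, smb_fanout=5):
    """Map each host to the set of indicators its flows exhibit."""
    hits, smb_peers = defaultdict(set), defaultdict(set)
    for src, _sport, dst, dport, proto in parse_flows(text):
        if proto == "udp" and (dst, dport) == SSDP_GROUP:
            hits[src].add("ssdp_announce")
        elif proto == "tcp" and dport == P2P_HTTP_PORT:
            hits[dst].add("http_5114_listener")   # a peer reached its 5114
        elif proto == "tcp" and dport == SMB_PORT:
            smb_peers[src].add(dst)
    for host, peers in smb_peers.items():
        if len(peers) >= smb_fanout:              # scanning-like SMB fan-out
            hits[host].add("smb_fanout")
    return dict(hits)

def suspect_hosts(text, min_indicators=2, smb_fanout=5):
    """Hosts with at least min_indicators; SSDP alone is normal UPnP noise."""
    return sorted(h for h, s in indicators_by_host(text, smb_fanout).items()
                  if len(s) >= min_indicators)
```

Requiring two independent indicators keeps ordinary UPnP devices (which also send SSDP traffic) from being flagged on their own.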
