Business IT - Technology for your business

Warning: Conficker worm finally wakes up

Could the speculation surrounding the Conficker payload be coming to an end as the latest variant of the virulent worm reveals its hand in the form of links to the Waledac malware family and talk of rogue antivirus installations?

For many people, admittedly much the same people who thought the world would end when we entered the year 2000 courtesy of the mythical Millennium Bug, April 1st was the day that the Conficker worm would start causing havoc.

Of course, as reported on iTWire, the predicted tech apocalypse never happened. However, we also made it clear that the chances were pretty high that a payload would be revealed before too long.

Now it seems that Conficker has, indeed, revealed its hand. According to TrendLabs security researcher Ivan Macalintal, a new variant has gone live which sheds light on the payload question.

The Conficker 'WORM_DOWNAD.E' variant has started spreading using the P2P functionality of existing worm infections, and has started talking to a known malware server with links to the Waledac family.

This communication is done in order to download additional malicious components, and the bad news is that Waledac is widely suspected to be the current plaything of the gang that was previously behind the Storm botnet.

Security specialist Trend Micro confirms that it has monitored connection attempts to a known Waledac domain in order to download encrypted files.

Trend Micro says that the "Conficker botnet has awakened" and that infected nodes are "pulling down new Waledac binaries", which could be used for spamming. There has also been evidence of the installation of "Fake/Rogue AntiVirus" malware.

Interestingly, it would also appear that the latest Conficker variant issues instructions to remove itself from an infected PC on 3rd May this year. Of course, no such instruction is coded for the Waledac botnet infection.
