Conficker.E to self-destruct on May 5th?

Meanwhile Conficker.C is on fraudware spree

The evolution of the multi-faceted Conficker worm is expected to take another turn this May 5th when the latest version, Conficker.E, will simply self-destruct on infected machines, say a number of security researchers.

F-Secure, Trend Micro and SecureWorks are among those that believe Conficker.E--first spotted just this April and probably created by the same attackers that since last fall let loose the Conficker.A through Conficker.C variants--has been designed to simply self-detonate on May 5th.

"It will simply self-destruct," says Mikko Hypponen, chief research officer at F-Secure, pointing out that researchers, who had been arguing over names for the variants, agreed to skip past the name "Conficker.D" entirely and settle on the name "Conficker.E."

But even if Conficker.E does simply self-destruct as expected, that still leaves millions of Windows-based computers around the world infected with Conficker.C, which has become active this month, beginning to lure victims to fake anti-virus sites--some dub it "fraudware"--to get them to pay US$50 or so to get rid of Conficker.C.

"We're starting to see some revenue generation," said Phillip Porras, program director in the computer sciences laboratory at SRI International, in a presentation he gave today at the RSA Conference here concerning Conficker. "We're starting to see some business models come out of it."

Security researchers in industry and government are using various means to monitor the behavior of Conficker.C, which can block over 114 legitimate anti-virus sites and now works in conjunction with the Waledac botnet.

Porras said Conficker.C is involved in an elaborate process to sell fake anti-malware software. When it gets into infected machines, it can direct victims toward Web sites believed to be selling fraudware.

One of those sites appears to be registered in the Ukraine selling the SpywareProtect portfolio, associated with "Ukraine Bastion Trade Group," for example, he said. But Conficker was not necessarily created by this group and researchers are still in the dark about who originates and controls the complex Conficker command-and-control system.

The Conficker Working Group now has 300 experts from industry and government dedicated to doing what they can to identify the source of Conficker and stop it, but its efforts so far have not been successful.

"They've gotten around blocks to shut it down," said Porras, noting the complexity of the Conficker effort suggests a gang, rather than one individual, sharing expertise.

As for the anticipated self-destruction of the Conficker.E variant, researchers say there are strange aspects of it.

"Conficker.E has two parts of it," says Joe Stewart, director of malware research at SecureWorks, describing it basically as breaking up what were earlier combined functions of scanning/spreading and getting downloads, such as through peer-to-peer rendezvous.

But Conficker.E, seen only since mid-April, never seemed to work that well--which was a surprise to researchers since the upgrade path so far for Conficker has been quite impressive technically.

"Some of the functionality in .E doesn't work," says Stewart. Conficker.E, he says, may be a new anti-malware attempt that simply wasn't good enough, or it may be a deliberate "distraction" by attackers to throw a little dust in the eyes of researchers. "They may be working on a more advanced version," says Stewart.

No one besides the Conficker attackers seems to know what will come next, but most researchers see financial gain as clearly its purpose at present.


Ellen Messmer

Network World