Introducing Worm:Win32/Conficker.C (Conficker.B++)

Feb 24, 2009 13:57 GMT

A nasty piece of malicious code, one worth no less than $250,000 to Microsoft, has evolved to a new stage and now carries additional functionality. Microsoft has confirmed that it detected new samples of Win32/Conficker in the wild and that it has updated its antivirus definitions accordingly. The worm, which is capable of infecting all Windows client and server operating systems, including Windows XP SP3, Windows Vista SP1 and Windows 7 Beta, now also comes in a Conficker.B++ or Worm:Win32/Conficker.C flavor, in addition to the existing Worm:Win32/Conficker.A and Worm:Win32/Conficker.B.

“The new sample has modifications which introduce new backdoor functionality. Previous versions of Conficker patched netapi32.dll in memory to prevent further exploitation of the vulnerability addressed by bulletin MS08-067. We’ve discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload. The payload only executes if it is successfully validated by the malware. However, there doesn’t appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant,” revealed Microsoft's Tareq Saade and Ziv Mador.

Microsoft also noted that, even before the update, the definitions for Worm:Win32/Conficker.B were capable of detecting Worm:Win32/Conficker.C. Because of the new functionality, however, the Redmond company acknowledged the need to bring its definitions up to date with the variant. Accordingly, the upcoming release of the Malware Removal Tool will identify and remove Worm:Win32/Conficker.C.

“This change may allow the author to distribute malware to machines infected with this new variant. This might be a response to the fact that they no longer have the ability to register many of the Conficker domains. For our fellow researchers who may be trying to locate a sample, one such SHA1 is 0e24424f5dfbe391e2e834e7f22c758a63eab6ba. However, note that this is a polymorphic threat,” Mador and Saade added.

Also dubbed Downadup, Conficker was initially associated with a Critical vulnerability in the Server Service (MS08-067) that Microsoft patched in October 2008. The worm spreads not only through that security flaw, but also via removable media using Autorun and via unprotected network shares. Last week, the software giant announced that it would pay no less than $250,000 as a reward to anyone who supplies information leading to the arrest and conviction of Conficker's authors. The reward is valid internationally and has not yet been claimed.