Features revamped obfuscation and blocks more domains

Apr 8, 2009 09:25 GMT  ·  By

The malware researchers from anti-virus vendor Bitdefender have identified a new variant of the infamous Conficker worm. Its analysis has revealed an improved obfuscation layer and additional blocked strings.

Conficker, also known as Downadup or Kido, is one of the most complex and well-written pieces of malware that security researchers have seen in recent years. The original variant, Conficker.A, appeared back in November 2008, soon after Microsoft broke its patch cycle in order to release MS08-067, a fix for the critical remote code execution vulnerability in the Services service that the worm exploits in order to spread.

December 2008 saw the release of Conficker.B, the most successful variant to date, which infected an estimated number of 12 million computers at its peak. This was followed by another seriously revamped version, initially dubbed Conficker.B++. Security experts speculated that this update aimed at combating the efforts of the Conficker Cabal, a coalition of industry organizations and companies collaborating to fight the worm. Conficker.B++ is currently better known as Conficker.C.

Bitdefender announced yesterday that it had identified a new variant, but details were scarce, as it was still being analyzed. New information will be posted when it becomes available, the company's press release reads. However, our inside sources at Bitdefender have been able to provide us with more insight into this incident.

According to them, the analysts got suspicious after a customer reported that he could not access www.bdtools.net, the website used by Bitdefender to host free removal tools, from his computer infected with Conficker. This was particularly interesting, because the domain name was not amongst the ones blocked by the known variants of the worm. After securing a sample and analyzing it, the researchers concluded that they were dealing with a new version.

Even though it does not bring radical changes, like Conficker.B or Conficker.C do, this variation has an extended blacklist. The newly added strings, used by the worm to block access to domains or executables containing them, are: precisesecurity, ms-mvp, mitre, enigma, bdtools, av-sc, adware, activescan, stinger, kill, cfremo and bd_rem. Downadup also features two layers of obfuscation to prevent analysis and detection. However, our sources have informed us that, in this variant, the primary obfuscation layer is heavily modified and seems to have been particularly designed to block emulation.

Bitdefender has determined that this new version has actually been in circulation since around March 18th, but pretty much passed unobserved. It is currently detected as Win32.Worm.Downadup.Gen, under a generic routine able to identify any known variant of Conficker. The users who cannot access the www.bdtools.net website in order to obtain Bitdefender's free Conficker removal tool can download it from our secure servers. Furthermore, people having trouble executing the tool on infected computers, should rename it to something random and try again.

Photo Gallery (2 Images)

New Conficker variant analyzed by Bitdefender researchers
New Conficker variant blocked by Bitdefender Antivirus
Open gallery