Trend Micro picks up on a heavily encrypted component

Apr 9, 2009 10:42 GMT

Trend Micro malware analysts have noticed an update being pushed to computers infected with Conficker, through the worm's peer-to-peer communication protocol. The new component features a self-destruct mechanism and points to a connection with the Waledac family of malware.

The analysis was slow going because the file was heavily obfuscated. According to the researchers, the new component was downloaded over peer-to-peer from a server located in Korea that is known to be a Conficker IP node.

Detected by Trend Micro as WORM_DOWNAD.E, this update installs a new service under a random name and drops a corresponding randomly named executable file. The temporary update file is removed afterwards. The component continues propagating to other computers through the same MS08-067 vulnerability, but it is set to stop doing so on May 3, for reasons that are not yet known. It also acts as an HTTP server on port 5114.

The worm connects to several websites, including MySpace, MSN, eBay, CNN and AOL, most likely to determine whether Internet connectivity is available. However, those domains are not at risk of being flooded with requests, because the update is not being pushed to all Conficker-infected machines at once.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!" the researchers conclude.

One of the most interesting aspects of this update is that it also attempts to download another encrypted file from a domain name associated with the Waledac family of worms. Many security professionals consider Waledac to be the successor of the infamous Storm worm, because of the many similarities between the two.

"This new Downad/Conficker variant is talking to servers which are known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the 'other boot dropping' that we have all been waiting for?" Rik Ferguson, solutions architect at Trend Micro, asks rhetorically.

This report from Trend Micro comes a day after another anti-virus vendor, Bitdefender, announced the discovery of a different Conficker variant that had been in circulation since March 18 but had gone unnoticed. That variant featured improved obfuscation and blocked access to more security-related websites.