April 10th, 2009, 10:57 GMT · By

Microsoft Details the Evolution of $250,000 Conficker Worm

While April 1, 2009 went by quietly as far as the Conficker worm was concerned, just a week later members of the security community started reporting detections of new variants of the malicious code in the wild. Microsoft confirmed that it had identified two new variants of the worm, for whose authors' arrest it is offering a $250,000 reward. Worm:Win32/Conficker.D and Worm:Win32/Conficker.E are the newly reported binaries of the malware. Just a few days ago, security outfit BitDefender revealed that it had come across a new Conficker release featuring an evolved obfuscation layer as well as an enhanced list of blocked strings.

“We are pleased to inform that Microsoft products such as Windows Live OneCare, Windows Live OneCare safety scanner, and the Forefront family of products were able to detect both of these newly reported binaries with existing signatures, no update required as Worm:Win32/Conficker.gen!B and Worm:Win32/Conficker.gen!A. Specific detections have been added for the new variants as Worm:Win32/Conficker.D and Worm:Win32/Conficker.E,” revealed MMPC's Jimmy Kuo.

According to Microsoft, Worm:Win32/Conficker.D is nothing more than a minor variation of the .D versions of the worm already in the wild. These Conficker.D bits are designed to block additional security solutions from running on infected computers by matching the following strings: bd_rem, cfremo, kill and stinger, while also blocking access to domains containing these substrings: activescan, adware, av-sc, bdtools, mitre, ms-mvp and precisesecurity. Microsoft reports Worm:Win32/Conficker.E as an evolution of Worm:Win32/Conficker.gen!A, and the Redmond company's security solutions detect the malware without the need for any signature updates.

Kuo revealed that Worm:Win32/Conficker.E also “exploits MS08-067; contains code to spread via network shares; drops a driver similar to early variants, using the same mechanisms as Conficker.B; opens a web listener on a pseudo-random port between 1024 and 9999 based on the volume serial number of the system drive; contains some of the same IP-filtering used in Conficker.D; deletes itself on and after May 3rd 2009; uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port; [and] drops a DLL component that contains P2P [peer-to-peer] functionality.”
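The gateway behaviour Kuo describes (SSDP discovery of the router, then a SOAP command that opens an external TCP port and redirects it to an internal IP:port) corresponds to the UPnP WANIPConnection AddPortMapping action, which is visible in plain text on the LAN. The following Python is an added example, not code from Microsoft, MMPC or the article, showing how a defender can parse such a request out of captured traffic and score it against the traits the article gives (a TCP listener port between 1024 and 9999, a permanent mapping, no meaningful description). The request builder, the 192.168.x.x addresses, the ports and the scoring thresholds are all constructed assumptions for the demonstration; the SOAP action name and argument names are the standard UPnP ones.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Standard UPnP IGD action used to open an external port and redirect it inward.
SOAP_ACTION = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"


def build_request(ext_port, int_port, client, proto="TCP", lease=0, desc=""):
    """Build a UPnP AddPortMapping SOAP request (constructed sample traffic,
    shaped like what an infected host would send to its gateway)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body>"
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
    head = (
        "POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"  # assumed control URL
        "Host: 192.168.1.1:49152\r\n"                # assumed gateway address
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f'SOAPAction: "{SOAP_ACTION}"\r\n'
        f"Content-Length: {len(body)}\r\n"
    )
    return head + "\r\n" + body


@dataclass
class PortMapping:
    external_port: int
    internal_port: int
    internal_client: str
    protocol: str
    lease_seconds: int
    description: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One trait alone is common for legitimate devices; require two.
        return len(self.reasons) >= 2


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_add_port_mapping(raw):
    """Return a PortMapping for an AddPortMapping request, or None for other traffic."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().strip('"')
    if headers.get("soapaction") != SOAP_ACTION:
        return None
    args = {_local(e.tag): (e.text or "").strip() for e in ET.fromstring(body).iter()}
    return PortMapping(
        external_port=int(args["NewExternalPort"]),
        internal_port=int(args["NewInternalPort"]),
        internal_client=args["NewInternalClient"],
        protocol=args["NewProtocol"].upper(),
        lease_seconds=int(args["NewLeaseDuration"]),
        description=args["NewPortMappingDescription"],
    )


def assess(m):
    """Attach the reasons a mapping resembles the worm's gateway hole-punching."""
    if m.protocol == "TCP" and 1024 <= m.external_port <= 9999:
        m.reasons.append("external TCP port in 1024-9999, the listener range described")
    if m.lease_seconds == 0:
        m.reasons.append("permanent mapping (NewLeaseDuration=0)")
    if len(m.description) < 4:
        m.reasons.append("empty or trivial NewPortMappingDescription")
    return m


if __name__ == "__main__":
    for req in (build_request(4321, 4321, "192.168.1.57"),
                build_request(22000, 22000, "192.168.1.20", lease=86400, desc="Media server")):
        m = assess(parse_add_port_mapping(req))
        print(f"{m.internal_client}:{m.internal_port} <- ext {m.external_port}/{m.protocol}",
              "SUSPICIOUS" if m.suspicious else "ok", m.reasons)
```

In practice the input would come from a LAN packet capture or the gateway's own UPnP log rather than from `build_request`; the useful follow-up on a hit is to query the gateway's mapping table and check whether the internal client is listening on that port.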


READER COMMENTS:


Comment #1 by: helene nerenburg on 11 Apr 2009, 03:28 UTC

Thank you, thank you, Windows Live. I am so glad you are there protecting my computers.
