Aimed at undermining the work of the anti-Conficker coalition

Mar 9, 2009 06:00 GMT  ·  By

Researchers at antivirus vendor Symantec report that an update has been delivered to some Conficker-infected computers. Initial analysis indicates that the new variant raises the stakes by generating 50,000 domain names per day instead of 250.

Conficker, also known as Downadup or Kido, is one of the most successful computer worms in the history of the Internet. First seen in November 2008, it spreads by exploiting a Windows Server service vulnerability that Microsoft patched out-of-band in October 2008 (MS08-067). The worm infected around 12 million systems at its peak, while its active botnet (army of zombie computers) is estimated at around 2 million.

Conficker uses a date-seeded domain-generation algorithm to produce a daily list of domain names, which it then tries to contact in order to receive commands and updates. Because the algorithm is deterministic, anyone who has reverse-engineered it can compute the same list for any date in advance. Up until now, no update or command has been sent to the botnet by its creators, causing security researchers to speculate about the real purpose of the worm.

Faced with the massive number of compromised systems, Microsoft, together with other industry players, has formed an anti-Conficker coalition, dubbed "the Conficker cabal" by the media. One of the alliance's weapons is registering in advance the 250 domain names the worm generates each day, so that the botnet's rendezvous points are in the defenders' hands before the worm ever queries them.

The update noticed by the Symantec analysts is a clear response by the Conficker authors to the cabal's work. The revamped algorithm now generates a staggering 50,000 domain names every day, spread across many more TLDs (suffixes). Some of these names will inevitably coincide with legitimately registered domains, and the sheer volume makes it practically impossible for the coalition to pre-register all of them.
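To make the three preceding points concrete (a deterministic daily domain list, defenders pre-registering that list, and why 50,000 names across many TLDs breaks that approach), here is an added example in Python. It is not Conficker's actual algorithm and not code from Symantec or the coalition: the hash chain, the salt, the label lengths, the TLD lists, the $10 registration fee and the DNS log format are all assumptions made for illustration. It shows how a reverse-engineered DGA lets a defender both plan pre-registration (including names that collide with legitimate domains) and flag DNS lookups that hit the day's generated set.

```python
"""Illustrative date-seeded DGA and the defender-side bookkeeping around it.

The generator below is a stand-in, NOT Conficker's real algorithm; the salt,
hash, label lengths and TLD lists are assumptions for this example.
"""
import datetime as dt
import hashlib

# Assumed TLD sets: the small one mirrors the 250-a-day generations, the
# larger one stands in for the many-TLD scheme (constructed, not the real list).
FEW_TLDS = ("com", "net", "org", "info", "biz")
MANY_TLDS = FEW_TLDS + ("ws", "cn", "cc", "de", "fr", "uk", "ru", "jp", "nl",
                        "ch", "at", "be", "dk", "es", "fi", "hu", "ie", "it",
                        "no", "pl")
SALT = b"example-dga-salt"      # assumed constant baked into the sample
EXAMPLE_DAY = dt.date(2009, 3, 9)


def generate_domains(date, count, tlds, salt=SALT):
    """Deterministically derive `count` unique domains for `date` from a hash chain.

    Anyone who knows the algorithm (here: the salt and the hash) can run it for
    any date, which is exactly what lets a defender pre-register the names.
    """
    seed = hashlib.sha256(date.isoformat().encode() + salt).digest()
    domains, seen, counter = [], set(), 0
    while len(domains) < count:
        h = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        length = 10 + h[0] % 5                              # 10..14 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        name = f"{label}.{tlds[h[31] % len(tlds)]}"
        if name not in seen:                                # guarantee uniqueness
            seen.add(name)
            domains.append(name)
    return domains


def preregistration_plan(start, days, per_day, tlds, already_registered, fee=10.0):
    """Work out what pre-registering every generated name for `days` days costs.

    `already_registered` models legitimate domains that happen to collide with
    generated names; those cannot be taken by the defenders and are reported.
    """
    needed, collisions = set(), set()
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        for name in generate_domains(day, per_day, tlds):
            (collisions if name in already_registered else needed).add(name)
    return {"to_register": len(needed),
            "collisions": sorted(collisions),
            "cost": len(needed) * fee}


def flag_dga_queries(log_lines, date, per_day, tlds):
    """Return the DNS log lines whose queried name is in `date`'s generated set."""
    todays = set(generate_domains(date, per_day, tlds))
    flagged = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()   # constructed format: name last
        if qname in todays:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    old = preregistration_plan(EXAMPLE_DAY, 1, 250, FEW_TLDS, set())
    new = preregistration_plan(EXAMPLE_DAY, 1, 50_000, MANY_TLDS, set())
    print(f"250/day -> {old['to_register']} names, ${old['cost']:.0f} per day")
    print(f"50k/day -> {new['to_register']} names, ${new['cost']:.0f} per day")

    # Constructed DNS log: one query hits a generated name, the others are benign.
    hit = generate_domains(EXAMPLE_DAY, 250, FEW_TLDS)[7]
    log = [
        "2009-03-09T06:00:01 10.0.0.12 query www.microsoft.com.",
        f"2009-03-09T06:00:02 10.0.0.12 query {hit}.",
        "2009-03-09T06:00:03 10.0.0.41 query update.symantec.com.",
    ]
    for line in flag_dga_queries(log, EXAMPLE_DAY, 250, FEW_TLDS):
        print("DGA lookup:", line)
```

Running the script shows the economics shift from a few thousand dollars a day to half a million, before counting the registry coordination needed across many TLDs; the `collisions` list is the set of legitimate domains the defenders cannot take, which grows with the number of generated names.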

In addition, the new variant pushed through the update mechanism attempts to neutralize the security applications that target the worm: it kills every process whose name contains one of the strings in a predefined list.

This new version currently has no means of propagating on its own and can only be pushed as an update. However, Peter Coogan, malware analyst at Symantec, explains that "These early findings may suggest that the Downadup authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines. Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation."