Conficker.E - P2P Updates Have Started for new variant - Harry Waldron

Community

Email Notifications

Personal Links

Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Conficker.E - P2P Updates Have Started for new variant

Lightning Trend is calling the latest variant Conficker "E". As expected it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating.

Conficker.E - P2P Updates Have Started for new variant
http://blogs.zdnet.com/BTL/?p=16082
http://isc.sans.org/diary.html?storyid=6157
http://news.cnet.com/8301-1009_3-10215678-83.html

QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (disfunct) web sites.

Conficker.E - Trend Micro Information
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
http://blog.trendmicro.com/a-look-inside-conficker-p2p-traffic/

Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:

-- (Un)Trigger Date – May 3, 2009, it will stop running
-- Runs in random file name and random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
-- Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc

Storm McAfee information as AVERT labs has also documented this new threat:

DAT release 5579 or higher provides protection.

McAfee information
http://www.avertlabs.com/research/blog/index.php/2009/04/09/new-conficker-variant/

McAfee - Conficker Resource Center
http://www.mcafee.com/us/threat_center/conficker.html

McAfee Stinger - Can now clean latest variant
http://vil.nai.com/vil/stinger/

Storm ISC is reporting this resource is now offline ... Not sure if it's related to new variant?

Conficker Working Group site down
http://isc.sans.org/diary.html?storyid=6163

Conficker Instant Test for infections (offline currently)
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

Posted: Apr 09 2009, 06:08 AM by Harry Waldron | with 1 comment(s)

Comments

extra exploit said:

Hi to all,

I don't understand what will happen in the 3rd of may 2009. On my analysis I have saw that for the date below the 3 may it's dropped and executed a service on infected machine. Is this correct ?. For this analysis in draft mode I have post some screenshot on my blog: extraexploit.blogspot.com

regards

# April 22, 2009 10:55 AM

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.

Recent Posts