Trend Micro Threat Resource Center

10 April 2009

Resurrection Of Conficker?

Just a week after the April Fools Day hysteria surrounding Conficker.C, most have forgotten and gone on. Security researchers, however, have not, and have noted more activity and a possible connection to the spambot Waledac.

Researchers at both TrendMicro and Symantec noticed new activity from a Conficker variant they've now labeled Conficker.E. The new variant spreads via peer-to-peer to update machines infected by earlier variants.

The activity they are witnessing also seems fairly benign: Conficker connects to major websites such as MySpace, MSN, eBay, CNN, and AOL only to obtain a simple time update.

Whereas the .C variant burrowed its way into several areas of a computer to disable security communications and removal tools, the .E variant includes a previously unseen self-removal function that erases all traces of its presence from the infected host.

1. The worm patches “tcpip.sys” in order to increase the number of concurrent network connections available on the system.
2. Exploitation of the MS08-067 vulnerability, which was absent from W32.Downadup.C, is included again in W32.Downadup.E.
3. This variant also uses the SMB protocol to identify the target system before attempting to exploit it, most likely to increase the chances of successful exploitation.
4. The worm retains the UPnP capabilities seen in previous versions of Downadup, exploiting weaknesses in certain routers to allow access to compromised machines from external networks.
5. W32.Downadup.E will remove itself from the system on or after May 3, 2009.

The ultimate purpose of W32.Downadup.E is to install W32.Downadup.C on vulnerable systems. W32.Downadup.C will not be removed after May 3, 2009.

Thus May 3, 2009 gives us yet another date to pay attention to. TrendMicro traced the worm to sources somewhere in Korea, and noted a possible connection to Waledac, one of the world's most active spambots.

Symantec confirms an apparent connection to Waledac, and suspects Conficker.C was instrumental in distributing Waledac, which "steals sensitive information, turns computers into spam zombies, and establishes back door remote access."

Because Waledac is a new iteration of the famed Storm botnet, researchers also suspect all three pieces of malware are connected, perhaps created by the same cybercriminal source.

Malicious Code Analysis

- Technical writeup of Conficker.E
- W32.Downadup.E—Back to Basics