Conficker.E - P2P Updates Have Started for new variant

Trend is calling the latest variant Conficker "E". As expected, it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating.

Conficker.E - P2P Updates Have Started for new variant
http://blogs.zdnet.com/BTL/?p=16082
http://isc.sans.org/diary.html?storyid=6157
http://news.cnet.com/8301-1009_3-10215678-83.html

QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.

Conficker.E - Trend Micro Information
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
http://blog.trendmicro.com/a-look-inside-conficker-p2p-traffic/

Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well, at least from our perspective) found are:

-- (Un)Trigger Date – May 3, 2009; it will stop running
-- Runs under a random file name and a random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available; if there are no connections, uses local IPs
-- Opens port 5114 and serves as an HTTP server, broadcasting via SSDP requests
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries, etc.
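As an added example (not from this thread or from any of the vendors quoted in it), here is a small Python detector that runs over constructed connection-log lines and flags hosts showing the combination of behaviours Trend lists above: an accepted connection on TCP/5114, SSDP broadcasts, and checks against the five named sites. The log format, field order and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
# Behaviours from the Trend Micro post: TCP/5114 HTTP listener, SSDP broadcast, connectivity checks.
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}
SSDP_MCAST, SSDP_PORT, P2P_HTTP_PORT = "239.255.255.250", 1900, 5114
# Constructed (hypothetical) log format: "<timestamp> <in|out> <src_ip> <dst_ip_or_host> <tcp|udp>/<dport>"
LINE_RE = re.compile(r"^(\S+)\s+(in|out)\s+(\S+)\s+(\S+)\s+(tcp|udp)/(\d+)$")

def parse_line(line):
    """One log line -> dict, or None if the line does not match the constructed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, d, src, dst, proto, dport = m.groups()
    return {"dir": d, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def base_domain(host):
    """'www.cnn.com' -> 'cnn.com'; bare IP addresses are returned unchanged."""
    parts = host.lower().split(".")
    return host if parts[-1].isdigit() else ".".join(parts[-2:])

def collect_indicators(lines):
    """Map each local host to the set of Conficker.E-like behaviours it showed."""
    found, domains_seen = defaultdict(set), defaultdict(set)
    for r in filter(None, map(parse_line, lines)):
        if r["dir"] == "in" and r["proto"] == "tcp" and r["dport"] == P2P_HTTP_PORT:
            found[r["dst"]].add("tcp5114_listener")          # dst is the local host
        elif r["dir"] == "out" and (r["proto"], r["dst"], r["dport"]) == ("udp", SSDP_MCAST, SSDP_PORT):
            found[r["src"]].add("ssdp_broadcast")
        elif r["dir"] == "out" and r["proto"] == "tcp" and base_domain(r["dst"]) in CHECK_DOMAINS:
            domains_seen[r["src"]].add(base_domain(r["dst"]))
    for host, doms in domains_seen.items():
        if len(doms) >= 3:   # several of the five sites probed, not a single visit
            found[host].add("connectivity_check")
    return dict(found)

def suspicious_hosts(lines):
    """Hosts with the 5114 listener plus another behaviour; SSDP or popular-site traffic alone is normal."""
    return sorted(h for h, s in collect_indicators(lines).items()
                  if "tcp5114_listener" in s and len(s) >= 2)

# Constructed sample log: 10.0.0.5 shows all three behaviours, 10.0.0.9 only SSDP.
SAMPLE_LOG = """2009-04-09T10:01:02 out 10.0.0.5 239.255.255.250 udp/1900
2009-04-09T10:01:03 out 10.0.0.5 www.cnn.com tcp/80
2009-04-09T10:01:03 out 10.0.0.5 www.msn.com tcp/80
2009-04-09T10:01:04 out 10.0.0.5 ebay.com tcp/80
2009-04-09T10:01:09 in 10.0.0.7 10.0.0.5 tcp/5114
2009-04-09T10:02:00 out 10.0.0.9 239.255.255.250 udp/1900
2009-04-09T10:02:01 out 10.0.0.9 www.cnn.com tcp/80""".splitlines()
```

Calling `suspicious_hosts(SAMPLE_LOG)` returns `['10.0.0.5']`; the host that only sent SSDP and visited one site is not reported, which is the point of requiring the 5114 listener before raising an alert.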

RE: Conficker.E - P2P Updates Have Started for new variant

ISC is reporting this resource is now offline ... Not sure if it's related to the new variant?

Conficker Working Group site down
http://isc.sans.org/diary.html?storyid=6163

Conficker Instant Test for infections (offline currently)
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

RE: Conficker.E - P2P Updates Have Started for new variant

McAfee information, as AVERT Labs has also documented this new threat:

DAT release 5579 or higher provides protection.

McAfee information
http://www.avertlabs.com/research/blog/index.php/2009/04/09/new-conficker-variant/

McAfee - Conficker Resource Center
http://www.mcafee.com/us/threat_center/conficker.html

McAfee Stinger - Can now clean latest variant
http://vil.nai.com/vil/stinger/

RE: Conficker.E - P2P Updates Have Started for new variant

DAT 5579 just became available ... I'm downloading the SuperDAT version now.

UPDATE -- New DAT is working well at work and home

RE: Conficker.E - P2P Updates Have Started for new variant

More details have surfaced from F-Secure's blog ...

Conficker.E - Additional information on new Variant
http://www.f-secure.com/weblog/archives/00001652.html

QUOTE: A new variant of Conficker was found yesterday. We're still investigating the files but here's what we know so far.

• On April 8th a new update was made available to Conficker.C infected machines via the P2P network

• The new file, which we call Conficker.E, is executed and co-exists alongside the old infection

• It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C, and the gang behind this maybe realized they made a mistake and added it again.

• There's a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.

• There's also a connection to rogue anti-virus products, as we've seen it end up on Conficker.C infected machines. The rogue product was Spyware Guard 2008.

Conficker.E deletes itself if the date is May 3, 2009 or later.


More cleaning tools and resources in the links below:

CWG Home Page
http://www.confickerworkinggroup.org/wiki/pmwiki.php/Main/HomePage

CWG Recommended Repair Tools
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/RepairTools

ISC Comprehensive list of repair tools
http://www.dshield.org/diary.html?storyid=5860