Network News

X My Profile
View More Activity

Conficker Worm Awakens, Downloads Rogue Anti-virus Software

Security experts nervously watching computers infested with the prolific Conficker computer worm say they have begun seeing infected hosts downloading additional software, including a new rogue anti-virus product.

Since its debut late last year, the collection of hundreds of thousands - if not millions - of systems sick with Conficker has somewhat baffled security researchers, who are accustomed to seeing such massive networks being used for money-making criminal activities, such as relaying junk e-mail.

Today, however, that mystery evaporated, as anti-virus companies reported seeing Conficker systems being updated with SpywareProtect2009, a so-called "scareware" product that uses fake security alerts to frighten consumers into paying for bogus computer security software.

According to Kaspersky Labs, once the scareware is downloaded, the victim will see the usual warnings, "which naturally asks if you want to remove the threats it's 'detected'. Of course, this service comes at a price - $49.95." Kaspersky reports that the rogue anti-virus product is being downloaded from a Web server in Ukraine.

This development adds an interesting wrinkle. The first version of Conficker contained within its genetic makeup instructions telling infected systems to visit a site called TrafficConverter.biz. As I noted last month, this was a site where distributors of rogue anti-virus products would go for the latest programs and links to the latest download locations. Many affiliates were making six-figure paychecks each month distributing this worthless software by various means, all of them extremely sneaky if not downright illegal.

spywareprotect.JPG

In its bi-annual security report released this week, Microsoft cited rogue anti-virus as one of the most prolific and fastest-growing threats facing Windows users today.

The rogue anti-virus software, however, was not the only piece of rubbish to be sent to Conficker infected systems this week. Researchers at Trend Micro reported the first stirrings of Conficker.C on Wednesday, when they noticed a new file show up in the temporary director of a number of test machines they'd infected with the worm. They later determined the file had been placed there via Conficker's built-in peer-to-peer (P2P) communications capability, which allows large groupings of infected systems to hand off software updates and instructions being pushed out by the worm authors.

Trend found that the update was a version of the Waledac family of spam Trojans. Due to similarities in the code and other telltale signs, researchers consider Waledac to be the reincarnation of the "Storm worm," a spam virus that also used a sophisticated P2P mechanism to spread and share updates.

The Conficker update also sets up a Web server on the infected system, re-enables the ability to spread itself through the Microsoft Windows vulnerability that caused the outbreak in the first place (this spreading capability was absent in the Conficker version prior to this update). It also instructs the Waledac component to remove itself if the date is on or after May 3, 2009.

Perhaps that is due to some ill-understood logic within Conficker, but not all of the systems infected with Conficker.C are receiving the latest updates, said Paul Ferguson, an advanced threat researcher at Trend.

"We've seen it happen very slow and staggered," he said. "We have several nodes that have it and several that don't."

Ferguson said there are still several components tucked away in this Conficker update that researchers are struggling to unlock. But he said it's evident the worm's authors are ready to start putting it to work.

"There are still some unknowns here, but things are becoming a lot more clear, and it certainly seems they're making a move here to finally monetize all this effort," Ferguson said.

Update, 12:54 p.m. ET: Just wanted to remind readers about Conficker detection and removal advice. You can tell whether your system is infected with this worm by visiting this page here and viewing the results of the eye chart.

If you have Conficker on your system, you will not be able to use that computer to visit most security sites. There are a few exceptions. For instance, Conficker blocks infected systems from visiting F-Secure.com, but not fsecure.com, which is the same domain. They have a removal tool, available here that you should be able to grab.

By Brian Krebs  |  April 10, 2009; 7:00 AM ET
Categories:  Fraud , Latest Warnings , Safety Tips  | Tags: conficker worm, rogue anti-virus, russkranians, scareware, spywareprotect2009  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Digital Pearl Harbor, Cyber 9/11, and E-Qaeda
Next: Report: China, Russia Top Sources of Power Grid Probes

Comments

Curioser and curiouser!

Posted by: lostinthemiddle | April 10, 2009 7:33 AM | Report abuse

Yes, it had to do something eventually - I guess the 1 April thing was to get us all into a false sense of security.

There are increasing numbers of these 'scareware' scams and some of them look very convincing. As well as trying to con you out of money they can also install trojans and other malicious programs. The only protection is to get an effective antivirus program from one of the major companies. Most of them do free trials, so you have nothing to lose.

Windows security updates are important (http://windowsupdate.microsoft.com), but this alone will not protect you from conficker if it was already on your computer before.

Posted by: datadefender | April 10, 2009 9:09 AM | Report abuse

So how do we check for it and what do we do about it?

Posted by: kmcnyasha | April 10, 2009 9:17 AM | Report abuse

There is a free scan from MS for the virus. Here is the link:

http://support.microsoft.com/contactus/?ws=mscom

Posted by: prouddem | April 10, 2009 9:26 AM | Report abuse

On April 10, 2009 9:17am kmcnyasha wrote:

> So how do we check for it and what do we > do about it?

http://www.confickerworkinggroup.org/wiki/

Click "Check for Infection".

Posted by: jas_john128 | April 10, 2009 10:24 AM | Report abuse

Didn't download the OS patches that are provided free and for no money. Didn't install anti-virus software and/or didn't update anti-virus software. You are my client. I make a living off of the ignorant. Please continue. I have bills to pay.

Posted by: buddecj | April 10, 2009 10:37 AM | Report abuse

My computer at work got infected yesterday. It kept popping up "SpywareProtect 2009" and it hijacked my browser - it wouldn't let me search for "spywareprotect" in Google. Our IT person did a System Restore to an earlier date, then ran a virus scan, and everything was fine.

Posted by: megola3000 | April 10, 2009 10:59 AM | Report abuse

We probably shouldn't jump to conclusions so quickly. It's already well-known that whoever wrote this worm reacts to news reports about it. If this worm was really circulated by some nefarious agency, they would have a lot of incentive to download some crappy spam-remover tool to mislead investigators about the purpose of this worm. This could be a purely commercial effort, but it sure seems sophisticated...

Posted by: jerkhoff | April 10, 2009 12:47 PM | Report abuse

YAWN... all these PC viruses and the Mac repair man has nothing to do ....

Posted by: kkrimmer | April 10, 2009 1:29 PM | Report abuse

Nice new layout. :)

Posted by: Rixstep | April 10, 2009 1:47 PM | Report abuse

I wonder if Microsoft's reward has crimped their business plan?

Anyone who contracts with the Conficker owner to use these machines (for spam, or scareware, or whatever) has to be given some way to pay them. Presumably the authorities could use that info to track down the owners. So the Conficker owners have to somehow guarantee that their clients will earn more from using their "service" than from simply turning them in for the reward.

Of course the clients would be implicated in a crime as well, so they could be loath to do that. But a prosecutor might drop those charges to get the infamous Conficker authors.

Posted by: iMac77 | April 10, 2009 2:04 PM | Report abuse

I beg to differ with those of the opinion that the only method to prevent malware is to use obsolete blacklisting technology. There are several good endpoint security products out there that utilize whitelisting. Rather than requiring the endpoint security product to know (and have a signature for) each and every malware package, whitelisting products allow the administrator to protect the known good applications and not worry about anything that is unapproved for whatever reason. Currently these whitelisting technologies are primarily focused on the enterprise. Soon they'll be available for consumers as well.

PC

Posted by: preston4it | April 10, 2009 3:10 PM | Report abuse

megola3000 your machine was most likely hijacked long before SpywareProtect 2009 popped-up.

Read Brian's blog entry above again and you'll see that your conficker infected machine downloaded the new functionality over the past day or so.

Posted by: Annorax | April 10, 2009 5:33 PM | Report abuse

There is an easy fix for this and every other virus that hits Windoze PC users... Use a Mac :-)

Still zero viruses in the wild for the Mac and as a professional Network Security Engineer, that lets me sleep well at night even as my 8 year old surfs the net from her Mac.

When will Windoze Loosers learn??

Posted by: Derek4 | April 10, 2009 6:48 PM | Report abuse

"When will Windoze Loosers learn?"

Lol'sers.

Posted by: lostinthemiddle | April 10, 2009 7:47 PM | Report abuse

I like the new blog layout too, BK. I showed my Internet students how to find your blog the other day, and the new layout will make it easier for them to find the information they need to know to keep their computers safe.

Posted by: Heron | April 11, 2009 10:38 AM | Report abuse

Heron

Nice to see you back again.

Posted by: brucerealtor@gmail.com | April 13, 2009 12:22 AM | Report abuse

Still zero viruses in the wild for the Mac and as a professional Network Security Engineer, that lets me sleep well at night even as my 8 year old surfs the net from her Mac.
-----------------------------------
A "professional network security engineer" makes the statement "Still zero viruses in the wild for the Mac"? Fine, but I can't help but laugh. We know Mac OS and assorted apps like QT have documented vulnerabilities. Why don't criminals exploit them? Perhaps it's because criminals would rather exploit a ubiquitous OS than to waste time on a niche OS used by comparatively few users. Add in the fact a lot of persons using Windows have pirated versions ineligible for security updates. Those items alone explain to a great degree the criminal preoccupation with Windows.

I certainly wouldn't let my eight year old surf the Web on my Mac (I do have one) while I slept, unless I used safety tools like OpenDNS. Unless the Mac also prevents them from surfing porn ;)


Posted by: pga6 | April 13, 2009 1:57 PM | Report abuse

The rogue, Spyware Protect 2009, being downloaded by Conficker is actually not new. It was first found in mid January 2009. A removal guide for it is here:

http://www.bleepingcomputer.com/malware-removal/remove-spyware-protect-2009

These rogues generate a tremendous amount of money for these malware writers as Brian already reported. I can't imagine the revenue they are going to be able to scam from this one.

Posted by: Grinler | April 13, 2009 3:59 PM | Report abuse

In realm of diseases when one is faced with a pathogen such as a virus a doctor would use an agent that would arrest the disease and bring it under control. In the struggle for control over the Internet viruses, Trojans, malware, and worms are used in order to take control over vast networks of home based computers. When a body is sick it produces its own antigens in order for the body to overcome the illness, and if the body can not protect itself through it own immunity system a health practitioner would proscribe medication to aid the body in its recovery and defense against the disease. Why is it that the diseases that afflict the Internet is a passive system and not an active system like that of our immunity system, responding to the introduction of pathogens into the body electric. The Internet is an organism and the diseases are the viruses, malware, Trojans and worms that are opportunistic diseases that want to destroy and control the organism.

Hackers can take control over so many systems because there are so many that are not protected against anything. I have talked to many a friend that had just brought their first PC,and they ask me why their computers are of infected and I ask them what anti-virus software they are running; they respond with a look of duh. I believe that it is easy for a person, or group to take control over a million plus computers because sales people do not tell them that they need it. Security specialist should go to places like Best Buy and ask how many leave the store without security software pre-installed in the systems that they sell. You can count on those being bot-netted as soon as they turn the power on. If we want to stop the disease at its source, start with where the PCs are being sold, and the lack of PC education on the part of PC consumers. An educated PC'er is our best customer.

Posted by: kristianna276 | April 14, 2009 10:03 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company