Security experts nervously watching computers infested with the prolific Conficker computer worm say they have begun seeing infected hosts downloading additional software, including a new rogue anti-virus product.
Since its debut late last year, the collection of hundreds of thousands – if not millions – of systems sick with Conficker has somewhat baffled security researchers, who are accustomed to seeing such massive networks being used for money-making criminal activities, such as relaying junk e-mail.
Today, however, that mystery evaporated, as anti-virus companies reported seeing Conficker systems being updated with SpywareProtect2009, a so-called “scareware” product that uses fake security alerts to frighten consumers into paying for bogus computer security software.
According to Kaspersky Labs, once the scareware is downloaded, the victim will see the usual warnings, “which naturally asks if you want to remove the threats it’s ‘detected’. Of course, this service comes at a price – $49.95.” Kaspersky reports that the rogue anti-virus product is being downloaded from a Web server in Ukraine.
This development adds an interesting wrinkle. The first version of Conficker contained within its genetic makeup instructions telling infected systems to visit a site called TrafficConverter.biz. As I noted last month, this was a site where distributors of rogue anti-virus products would go for the latest programs and links to the latest download locations. Many affiliates were making six-figure paychecks each month distributing this worthless software by various means, all of them extremely sneaky if not downright illegal.
In its bi-annual security report released this week, Microsoft cited rogue anti-virus as one of the most prolific and fastest-growing threats facing Windows users today.
The rogue anti-virus software, however, was not the only piece of rubbish to be sent to Conficker infected systems this week. Researchers at Trend Micro reported the first stirrings of Conficker.C on Wednesday, when they noticed a new file show up in the temporary director of a number of test machines they’d infected with the worm. They later determined the file had been placed there via Conficker’s built-in peer-to-peer (P2P) communications capability, which allows large groupings of infected systems to hand off software updates and instructions being pushed out by the worm authors.
Trend found that the update was a version of the Waledac family of spam Trojans. Due to similarities in the code and other telltale signs, researchers consider Waledac to be the reincarnation of the “Storm worm,” a spam virus that also used a sophisticated P2P mechanism to spread and share updates.
The Conficker update also sets up a Web server on the infected system, re-enables the ability to spread itself through the Microsoft Windows vulnerability that caused the outbreak in the first place (this spreading capability was absent in the Conficker version prior to this update). It also instructs the Waledac component to remove itself if the date is on or after May 3, 2009.
Perhaps that is due to some ill-understood logic within Conficker, but not all of the systems infected with Conficker.C are receiving the latest updates, said Paul Ferguson, an advanced threat researcher at Trend.
“We’ve seen it happen very slow and staggered,” he said. “We have several nodes that have it and several that don’t.”
Ferguson said there are still several components tucked away in this Conficker update that researchers are struggling to unlock. But he said it’s evident the worm’s authors are ready to start putting it to work.
“There are still some unknowns here, but things are becoming a lot more clear, and it certainly seems they’re making a move here to finally monetize all this effort,” Ferguson said