Conficker Worm Strikes Back With New Variant

The Conficker/Downadup worm managed to slither onto millions of PCs worldwide at its height, but after it initially infected a computer it only really acted to spread itself, and didn't cause further harm. Until now.

Symantec reports today that it has found a new variant of the virulent worm that will identify antivirus software or security analysis tools running on the infected PC, and attempt to shut down those programs. This is a strong signal that the worm's mysterious creators haven't abandoned their creation in the face of worldwide attention, as some in the industry have theorized, but may still have plans to make a buck off their work.

Vincent Weafer, Vice President, Symantec Security Response, says the company has only seen the new variation as an update that was sent to an existing worm on a honeypot (a machine that's purposely left infected to watch for updates and changes). Symantec hasn't yet seen this functionality in a new worm variant that can spread on its own, Weafer says, but that may be coming.

In addition to the strike against security software, which is a common tactic for malware, the new functionality also expands the lists of domains Conficker will check each day for updates from 250 to 50,000. This is a clear attempt to counter an industry coalition that attempts to block access to those domains each day.

That coalition is largely successful, Weafer says, but while the worm's ability to reach a domain for an update is much lowered, it's not zero. And if one infected PC in a network can sneak through to pick up this update, it may be able to spread it to other already infected PC's using a peer-to-peer ability. Weafer estimates current infections in the hundreds of thousands, down from millions after a heavy worldwide cleanup effort.

Also, Symantec is still in the process of investigating the new code, according to Weafer, and may still find other new tricks in the new variant.

To protect against the Conficker worm, first make sure you've installed the patch that closes a targeted hole in the Microsoft Server Service. Next, protect any network shares and administrator accounts with a strong password, as Conficker will try to guess easy ones.

Finally, you can block the worm's third infection, which hijacks thumb drives and other removeable media, by disabling Autorun on Windows. PC World has a download available that can automate that step for Windows XP users, and Microsoft has posted manual instructions. Check my original Conficker post for more information on how it spreads.

Subscribe to the Security Watch Newsletter

Comments