In the end, the criminals behind the Conficker worm only waited a week to update the malicious program.
On late Tuesday, computers infected with the worm began downloading new commands to modify how the Conficker functions, security firms reported. The latest modifications to the program — also referred to as Downad, Downadup and Kido by different security companies — reactivates the worm's ability to spread using a flaw in Microsoft Windows and redirects most communications through the program's peer-to-peer network, said Stephan Chenette, manager of security research for network-protection firm Websense.
The latest update also causes compromised computer to go to a domain known to host a malicious program known as Waledac. The addition of peer-to-peer networking — a characteristic feature of Waledac and its cousin, the Storm Worm — suggests that the programs share the same creator or that the creators have some sort of relationship, Chenette said.
"Peer-to-peer is going to become a large part of what Conficker will use for updates and command and control," he said. "It is the same thing that Storm and Waledac did."
With the peer-to-peer update, the authors of the Conficker worm dodged the efforts of defenders to prevent the program from getting an upgrade. The mainstream media had focused on April 1 — the day that the previous version of Conficker would start searching through 50,000 random domains daily — as D-Day for the security community. Instead, the authors waited a week and never even used the Internet drop, or rendezvous, point system on which remediation efforts had focused.
Researchers with the Conficker Working Group, formerly called the Conficker Cabal, continued to analyze the latest cod, said Websense's Chenette. The current version also has an expiration date, after which the worm will likely stop trying to spread, but may keep listening for new commands sent through the peer-to-peer network.
"We are all still trying to figure out all the particular details of the new Conficker binary," Chenette said. "We are all trying to put this together — what this is doing and what it is ... As they change their methods, so we have to change they way we do our analyses. It takes a little while, but we will get all the details in time."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos