Conficker.C Worm Activity Detected
By: Dennis Dwyer
The April 1st "activation date" of the Conficker.C worm was hyped beforehand as a doomsday. As Joe Stewart explains in the previous post, the update to the worm introduced a new domain generation algorithm that produces 50,000 candidate domain names per day, any of which could potentially be used as an update or command-and-control server. The Conficker A and B variants chose from a list of only 250 domain names per day.
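To make the mechanism concrete, here is an added example (not code from the original post, and not Conficker's actual algorithm: the seed constant, hash function and TLD list are assumptions chosen for illustration). It shows how a date-seeded DGA lets infected hosts and their operator agree on a day's rendezvous domains without any prior contact, why the defender's pre-registration cost scales with the number of candidates per day, and how a known DGA can be turned into a simple DNS-log check.

```python
"""Illustrative date-seeded domain generation algorithm (DGA).

Added example for this post. It is NOT Conficker's algorithm and shares
no constants with it; SEED, the hash and TLDS are assumed values.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # assumed, illustrative TLD set
SEED = b"example-seed"                        # assumed embedded constant


def generate_domains(day: date, count: int, seed: bytes = SEED) -> list[str]:
    """Return `count` pseudo-random domains for calendar day `day`.

    Both the infected host and the operator can compute this list from the
    date alone, so the operator only has to register one of them to issue
    an update or command that day.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                       # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def defender_registrations(days_ahead: int, domains_per_day: int) -> int:
    """Domains a defender must pre-register or sinkhole to deny the HTTP
    rendezvous channel for the next `days_ahead` days."""
    return days_ahead * domains_per_day


def matches_dga(domain: str, day: date, count: int, window: int = 1) -> bool:
    """Lookup-based detector for DNS logs: is `domain` one of the candidates
    for `day` plus or minus `window` days (to tolerate clock skew)?

    This only works once the DGA has been reverse engineered, as Conficker's
    was; it says nothing about updates delivered over P2P.
    """
    for delta in range(-window, window + 1):
        candidates = set(generate_domains(day + timedelta(days=delta), count))
        if domain in candidates:
            return True
    return False


if __name__ == "__main__":
    activation = date(2009, 4, 1)
    print("First 5 candidates for", activation, generate_domains(activation, 5))
    for per_day in (250, 50000):
        print(f"{per_day:>6} domains/day -> {defender_registrations(30, per_day):>9} "
              "registrations to cover 30 days")
```

The cost function is the point of the 250-versus-50,000 comparison: blocking a month of a 250-domain DGA means handling a few thousand names, while a 50,000-domain DGA pushes that past a million. The detector is the defensive counterpart, and its limitation is exactly the one the post goes on to describe: if the worm takes its updates over P2P, domain-based controls never see them.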
A week later, Conficker's authors appear to be up to no good: Conficker.C has just started delivering a nasty payload cocktail. It is interesting to note that the updates reached infected machines over the worm's P2P channel, not over HTTP. This may mean that the list of 50,000 possible update domains was a red herring. Another possible explanation is that the controls and mitigations put in place by security vendors, such as blocking and pre-registering the generated domains, were effective enough that the authors fell back on P2P instead.
The SecureWorks Counter Threat Unit has observed Conficker.C installing Waledac. Waledac in turn installs the rogue security product Spyware Protect 2009. At some point, users of these machines will see popups pressuring them to pay $49.95 for the software. The SecureWorks CTU continues to monitor and protect against this threat.