Days after the April 1st activation date of Conficker, nothing interesting was seen so far in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.
Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking on the file properties reveals that the file was created exactly on April 7, 2009 at 07:41:21.
Checking also on traffic captures show that there was no HTTP download that occurred somewhere around that time frame, which was from April 7, 2009 at 07:40:00 up to April 7, 2009 at 07:42:00. However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.
The size of the encrypted TCP blob pretty much matches the size of the binary that got created in the aforementioned folder. There are some additional bytes, which could be the headers and keys that Conficker/Downadup has been known to use.
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:
- (Un)Trigger Date – May 3, 2009, it will stop running
- Runs using a random file name and random service name
- Deletes this dropped component afterwards
- Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
- Opens port 5114, and serves as an HTTP server by broadcasting via SSDP request
- Connects to the following sites:
It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc.
Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary described below (07:41:23):
The domain currently resolves to an IP address that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary.
Two things can be summed up from the events that transpired:
- As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!
- Conficker-Waledac connection? Possible, but we still have to dig deeper into this…
Research and collaboration is currently ongoing in our own labs, as well as within the Conficker Working Group, and will update this blog post for new findings.
Thanks to Joseph Cepe and Paul Ferguson for working on additional information for this entry.
UPDATE: 10:50 PDT, 9 April 2009:
Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about — these criminals are motivated by one thing: money.
How was Downad/Conficker helping them meet their goals? It wasn’t. A very large botnet of compromised computers doesn’t make money if it justs “sits there” doing nothing.
So now we saw — as described above — that the Downad/Conficker botnet has awakened, and perhaps their desire to monetizing their efforts is becoming more clear.
In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do)from a fast-flux domain infrastructure, but also now it is also installing Fake/Rogue AntiVirus (AV) malware, too. See screenshot below:
As we have seen, the ongoing Rogue AV efforts by this criminal organization has been widespread, pernicious, unabated, and obviously profitable.
Stay tuned — this situation is still unravelling.
– Paul Ferguson, Threat Reasearch
To have a view of past WALEDAC activity, you may visit the following links below:
• DOWNAD/Conficker Watch: New Variant in The Mix?
• Waledac Spamming Image Hosting and Italian Job Offers
• WALEDAC Spamming Madness
• Waledac Localizes Social Engineering
• WALEDAC Spreads More Malware Love
• What is Old is New Again: Malicious New Year e-Card Spam
• Fake Obama News Sites Abound
• WALEDAC Loves (to Spam) You!
• Just Got Unlucky: Part 3
FAKEAV variants have also been making the rounds since early this year, as can be seen on the following posts:
• What Will Go DOWNAD on April 1?
• Crack Sites Distribute VIRUX and FakeAV
• Gmail Downtime Exposes Ad-Rigged Site
• Cybercrooks Handing Out Malware
• Bogus LinkedIn Profiles Harbor Malicious Content