Conficker Ariseth – Rears Ugly Head, Drops Files…
Conficker Comes To Life Again…Time To Suit Up
TrendMicro TrendLabs Security Blogs‘ Ivan Maclintal [an Advanced Threats Researcher at the company], has published discoveries of more Downad/Conficker activity, days after the media hyped April 1st showdown fizzled. This time, active P2P communications along with a payload dropped into the \temp directory on infected Microsoft Corporation [NasdaqGS: MSFT] computers, leads researchers to surmise unabated infections will become even more pernicious [if such a thing is possible]. More information including a short snippet of the original TrendMicro post appears after the jump.
From the TrendMicro TrendLab’s Ivan Macalintal (Advanced Threats Researcher) April 8th Post: “DOWNAD/Conficker Watch: New Variant in The Mix?
Days after the April 1st activation date of Conficker, nothing interesting was seen so far in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.
Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking on the file properties reveals that the file was created exactly on April 7, 2009 at 07:41:21.
Checking also on traffic captures show that there was no HTTP download that occurred somewhere around that time frame, which was from April 7, 2009 at 07:40:00 up to April 7, 2009 at 07:42:00. However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.
The size of the encrypted TCP blob pretty much matches the size of the binary that got created in the aforementioned folder. There are some additional bytes, which could be the headers and keys that Conficker/Downadup has been known to use.
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:
- (Un)Trigger Date – May 3, 2009, it will stop running
- Runs in random file name and random service name
- Deletes this dropped component afterwards
- Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
- Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
- Connects to the following sites:
- Myspace.com
- msn.com
- ebay.com
- cnn.com
- aol.com
It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_b.png?x-id=4c61c94d-2d54-4a8e-bfa9-f233654267a6)
