Conficker worm strikes again with fresh strain

B++ tries to climb through Windows

Published: 24 February 2009 08:37 GMT by Ina Fried

Tags: virus

A new variant of the Conficker internet worm is circulating that opens up a backdoor that could allow an attacker to distribute malware to infected machines, the US-Cert organisation warned on Monday.

The new Conficker/Downadup worm, dubbed "Conficker B++", uses a new backdoor with "auto-update" functionality, Cert (computer emergency readiness team) said in an advisory.

According to Cert, Microsoft said there is no indication that systems infected with previous variants of Conficker can automatically be re-infected with the new variant.

Previous versions of Conficker took action to prevent further exploitation of the vulnerability, Microsoft said in an advisory of its own.

"We've discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload," said Microsoft, which is offering a $250,000 reward to find the creator of the Conficker worm. "The payload only executes if it is successfully validated by the malware. However, there doesn't appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant."

The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October.

Conficker also spreads via removable storage devices such as USB drives, and via network shares by guessing passwords and usernames.

Previous versions of Conficker have been busy. Conficker.A has affected more than 4.7 million IP addresses, while its successor, Conficker.B, has affected 6.7 million IP addresses, with infected hosts totalling fewer than four million computers for both, according to a technical report by SRI International.


