By Elinor Mills, 9 April 2009 16:04
The Conficker worm started to update itself on Wednesday via peer-to-peer, and dropped a payload on infected computers, according to Trend Micro.
At the time of writing, researchers were analysing the code of the software that had been dropped onto infected computers. The researchers suspected that it was a keystroke logger or some other data-stealing program, said David Perry, global director of security education at Trend Micro.
Researchers for Trend Micro said that the software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised. The software was heavily encrypted, which made code analysis difficult, the researchers said.
The update appeared to be attempting to access the Waledac domain, according to a post on the TrendLabs Malware Blog on Wednesday. W32.Waledac steals sensitive information, turns computers into spam zombies, and establishes back-door remote access.
The worm also tried to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com to test whether the computer had internet connectivity. It then deleted all traces of itself on the host machine, and was set to shut down on 3 May, according to the TrendLabs Malware Blog.
Infected computers are receiving the new component in a staggered manner rather than all at once, so there should be no disruption to the websites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"
A previous variant, Conficker.C, failed to make a splash a week ago despite the fact that it was programmed to activate on 1 April. It has infected between three million and 12 million computers, according to Perry.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
Security company Symantec said on Thursday that the update was for machines infected with the first variant of the worm, Conficker.A.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security websites.
Tom Espiner from ZDNet UK contributed to this article