Conficker gets new lease of life

By Stuart Turton

Posted on 24 Feb 2009 at 10:24

Malware writers have created a new version of the Conficker worm that no longer needs to phone home to download its malware package.

Dubbed Conficker B++, the new strain opens a backdoor on the infected machine allowing hackers to push out updates directly to the worm, without it needing to contact a remote server first.

Or in the words of Microsoft's advisory: "We've discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead, it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload."

This was the unusual tactic of the original Conficker. However, it has been frustrated by the Microsoft-led alliance of security companies, which is busily taking down sites associated with the worm.

Malware creators have also taken steps to shield Conficker B++ from the patches put in place to fend off its predecessor.

On the bright side, Microsoft claims that there's no easy way for hackers to upgrade the original Conficker to its new and improved sibling, which means it will need to spread from scratch.

Microsoft has a $250,000 bounty out for the Conficker creator. Pick up next month's PC Pro for our investigation into whether the reward is likely to do more harm than good.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
