Conficker confounds Microsoft cabal
By Stuart Turton
Posted on 9 Mar 2009 at 10:49
The Conficker worm has been updated by its creators, enabling it to evade the measures implemented by the security companies trying to destroy it.
Unlike the recently discovered Conficker B++ variant, this is not a new strain of the worm but rather an update to the original that is being rolled out across infected machines.
According to Symantec, which spotted the update, this is the first time the creators have sent new orders to the worm, suggesting the recent bounty offered by Microsoft hasn't scared them underground.
Until now, Conficker's most interesting trick was to randomly generate 250 possible domains each day that hackers could use to route updates to the worm.
This tactic was hampered by a Microsoft-led consortium which cracked the algorithm used to generate this list, so that companies could snap up the domains before the worm. In order to combat this, Conficker C now generates 50,000 URLs.
"These early findings suggest the Conficker authors are now aiming for increasing the longevity of the existing Conficker threat on infected machines," says a posting on the Symantec blog.
"Instead of trying to infect further systems, they seem to be protecting currently infected Conficker machines from antivirus software and remediation."
However, there is a bright spot. According to the company, the number of infections appears to have peaked, with estimates now in the hundreds of thousands rather than millions.
