
Conficker starts spreading spam

By Reuters

Posted on 27 Apr 2009 at 17:31

The Conficker worm is slowly being activated, according to security experts, weeks after being dismissed as a false alarm.

Conficker, also known as Downadup or Kido, is quietly turning thousands of PCs into spambots and installing spyware, they claim.

The worm started spreading late last year, infecting millions of computers and turning them into a giant botnet.

Its unidentified creators started using those machines for criminal purposes in recent weeks by loading more malicious software on to a small percentage of computers under their control, claims Vincent Weafer, a vice president with Symantec Security Response.

"Expect this to be long-term, slowly changing," he says of the worm. "It's not going to be fast, aggressive."

Conficker installs a second virus, known as Waledac, which sends out email spam without the knowledge of the PC's owner, and also installs a fake anti-spyware program, Weafer claims.

The Waledac virus recruits the PCs into a second botnet that has existed for several years and specialises in distributing even more spam.

"This is probably one of the most sophisticated botnets on the planet," says Paul Ferguson, a senior researcher with Trend Micro. "The guys behind this are very professional. They absolutely know what they are doing."

He claims Conficker's authors have likely installed a spam engine and another malicious software program on tens of thousands of computers since 7 April.

The worm will stop distributing the software on infected PCs on 3 May, but more attacks will likely follow.

"We expect to see a different component or a whole new twist to the way this botnet does business," says Ferguson, a member of The Conficker Working Group, an international alliance of companies fighting the worm.

Researchers had feared the network controlled by the Conficker worm might be deployed on 1 April, because it was programmed to increase communication attempts from that date.

The security industry formed the taskforce to fight the worm, bringing widespread attention that experts claim probably scared off the criminals who command the slave computers.

The taskforce initially thwarted the worm using the internet's traffic control system to block access to servers that control the slave PCs.

The Conficker worm is especially tricky because it can evade corporate firewalls by passing from an infected machine onto a USB memory stick, then onto another PC.

The Conficker botnet is one of many such networks controlled by syndicates that authorities believe are based in eastern Europe, Southeast Asia, China and Latin America.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk