Saturday, July 31, 2010

New Conficker Variant Discovered by Bitdefender

July 11, 2009 by admin_denz

Malware researchers from anti-virus vendor Bitdefender have identified a new variant of the infamous Conficker worm. Their analysis has revealed an improved obfuscation layer and additional blocked strings. Conficker, also known as Downadup or Kido, is one of the most complex and well-written pieces of malware that security researchers have seen in recent years. The original variant, Conficker.A, appeared back in November 2008, soon after Microsoft broke its patch cycle in order to release MS08-067, a fix for the critical remote code execution vulnerability in the Server service that the worm exploits in order to spread.

The company announced that it had identified a new variant, but details were scarce, as the sample was still being analyzed. According to Bitdefender, the analysts became suspicious after a customer reported that he could not access www.bdtools.net, the website Bitdefender uses to host its free removal tools, from his Conficker-infected computer. This was particularly interesting because that domain name was not among the ones blocked by the known variants of the worm. After securing a sample and analyzing it, the researchers concluded that they were dealing with a new version.

Even though it does not bring radical changes the way Conficker.B or Conficker.C did, this variant has an extended blacklist. The newly added strings, which the worm uses to block access to any domain or executable whose name contains them, are: precisesecurity, ms-mvp, mitre, enigma, bdtools, av-sc, adware, activescan, stinger, kill, cfremo and bd_rem. This Downadup build also features two layers of obfuscation to hinder analysis and detection.

This new version has actually been in circulation since around March 18th but passed largely unobserved, Bitdefender says. It is currently detected as Win32.Worm.Downadup.Gen, under a generic routine able to identify any known variant of Conficker. Users who cannot reach the www.bdtools.net website to obtain Bitdefender's free Conficker removal tool can download it from these secure servers. Those who have trouble executing the tool on an infected computer should rename it to something random and try again.
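The two defender-side consequences of the string blacklist described above (a removal tool whose file name contains a blocked substring will not run, and a domain whose name contains one will not be reachable from an infected host) can be turned into a small triage helper. The following is an added example written for this post, not Bitdefender's code or the worm's logic: it checks a name against the substrings listed in the article, proposes a random file name that avoids them, and looks for the characteristic blocking pattern (vendor domains unreachable while unrelated control domains work). The network probe is injected as a function so the example runs offline; the `simulated_infected_probe` below is a constructed stand-in that mimics the blocking behaviour rather than anything observed on a real host.

```python
import secrets
import string
from typing import Callable, Dict, Iterable, List

# Substrings the article reports as newly added to the variant's blacklist.
# Earlier variants carry a longer list; only the page's strings are used here.
NEW_BLOCKED_STRINGS = (
    "precisesecurity", "ms-mvp", "mitre", "enigma", "bdtools", "av-sc",
    "adware", "activescan", "stinger", "kill", "cfremo", "bd_rem",
)


def matches_blocklist(name: str, blocklist: Iterable[str] = NEW_BLOCKED_STRINGS) -> List[str]:
    """Return the blacklist substrings present in a domain or file name.

    The worm matches on substrings, so comparison is case-insensitive and
    does not require the whole name to equal a blocked string.
    """
    lowered = name.lower()
    return [s for s in blocklist if s in lowered]


def random_tool_name(length: int = 8) -> str:
    """Pick a random .exe name that contains none of the blocked substrings.

    This is the 'rename the tool to something random' advice made systematic:
    a short random string is unlikely to contain a blocked substring, but the
    loop guarantees it (e.g. 'kill' could appear by chance in random letters).
    """
    alphabet = string.ascii_lowercase + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length)) + ".exe"
        if not matches_blocklist(candidate):
            return candidate


def blocking_pattern_detected(
    probe: Callable[[str], bool],
    vendor_domains: Iterable[str],
    control_domains: Iterable[str],
) -> Dict[str, object]:
    """Test whether reachability follows the worm's substring-based blocking.

    `probe(domain)` returns True when the domain is reachable from this host.
    Every vendor domain handed in must contain at least one blacklisted
    substring, otherwise the test would not be measuring the blocklist.
    The pattern is flagged as suspicious only when all vendor domains fail
    and all control domains succeed, which rules out a plain outage.
    """
    vendor_failed, vendor_ok, controls_ok, controls_failed = [], [], [], []
    for domain in vendor_domains:
        if not matches_blocklist(domain):
            raise ValueError(f"{domain} contains no blacklisted substring")
        (vendor_ok if probe(domain) else vendor_failed).append(domain)
    for domain in control_domains:
        (controls_ok if probe(domain) else controls_failed).append(domain)

    suspicious = bool(vendor_failed) and not vendor_ok and bool(controls_ok) and not controls_failed
    return {
        "vendor_failed": vendor_failed,
        "vendor_ok": vendor_ok,
        "controls_ok": controls_ok,
        "controls_failed": controls_failed,
        "suspicious": suspicious,
    }


def simulated_infected_probe(domain: str) -> bool:
    """Constructed stand-in for a network probe on an infected host:
    reachable unless the name contains a blacklisted substring."""
    return not matches_blocklist(domain)


if __name__ == "__main__":
    # Constructed probe set: the domain from the article plus a control.
    report = blocking_pattern_detected(
        simulated_infected_probe,
        vendor_domains=["www.bdtools.net"],
        control_domains=["www.example.com"],
    )
    print("blocking pattern:", report["suspicious"])
    print("blocked name check:", matches_blocklist("bd_rem_tool.exe"))
    print("try renaming the tool to:", random_tool_name())
```

On a real host, replace `simulated_infected_probe` with a function that performs a DNS lookup or an HTTP request and returns whether it succeeded; keep at least one control domain so a general network failure is not misread as the worm's blocking.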
