Conficker Prowls Again, this Time through P2P

by CXOtoday Staff    Apr 14, 2009

April 1 came and went with no sign of the havoc Conficker
was expected to cause. However, the worm is now showing signs of activity again,
and security experts have given a new date to watch for: May 3.

In early April, Conficker began using peer-to-peer (P2P)
communication channels to hunt for updates, rather than the expected HTTP links.
In this case, the infected host is first contacted by another host over an
ad-hoc P2P connection. Then, after a period of several hours, the communication
begins again, this time initiated by the infected host.

According to McAfee, the communication is carried out in such a way that this
traffic (or update) may go unseen, or at least stay mostly under the radar, by
using fragmented and irregular UDP communication.


So what happens next? When this P2P communication stream
ends, the host is essentially told to go to a domain and download a file. The
infected host contacts an address and downloads an encrypted executable file.
Once executed, it can drop malware such as the ever-changing
FakeAlert or even Waledac. Also downloaded as part of the payload is, once again,
the MS08-067-like "hot" patch. This time, however, it is closer
to the original patch, so as to elude detection.


The Conficker worm has given headaches to CISOs and information
security consultants because of its evolving nature. This latest variant is now
expected to expire on May 3, says McAfee, when the worm will
receive a new update. The worm has also become more efficient: when an infected
host resolves an HTTP rendezvous domain name, it compares the resolved IP with
the list of IPs it has already queried, and if the new IP is in that list, it moves
on to the next domain in its list.
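To make the rendezvous-domain behaviour described above concrete, here is an added simulation written for this page; it is not code from the article, from McAfee, or from any Conficker sample. The domain names, the IP addresses and the resolver table are all constructed for illustration, and the function names are the example's own. It walks a candidate-domain list, resolves each name, and skips any domain whose IP has already been queried, exactly the comparison the paragraph describes.

```python
# Added example (not from the article or any Conficker sample): a simulation of
# the rendezvous-domain walk described in the text. Each candidate domain is
# resolved, the resolved IP is compared with the set of IPs already queried,
# and the domain is skipped if its IP was seen before.
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed DNS table standing in for a real resolver. Several of the
# candidate domains point at the same address (the picture a sinkhole that has
# registered many candidate names at once would present), and one has no record.
CONSTRUCTED_DNS: Dict[str, Optional[str]] = {
    "abcd1234.example": "198.51.100.7",
    "efgh5678.example": "198.51.100.7",   # same IP as the first domain
    "ijkl9012.example": "203.0.113.42",
    "mnop3456.example": None,             # does not resolve (NXDOMAIN)
    "qrst7890.example": "198.51.100.7",   # same IP again
    "uvwx1234.example": "192.0.2.9",
}


def constructed_resolver(domain: str) -> Optional[str]:
    """Look a domain up in the constructed table; None models NXDOMAIN."""
    return CONSTRUCTED_DNS.get(domain)


def walk_rendezvous_domains(
    domains: List[str],
    resolve: Callable[[str], Optional[str]],
) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (contacted, skipped) for one pass over the candidate list.

    contacted: (domain, ip) pairs whose IP had not been queried before
    skipped:   (domain, ip) pairs whose IP was already in the queried set
    Domains that do not resolve are neither contacted nor skipped.
    """
    queried_ips: Set[str] = set()
    contacted: List[Tuple[str, str]] = []
    skipped: List[Tuple[str, str]] = []
    for domain in domains:
        ip = resolve(domain)
        if ip is None:
            continue                      # no record: move to the next domain
        if ip in queried_ips:
            skipped.append((domain, ip))  # IP already queried: move on
            continue
        queried_ips.add(ip)
        contacted.append((domain, ip))    # new IP: this one would be contacted
    return contacted, skipped


def distinct_hosts_contacted(
    domains: List[str], resolve: Callable[[str], Optional[str]]
) -> int:
    """Number of distinct addresses one pass would actually reach out to."""
    contacted, _ = walk_rendezvous_domains(domains, resolve)
    return len(contacted)


if __name__ == "__main__":
    names = list(CONSTRUCTED_DNS)
    contacted, skipped = walk_rendezvous_domains(names, constructed_resolver)
    print("would contact:", contacted)
    print("skipped, IP already queried:", skipped)
    print("distinct hosts reached:", distinct_hosts_contacted(names, constructed_resolver))
```

With the constructed table, six candidate names collapse to three distinct addresses actually contacted: the three names that share 198.51.100.7 produce one attempt rather than three, and the unresolvable name is silently passed over. That is the efficiency gain the paragraph refers to, and it is also why a single sinkhole address that absorbs many candidate domains sees far fewer connection attempts from each infected host than the size of the domain list would suggest.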

Related links:

Conficker Lingers, Say Experts
Conficker Author Absconding, as D-Day Nears
PandaLabs: Conficker Worm a Global Menace