Security researchers say a worm that has infected millions of computers worldwide has been reprogrammed to strengthen its defenses while also trying to attack more machines.
Conficker, which takes advantage of a vulnerability in Microsoft's software, has infected at least 3 million PCs and possibly as many as 12 million, making it into a huge botnet and one of the most severe computer security problems in recent years.
Botnets can be used to send spam and attack other Web sites, but they need to be able to receive new instructions. Conficker can do this two ways: it can either try to visit a Web site and pick up instructions or it can receive a file over its custom-built encrypted P-to-P (Peer-to-Peer) network.
Over the last day or so, researchers with Websense and Trend Micro said some PCs infected with Conficker received a binary file over P-to-P. Conficker's controllers have been hampered by efforts of the security community to get directions via a Web site, so they are now using the P-to-P function, said Rik Ferguson, senior security advisor for the vendor Trend Micro.
The new binary tells Conficker to start scanning for other computers that haven't patched the Microsoft vulnerability, Ferguson said. A previous update turned that capability off, which hinted that Conficker's controllers may have thought the botnet had grown too large.
But now, "it certainly indicates they [Conficker's authors] are seeking to control more machines," Ferguson said.
The new update also tells Conficker to contact MySpace.com, MSN.com, Ebay.com, CNN.com and AOL.com, apparently to confirm that the infected machine is connected to the Internet, Ferguson said. It also blocks infected PCs from visiting some Web sites. Previous Conficker versions wouldn't let people browse to the Web sites of security companies.
In another twist, the binary appears to be programmed to stop running on May 3, which will shut off the new functions, he said.
It's not the first time Conficker has been coded with time-based instructions. Computer security experts were bracing for catastrophe on April 1, when Conficker was scheduled to try to visit 500 of some 50,000 random Web sites generated by an internal algorithm in order to get new instructions, but the day passed without incident.
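The rendezvous behaviour described above (hundreds of lookups of algorithmically generated names, most of which do not resolve) leaves a recognisable trace in resolver logs. The following is an added defender-side example, not code from the article or from either vendor: it parses constructed DNS log lines of the form "timestamp client qname rcode" and flags clients that look up many distinct non-existent names within a short window. The log format, the window of 300 seconds and the threshold of 5 are assumptions chosen for the sample.

```python
from collections import defaultdict, Counter

# Constructed sample resolver log (not real data): "timestamp client qname rcode".
SAMPLE_LOG = """\
1238544000 10.0.0.5 www.cnn.com NOERROR
1238544002 10.0.0.5 bqzmknfh.biz NXDOMAIN
1238544003 10.0.0.5 xpwtrjqa.org NXDOMAIN
1238544003 10.0.0.5 kjhwqzpl.net NXDOMAIN
1238544004 10.0.0.5 mvqcwxbe.info NXDOMAIN
1238544006 10.0.0.5 ztlqpwmd.com NXDOMAIN
1238544007 10.0.0.5 bqzmknfh.biz NXDOMAIN
1238544010 10.0.0.7 www.msn.com NOERROR
1238544011 10.0.0.7 tyop.example NXDOMAIN
1238600000 10.0.0.5 aaaabbbb.cc NXDOMAIN
"""

def parse_log(text):
    """Yield (ts, client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower().rstrip("."), rcode

def nxdomain_bursts(records, window=300, threshold=5):
    """Return {client: peak number of distinct NXDOMAIN names seen within any
    `window` seconds} for clients whose peak reaches `threshold`."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        names = Counter()  # distinct names currently inside the sliding window
        peak = start = 0
        for ts, qname in events:
            names[qname] += 1
            # Slide the window start forward past events older than `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                names[old] -= 1
                if names[old] == 0:
                    del names[old]
                start += 1
            peak = max(peak, len(names))
        if peak >= threshold:
            flagged[client] = peak
    return flagged

if __name__ == "__main__":
    print(nxdomain_bursts(parse_log(SAMPLE_LOG)))  # {'10.0.0.5': 5}
```

Counting distinct names rather than raw queries keeps a host that repeatedly retries one typo from being flagged, while the burst of never-seen names that a domain generation algorithm produces still stands out.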
Also worrying is that the new update tells Conficker to contact a domain that is known to be affiliated with another botnet called Waledec, Ferguson said. The Waledec botnet grew in a fashion that was similar to the Storm worm, another large botnet that has now faded but was used to send spam. It means that perhaps the same group could be linked to all three botnets, Ferguson said.
Even though Conficker doesn't appear to have been used yet for malicious purposes, it still remains a threat, said Carl Leonard, a threat research manager for Websense in Europe. The P-to-P functionality indicates a level of sophistication, he said.
"It is evident they've put a lot of effort into gathering this suite of machines," Leonard said. "They want to protect their environment and launch these updates in a way they can best capitalize on them."
Not all computers infected with Conficker will necessarily get updated quickly. To use the P-to-P update functionality, a Conficker-infected PC must search for other infected PCs, a process that isn't immediate, Ferguson said.
Given that security experts differ vastly over how many computers may be infected with Conficker, it's difficult to say what percentage have the new update.
Trend Micro and Websense both cautioned their findings are preliminary, as the binary update is still being analyzed.
Although Microsoft issued an emergency software patch last October, Conficker has continued to take advantage of those PCs which haven't been patched. In fact, some variants of Conficker will actually patch the vulnerability after the machine is infected so that no other malware can take advantage of it.