Don DeBolt, Director of Threat Research at CA, has warned that a fresh variant of the Conficker worm is set to activate on 1st April, April Fools' Day, and to generate 50,000 URLs a day, as reported by SCMagazine on March 16, 2009.
CA said that generating so many URLs lets the worm hide which domain it will actually contact to download instructions. The company said it does not yet know what those instructions will be, but assumes they could involve downloading more malware or deleting files.
Meanwhile, with two Conficker variants already released, the malware's creators have so far concentrated on spreading it to build their botnet. With the most recent variant, called W32.Downadup.C, they appear set to strengthen their control over the infected PCs.
Version C does this by terminating certain security tools and preventing infected computers from reaching security vendors' websites. Among the tools the variant shuts down are widely used utilities such as Procmon, Wireshark, RegMon and TCPView.
Security researchers say Conficker has been highly effective since it appeared in late 2008, infecting some 9 million systems around the world, but that the threat has yet to make its full impact.
The computer security industry succeeded in containing Conficker.B once it reverse-engineered the worm and worked out the domains it would generate, so that those domains could be registered ahead of it. Reportedly, when the Conficker.A and B variants spread, the worm contacted 32 addresses out of a possible 250 each time.
Now that their algorithm has been broken, the malware's creators have done more than revise the selection or randomization code: they have greatly raised both the total number of domains the worm generates and the number of domains it randomly picks from that pool.
The aim is to stop the domains from being shut down or pre-registered at the time they are generated, and to minimize the unavailability of the servers the worm needs for fetching and transmitting data. The experts said this also renders direct URL blocking and filtering useless.
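To see why enlarging the domain pool defeats pre-registration, here is an added, constructed model of the trade-off; it is not CA's analysis and not Conficker's real domain-generation algorithm, which is not given in the article. The generator is a stand-in date-seeded hash, the TLD list is invented, and the 32-of-250 figures are the article's; the assumption that the C variant tries 500 of its 50,000 daily domains is mine, since the article states only the pool size. The hypergeometric calculation, however, holds for any generator that samples without replacement from a daily list.

```python
"""Toy model of the domain-generation trade-off described in the article.

Added, constructed example: the generator below is NOT Conficker's real
algorithm, only a date-seeded hash standing in for one. The figures fed
to it (32 of 250 daily domains for A/B, a 50,000 pool for C) come from
the article; the 500-per-day sample for C is an assumption.
"""
import hashlib
import math

# Assumption: a stand-in TLD list; the real worm's list is not given here.
TLDS = ["com", "net", "org", "info", "biz"]


def daily_domains(day: str, total: int, seed: bytes = b"toy-dga") -> list[str]:
    """Deterministic list of `total` pseudo-random domains for ISO date `day`.

    Anyone who recovers the algorithm and seed can compute the same list
    ahead of time, which is what let researchers pre-register A/B's domains.
    """
    domains = []
    for i in range(total):
        digest = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[8] % 5                      # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(f"{label}.{TLDS[digest[13] % len(TLDS)]}")
    return domains


def p_all_sampled_blocked(total: int, sampled: int, blocked: int) -> float:
    """Probability that every domain the bot tries (`sampled`, drawn without
    replacement from the `total` pool) is one a defender already holds
    (`blocked` of them). Hypergeometric: C(blocked, sampled) / C(total, sampled)."""
    if sampled > blocked:
        return 0.0
    return math.comb(blocked, sampled) / math.comb(total, sampled)


def min_blocked_for(total: int, sampled: int, target: float) -> int:
    """Fewest pre-registered domains that deny the bot any live domain with
    probability >= target. p_all_sampled_blocked rises with `blocked`, so a
    binary search over [sampled, total] finds the threshold."""
    lo, hi = sampled, total
    while lo < hi:
        mid = (lo + hi) // 2
        if p_all_sampled_blocked(total, sampled, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for name, total, sampled in (("A/B", 250, 32), ("C (assumed 500)", 50000, 500)):
        need = min_blocked_for(total, sampled, 0.99)
        miss_one = p_all_sampled_blocked(total, sampled, total - 1)
        print(f"{name}: pool {total}/day, tries {sampled}; register {need} for "
              f"99% denial; leaving just one domain unregistered drops it to {miss_one:.3f}")
```

Two things fall out of the model. First, a defender who leaves even one of the day's domains unregistered already gives the bot a real chance of reaching a live server (about 13% per day for the 32-of-250 case), so the only robust defence is registering essentially the whole daily list. Second, the cost of that defence scales with the pool size, not the sample size: moving from 250 to 50,000 domains a day multiplies the registrations required by 200, which is what makes blocking at the domain or URL level impractical against the C variant.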
SPAMfighter News – 19-03-2009