It appears there are interesting developments in the Conficker/Downadup development front. Peter Coogan of Symantec describes here a variant that doesn't appear to be interested in infecting new machines, rather more so in updating and protecting itself on systems already infected with previous variants.
(And, yes, ESET's ThreatSense technology does already detect it heuristically!)
It seems to have two particularly interesting characteristics:
- It continues to attempt to disable security software like sysinternals tools and wireshark by killing processes that contain keywords. Of course, lots of other malware attempts to evade detection by killing security processes, and we noticed Conficker doing the same thing going back at least as far as January, but this retrospective "hardening" of the program's self-protective capability is interesting for reasons I'll come back to shortly.
- The domain name generation algorithm used by the earlier versions, which has been pretty effectively addressed by the industry so far (much credit is due to collaborative work by ICANN, Microsoft and F-Secure, among many others) has been tweaked to generate many more domain names. How successfully this will evades industry countermeasures based on Conficker's attempts to register domains is not altogether clear, but the intent is plain.
As Peter suggests, it looks as if the Conficker authors are particularly interested in keeping their hold on systems that are already compromised. That doesn't mean that other systems won't be targeted, of course. But it does suggest that systems already compromised have by no means been abandoned: furthermore, whatever it is the Conficker gang have been cooking up with a view to making use of those compromised systems is likely to be served up sooner, rather than later.
David Harley
Director of Malware Intelligence
