Conficker evolves with new variant
From the 'evolution is not always a good thing' files:
Conficker, the dreaded, much-hyped worm that was supposed to trigger 'something' on April 1st but didn't, has evolved (again). Multiple anti-virus vendors are now reporting a new variant of Conficker (called WORM_DOWNAD.E by Trend Micro and W32/Confick-D by Sophos).
The new Conficker variant also has an activation date attached to it -- this time it's May 3rd.
According to Trend Micro, the new variant runs under a random file name and a random service name. It also deletes its original download, leaving no traces in the Windows registry. What that means is that if you're just looking for a file named 'conficker', you're not going to find it.
In my opinion, detecting it should be as straightforward as previous Conficker iterations. For one, this version of Conficker opens port 5114 (according to Trend Micro) to serve as an HTTP server. If you're running a proper firewall setup where inbound and outbound traffic has to be authorized, locking down a local PC and/or Windows server to keep that port closed is not a big deal.
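As an added illustration (not from the original post), here is a small Python check that parses Windows `netstat -ano` output and reports the PID of anything listening on TCP 5114, the port Trend Micro says this variant opens; since the file and service names are randomized, the listening port is the stable thing to key on. The sample netstat output below is constructed, not a real capture.

```python
import re
from typing import List, Optional, Dict

# Port the new variant reportedly opens as an HTTP server (per Trend Micro, as cited above).
CONFICKER_HTTP_PORT = 5114

# Constructed sample of Windows `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5114           0.0.0.0:0              LISTENING       3412
  TCP    192.168.1.20:49152     203.0.113.7:80         ESTABLISHED     2260
  UDP    0.0.0.0:5114           *:*                                    1020
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse `netstat -ano` rows into dicts; header and blank lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := NETSTAT_LINE.match(line))]


def local_port(addr: str) -> int:
    """Return the port from 'host:port' (also handles bracketed IPv6 '[::]:port')."""
    return int(addr.rsplit(":", 1)[1])


def find_suspect_listeners(text: str, port: int = CONFICKER_HTTP_PORT) -> List[int]:
    """PIDs of TCP sockets LISTENING on `port`; each one is a process to investigate."""
    return [int(r["pid"]) for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and local_port(r["local"]) == port]


if __name__ == "__main__":
    for pid in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"PID {pid} is listening on TCP {CONFICKER_HTTP_PORT}; check with tasklist /svc")
```

A clean result only means nothing is listening on that port right now; the worm still spreads through the Windows flaw mentioned below, so the patch matters more than the port.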
As well, like its predecessors (so far as I can tell from the current research), it's still exploiting the same Windows flaw, which Microsoft patched back in October (so just patch your Windows boxes, people!).
The real threat here, though, in my view, is that the Conficker author(s) are continuing to evolve the worm to evade detection, as the randomization in this new variant shows. In that respect, Conficker is showing itself to be a resilient threat that isn't likely to fade from the security landscape anytime soon.