Conficker.C

We've been tracking the Conficker worm since it launched itself into the wild last November; despite the best efforts of security officials worldwide, the worm still hasn't been completely crushed. The original flavor and its nastier follow-up (Conficker.A and Conficker.B) have been locked down, but the worm's creators have a third version (Conficker.C, naturally) prepared to hit the tubes come April 1. The new "C" twist won't have all of the tools "B" used to replicate, but it will be able to detect and kill certain system processes designed to find and remove it.

Ars spoke with Don DeBolt, CA's Director of Threat Research, to get some additional information on Conficker.C, its threat profile, and why the gosh-darned thing isn't dead yet. CA (formerly Computer Associates) has published an extensive guide to Conficker.C, which includes information on its attack vectors, behavioral analysis, and how to tell if the "C" variant of Conficker is running on your system. This last part could pose a challenge—unlike previous versions, C adopts what DeBolt refers to as a "defensive stance" and throws up a number of roadblocks, all of which are aimed at hindering user detection of the worm.

The security industry was collectively able to put the brakes on Conficker.B's expansion when they managed to reverse-engineer the virus and determine which domains it would attempt to register and dial home to on particular dates. With Conficker.A and B, the worm chose to contact 32 addresses out of a possible 250 on any given attempt. With their algorithm broken, the malware authors went a step beyond updating their randomization/selection code—they also vastly increased both the number of domains the worm could generate as well as the number it will randomly select. Conficker.C will select 500 domains out of a randomized pool of 50,000 instead of the previous 32/250.

This will drive up the cost of operating the botnet (we've previously covered how vulnerable malware networks can be to changes in their cost structure) but will also significantly increase the cost of attempting to monitor and prevent botnet registrations, even once the randomizing algorithm has been broken.

Once installed, Conficker.C implements a variety of nasty behaviors. The worm will attempt to disable Windows Automatic Update and stop access to the Windows Security Center, can detect and kill SysInternals' Process Explorer program, and will interfere with the operation of a number of other search-and-destroy programs including WireShark and SysClean.

It will also reset and delete system restore points, disable various services (including WinDefend, BITS (Background Intelligent Transfer Service) ERSvc (Error Reporting Service) and WerSvc (Windows Error Reporting Service, Vista-only). In a final fit of pique, Conficker.C will prevent any attempt to connect to a variety of antivirus software services or websites. This behavior is nothing new to malware in general, but it's the first time we've seen it from our Conf(l)ickt-causing little friend.

The security industry's battle against Conficker is unlikely to resolve this go-round—we'll probably see at least a "D" variant before this is done—but DeBolt believes the coordinated response and organized counter-attack from Team White Hat has dramatically retarded the virus' ability to infect new systems. In the meantime, Romanian researchers from BitDefender have released a tool that should remove Conficker, though it's not clear if this will clean versions A, B, and C, or just the first two.

From : ars technica