New, Stealthy Conficker B++ Worm Discovered

nandemoari writes "A new variant of the Conficker/Downadup worm has been detected. The worm opens a backdoor on an infected machine and allows hackers remote control of infected PCs. Dubbed Conficker B++ (and not to be confused with Conficker B), the new variant of the worm opens a backdoor with auto-update functionality, allowing a hacker to distribute malware to infected machines. It's difficult to know exactly how long Conficker B++ has been circulating, but researchers first noticed it on February 6 of this year." If this seems familiar to you, it probably is.

Detection

[jetsci]

Anyone know the procedure for detecting these? I imagine A/V companies setup 'honeypots' of sorts on high traffic networks and that but how do you detect something new like this? Do they track it through an old signature?

Re:profit motive

[Saint+Aardvark]

You laugh, but that situation is just what F-Secure describes for an unrelated bit of Facebook malware. FTFA:

As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence. It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites. Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic.... They're both.

Re:profit motive

[stevey]

That's not necessarily true - I mean the skills required to exploit a known security hole aren't terribly difficult.

If you're familiar with a small amount of low-level coding you can easily follow cookbook-style tutorials to getting shellcode executed. At that point you're done.

Sure you need to do some disguising, and you need to understand a bit of crypto to setup a key-verification for downloading updates.

But I'd expect there are literally millions of coders still kicking around from the 80s/90s who did assembly programming under MS-DOS who would be able to write that kind of code - and because it isn't really really skilled work the chances are high that a significant proportion of those developers are unemployed.

so if I understand this correctly ....

[nblender]

We (the global 'we') had a chance to stop conflicker before this version came about; by working with the registrars and/or root nameservers; pre-emptively invalidating each of the algorithmically generated domain names on a day by day basis; preventing cornfucker from updating itself or receiving instructions on how to proceed. The authors noticed that we could do that and before we could think of it, modified it so that once we did think of it; it would be too late....

I clearly must not understand the intricacies of this....

My fantasy (because I won't be affected by this) is that once the owners of the botnet are sufficiently happy with their market-share, will instruct cornfucker to encrypt all files on everyone's PC and then wait for the moneh to start rolling in....

Proper naming convention, please

[LordSnooty]

Conficker/Downadup? B? B++? Is it time we had a proper naming scheme for these things? For this instance we've seen several companies getting together to coordinate a response - that's good. But even better, if everyone were to agree on the same name, WE could coordinate our response too.

And what kind of scheme? Well, how about following the convention of the hurricane trackers? 26 names assigned to each major piece of malware that appears throughout the year. This is a double bonus, as ending the practice of using the authors' chosen names might take away some of that bragging aspect. "Oh, you wrote Malware Julie did you?? Bwahaha"