New Conficker activity

Filed Under: SophosLabs

Although we have expected a flood of new Conficker samples on 1st April it was only late yesterday that we saw some evidence of a potentially new Conficker variant as well as increased activity inside the Conficker P2P network.

The new sample is an executable file (as opposed to DLL of the previous variants) and we can confirm that its ability to spread by exploiting MS08-067 and by using other usual Conficker spreading methods - USB devices and shared folders. We have published detection for the variant as W32/ConfDr-Gen although the driver component was proactively detected as W32/Confick-D.

Another interesting moment is that the Conficker P2P network may have been instructed to download and install an executable file from a domain traditionally associated with the Waled worm, which may prove the connection between Conficker and Waled and potentially points to a single group behind them.

Users of Sophos Web Security Appliances and other Sophos products will be glad to know that the domain was blocked since January and that the new Waled variant is proactively detected as Mal/WaledPak-A.

SophosLabs researchers are currently analysing the new variant and will update you with the additional details soon.

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.