New domains and processes blocked by Conficker update

Filed Under: Malware, SophosLabs

Our analysis of the new Conficker variant that first appeared around a day ago is ongoing. We now know that, as well as the executable component, an update to the Conficker DLL in the system32 folder is installed. Initial analysis of this DLL component suggests that it is very similar to Conficker.C (detected by Sophos as Mal/Conficker-B), although the lists of websites and programs it blocks have been updated.

Components of the new Conficker variant are detected by Sophos as W32/ConfDr-Gen, W32/Confick-L and Troj/ConfDr-C. The installation process appears to be as follows:

W32/ConfDr-Gen - Drops Troj/ConfDr-C & other functionality, disables itself on 3 May 2009 (analysis ongoing).

Troj/ConfDr-C - Installs W32/Confick-L in system32 folder with same filename used by Conficker.C.

W32/Confick-L - Runs inside svchost -k netsvcs as usual, functionality mainly the same as Conficker.C (analysis ongoing).

Many of the new blocked domains are related to the Conficker network scanning tools. What's more, W32/Confick-L seems to have changed its NetpwPathCanonicalize hook, possibly in an effort to give a more accurate, Windows-like response to the SMB requests made by the scanning tools.

With new entries in bold, the list of processes killed is:

autoruns
avenger
bd_rem
cfremo
confick
downad
dwndp
filemon
gmer
hotfix
kb890
kb958
kido
kill
klwk
mbsa.
mrt.
mrtstub
ms08 (changed from ms08-06)
ms09

procexp
procmon
regmon
scct_
stinger
sysclean
tcpview
unlocker
wireshark

The new list of blocked domain substrings is:

activescan
adware
agnitum
ahnlab
anti-
antivir
arcabit
av-sc
avast
avgate
avira
bdtools
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
confick (changed from conficker)
coresecur
cpsecure
cyber-ta
defender
downad
doxpara
drweb
dslreports
emsisoft
enigma
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
fsecure
gdata
grisoft
hackerwatch
hacksoft
hauri
honey
ikarus
insecure.
iv.cs.uni
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
mitre.
ms-mvp
msftncsi
msmvps
mtc.sri
ncircle
networkassociates
nmap.
nod32
norman
norton
onecare
panda
pctools
precisesecurity
prevx
ptsecurity
qualys
quickheal
removal
rising
rootkit
safety.live
secunia
securecomputing
secureworks
snort
sophos
spamhaus
spyware
staysafe
sunbelt
symantec
technet
tenablese
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate

avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
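As an added example (not code from the SophosLabs post), the following Python checker reports which of the kill-list and block-list substrings above a given process image name or hostname would hit, which helps explain why a particular tool or update site fails on an infected host. It assumes case-insensitive substring matching, as the post's wording "domain substrings" suggests, and carries only a short subset of each list; substitute the full lists above for real use.

```python
"""Which of Conficker's kill/block substrings would a given name hit?

Added example, not code from the SophosLabs post. Matching is assumed to be a
case-insensitive substring test (the post speaks of "domain substrings"); the
two pattern lists are short subsets copied from the post, not the full lists.
"""

# Subset of the "processes killed" list. Entries ending in "." such as "mrt."
# only hit when the dot follows: "mrt.exe" matches, "mrtstub.exe" needs its
# own separate entry.
PROCESS_PATTERNS = ["autoruns", "confick", "filemon", "mbsa.", "mrt.",
                    "mrtstub", "ms08", "procexp", "wireshark"]

# Subset of the "blocked domain substrings" list.
DOMAIN_PATTERNS = ["avira", "confick", "microsoft", "nmap.", "sophos",
                   "windowsupdate", "avg.", "ca.", "sans."]


def matching_patterns(name, patterns):
    """Return every pattern that occurs in `name`, ignoring case."""
    lowered = name.lower()
    return [p for p in patterns if p.lower() in lowered]

def would_be_killed(process_name):
    """True if a process image name matches the kill-list subset."""
    return bool(matching_patterns(process_name, PROCESS_PATTERNS))

def would_be_blocked(hostname):
    """True if a hostname matches the domain block-list subset."""
    return bool(matching_patterns(hostname, DOMAIN_PATTERNS))

def widened_by_change(old_pattern, new_pattern, names):
    """Names hit by an updated pattern but not by the one it replaced.
    Shows why "ms08-06" -> "ms08" and "conficker" -> "confick" widen the net:
    any string containing the old pattern contains the new, not vice versa."""
    return [n for n in names
            if new_pattern.lower() in n.lower()
            and old_pattern.lower() not in n.lower()]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real host.
    for proc in ["wireshark.exe", "mrt.exe", "mrtstub.exe", "notepad.exe"]:
        print(proc, matching_patterns(proc, PROCESS_PATTERNS))
    for host in ["update.microsoft.com", "nmap.org", "free.avg.com",
                 "average.com", "example.net"]:
        print(host, matching_patterns(host, DOMAIN_PATTERNS))
    print(widened_by_change("ms08-06", "ms08",
                            ["ms08-067.exe", "ms08-052-patch.exe"]))
```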
