New Conficker activity

Although we expected a flood of new Conficker samples on 1 April, it was only late yesterday that we saw the first evidence of a potentially new Conficker variant, along with increased activity inside the Conficker P2P network.

The new sample is an executable file (as opposed to the DLL used by previous variants), and we can confirm its ability to spread by exploiting MS08-067 and by the other usual Conficker spreading methods: USB devices and shared folders. We have published detection for the variant as W32/ConfDr-Gen; the driver component was already proactively detected as W32/Confick-D.

Another interesting development is that the Conficker P2P network may have been instructed to download and install an executable file from a domain traditionally associated with the Waled worm. This may prove a connection between Conficker and Waled, and potentially points to a single group behind both.

Users of Sophos Web Security Appliances and other Sophos products will be glad to know that the domain has been blocked since January and that the new Waled variant is proactively detected as Mal/WaledPak-A.

SophosLabs researchers are currently analysing the new variant and will update you with additional details soon.