Conficker Using MySpace, eBay As A Clock
The worldwide computer meltdown culprit that never was, Conficker.C, is back, this time as Conficker.E, and is floating along peer-to-peer to networks with one apparent mission: to check MySpace, eBay and other major sites for the time of day.
Just a week after the April Fools Day hysteria surrounding Conficker.C, most have forgotten and gone on. Security researchers, however, have not, and have noted more activity and a possible connection to the spambot Waledac.
Yesterday, researchers at both TrendMicro and Symantec noticed new activity from a Conficker variant they’ve now labeled Conficker.E. The new variant spreads via peer-to-peer to update machines infected by earlier variants.
The activity they are witnessing also seem fairly benign. Conficker connects to major websites like MySpace, MSN, eBay, CNN, and AOL to get a simple time update.
Whereas the .C variant made burrowed its way into several areas of a computer to disable security communications and removal tools, the .E variant includes a previously unseen self-removal functionality to erase all traces of its presence from the infected host.
Strangely, it will do so on May 3, 2009, giving us yet another date to pay attention to. TrendMicro traced the worm to sources somewhere in Korea, and noted a possible connection to Waledac, one of the world’s most active spambots.
Symantec confirms an apparent connection to Waledac, and suspects Conficker.C was instrumental in distributing Waledac, which “steals sensitive information, turns computers into spam zombies, and establishes back door remote access.
Because Waledac is a reiteration of the famed Storm botnet, researchers also suspect all three pieces of malware are connected, perhaps created by the same cybercriminal source.