Conficker Worm Slowly Begins Activity
Just as many computer security experts had begun to believe it was a fluke, the Conficker virus has apparently begun to slowly become active, weeks after its expected April 1 launch date.
The worm, which started spreading to millions of computers last year, appears to be turning its infected hosts into servers for e-mail spam, security experts told Reuters.
Analysts have yet to discover the source of the malware, but Vincent Weafer, a vice president with Symantec Security Response, said the creators began using infected machines for criminal purposes in recent weeks by installing a second virus, called Waledac, onto some computers.
The second virus makes the PC part of a botnet that sends out e-mail spam. A third virus, also carried by Conficker, prompts infected PC owners to purchase a fake anti-virus program called Spyware Protect 2009 for $49.95.
If users purchase the fake security system, their credit card information is stolen and the virus downloads additional malware.
Weafer told Reuters that the number of infected machines to actually go active is likely to be relatively small at this point.
"Expect this to be long-term, slowly changing," he said. "It’s not going to be fast, aggressive."
Researchers first believed the virus would become active on April 1, because it was programmed to increase communication attempts from that date forward.
A security task force created by industry experts said it has had some success at crippling the worm by blocking access to servers that control botnet computers.
Earlier this month, researchers from Trend Micro reported that the Conficker system had begun delivering encrypted software to machines that have been infected. The team purposefully implanted the Conficker C worm into machines in order to analyze its activity.
The mysterious update began one week later than experts had expected. The “C” variant of the worm, known as Downad, suggested it was scheduled to begin updating on April 1.
Trend Micro researchers discovered increasing P2P communications from the Conficker peer nodes, believed to be hosted in Korea. The file, found in the Windows Temp folder, was created on April 7, 2009 at 07:41:21 PM, PDT.
