Thursday, April 9, 2009

Conficker is paging home...

In case you do not know about Conficker (a.k.a. Downup/Downadup), it is the most widespread virus to date. It propagates by exploiting a vulnerability in Windows. Estimates of the number of computers infected range from 9 million to 15 million, depending on which security team is counting. Microsoft announced a $25,000 reward for any information that leads to the creators of this virus, but so far nobody has claimed it, because the code is heavily obfuscated. See the Wikipedia page for more information.

The interesting part is that the malicious action this virus performs is not hardwired into it. First it just spreads and forms a big botnet (a network of infected machines). It has the capability to download a payload (the action to be performed) later and execute it, and the way it finds that payload is interesting: the 'D' variant generates a pool of 50,000 domains every day, randomly picks 500 of them, and checks those for a payload. Many experts believed the virus would download its payload on the 1st of April, April Fools' Day, but nothing happened that day. It really made fools of the experts :)
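As an added illustration (not part of the original post, and not Conficker's code), the toy model below mirrors the shape of the scheme just described: a pool of 50,000 candidate names derived from the date, from which each bot samples 500 to query. The date-seeded generator, the `.example` domain names and the resolver log lines are all constructed for this example; the real algorithm is not reproduced. What it shows is the point a defender cares about: because each bot queries only 500 of 50,000 names, registering a handful of them intercepts almost no bots, and a hypergeometric calculation gives the coverage for any number of pre-registered names. It also includes a small NXDOMAIN-burst check, since a bot probing hundreds of unregistered names leaves a clear trace in resolver logs.

```python
"""Toy model of the daily-domain rendezvous described in the post.

Added illustration, not Conficker's code: the generator only mirrors the
shape the post describes (50,000 candidates per day, 500 of them sampled
and queried) and is a constructed stand-in for the real algorithm.
Domains use the reserved ".example" TLD so nothing here resolves.
"""
from __future__ import annotations

import hashlib
import math
import random
from collections import defaultdict
from datetime import date

POOL_SIZE = 50_000   # candidates per day, as stated in the post
SAMPLE_SIZE = 500    # names a single bot actually queries per day
TLD = ".example"     # reserved TLD: never resolves on the Internet


def daily_pool(day: date, size: int = POOL_SIZE) -> list[str]:
    """Derive `size` candidate names from the date alone (hypothetical
    construction). Anyone who knows the date can rebuild the same list,
    which is what lets a defender pre-enumerate the day's candidates."""
    seed = day.isoformat().encode()
    return [hashlib.sha256(seed + i.to_bytes(4, "big")).hexdigest()[:10] + TLD
            for i in range(size)]


def bot_sample(pool: list[str], rng: random.Random, k: int = SAMPLE_SIZE) -> list[str]:
    """The per-bot random pick: k distinct names out of the day's pool."""
    return rng.sample(pool, k)


def hit_probability(registered: int, pool: int = POOL_SIZE, picks: int = SAMPLE_SIZE) -> float:
    """P(one bot's sample touches at least one defender-registered name).

    Hypergeometric: 1 - C(pool - registered, picks) / C(pool, picks).
    Python's int / int division stays correctly rounded for these huge
    binomial coefficients, so no floating-point overflow occurs."""
    return 1.0 - math.comb(pool - registered, picks) / math.comb(pool, picks)


def expected_hits(registered: int, pool: int = POOL_SIZE, picks: int = SAMPLE_SIZE) -> float:
    """Mean number of registered names in one bot's sample."""
    return picks * registered / pool


def simulate_hit_rate(registered: int, trials: int, seed: int = 1) -> float:
    """Monte-Carlo check of hit_probability(): fraction of simulated bots
    whose sample overlaps the first `registered` names of the pool."""
    rng = random.Random(seed)
    pool = daily_pool(date(2009, 4, 9))
    sinkholed = set(pool[:registered])
    hits = sum(1 for _ in range(trials) if sinkholed.intersection(bot_sample(pool, rng)))
    return hits / trials


# Constructed resolver log lines: "<timestamp> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2009-04-09T10:00:01 10.0.0.5 mail.internal.example NOERROR
2009-04-09T10:00:02 10.0.0.7 a1b2c3d4e5.example NXDOMAIN
2009-04-09T10:00:02 10.0.0.7 f6e5d4c3b2.example NXDOMAIN
2009-04-09T10:00:03 10.0.0.7 0f9e8d7c6b.example NXDOMAIN
2009-04-09T10:00:03 10.0.0.7 5a4b3c2d1e.example NXDOMAIN
2009-04-09T10:00:04 10.0.0.5 www.internal.example NOERROR
2009-04-09T10:00:05 10.0.0.5 typo.exmaple NXDOMAIN
"""


def nxdomain_bursts(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Detection side: a bot probing hundreds of unregistered names yields
    a burst of NXDOMAIN answers to one client. Return clients that asked
    for at least `threshold` distinct names that did not exist."""
    per_client: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN":
            per_client[client].add(qname)
    return {c: len(names) for c, names in per_client.items() if len(names) >= threshold}


if __name__ == "__main__":
    for k in (1, 100, 1_000, 10_000):
        print(f"register {k:>6} of {POOL_SIZE}: P(hit)={hit_probability(k):.3f}, "
              f"E[hits]={expected_hits(k):.2f}")
    print("simulated P(hit) with 100 registered:", simulate_hit_rate(100, trials=300))
    print("NXDOMAIN bursts:", nxdomain_bursts(SAMPLE_LOG))
```

Registering a single name out of the pool gives a hit probability of 1%, while 100 names reach only about 63%; the closed form and the simulation agree, which is why responders pre-registering the whole daily pool was the only way to be sure of seeing every bot. The NXDOMAIN counter is deliberately crude (per-client distinct failed lookups over the whole log); in production you would window it by time and exclude known typo-prone internal names.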

A week after April Fools' Day, this virus seems to be actively downloading a payload. It is downloading it from the Waledac botnet, a botnet known for data theft and spamming. Slashdot is running an article on this which points to this article. Here is one more article about this activity from Trend Micro and one more from ZDNet.

Update: CNET has an article mentioning that this virus installs fake antivirus software, which in turn installs a trojan downloader. It pretends the system is infected with a virus and offers to clean it for $49.99. Funny, isn't it?
