If you just got here looking for my blog on Conficker and "blended hoaxes", I’m afraid I just pulled it (temporarily at least) in the light of new data that’s come in since last night: I don’t want to mislead anyone, as it seems that the new Conficker stuff is a lot more active and interesting than it appeared on preliminary analysis.
The most interesting and surprising new feature is that doesn’t contact any of the control domains, even though it originally operated with up to 50 000 domains a day. The new variant, which we call Win32/Conficker.AQ, communicates only within its own peer-to-peer network.
It seems likely that the Conficker gang are trying to throw us off because of the media attention and close analysis by the security industry: I imagine that all the fuss has made it difficult for them to run it as originally intended.
The new variant has two main components. The server component infects vulnerable PC’s in the network using the same vulnerability described in MS08-067 (you did update, didn’t you?), installing the client component so as to recruit them into the Conficker botnet. However, the server component will deactive and remove itself after May 3rd, though the client will remain active.
Conficker’s botnet is already larger than most, but it looks to me as if the gang are back trying to grow it. I still don’t think it’s going to do “enormous harm” in terms of a monster attack: that isn’t likely to be cost effective for the botmasters.
What they are doing right now, I’d say, is adapting to compensate for the fact that Conficker has been rather heavily analysed, and to make it harder for us to forestall them on the basis of previous analyses.
More info shortly.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence