Conficker becomes a more flexible worm
February 23, 2009 – 1:05 PM
It seems that the authors of the Conficker worm for Windows are continually updating their malware. In their current analyses, researchers at SRI International have found that the latest Conficker variants, B and B++, are decidedly more flexible than their predecessors in downloading further components and new versions.
The first version of the worm used an easily predictable method for choosing contact domains. In response, Microsoft and ICANN tried to either gain control of these domains or shut them down. The next version, B, used a different method to establish the domains for its contact attempts. It also did not have the “suicide switch” that was enabled in version A if the worm detected a Ukrainian keyboard layout.
The most recent variant of the malware, Conficker B++, can not only download DLLs, but also entire arbitrary programs; this extends the botnet operators’ scope for further activity. In addition to the download feature, this version also contains a back door, which can be used to actively and remotely inject additional components, or new versions.