New Conficker Variant Increases Its Flexibility
CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."
Readable link (Score:3, Informative)
P.S. Just because there is a "Slashdot this article with maximum clutter" button, you don't have to inherently click on it.
Re:This is slashdot right? (Score:5, Informative)
Because the article doesn't have any technical detail either.
Well, the second linked-to article (the one by SRI) is chock full of technical details; and it's an interesting read.
Re:This is slashdot right? (Score:5, Informative)
In short bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates.
Some quotes:
"a more efficient push-based updating service"
"the ability to accept and validate remotely submitted URLs and Win32 binaries, could signal a significant shift in the strategies used by Conficker's authors to upload and interact with their drones."
"comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%."
"out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added."
"Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach."
"Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host."
Re:Well, if you have deep pockets... (Score:4, Informative)
It was patched a long time ago - last October [theregister.co.uk], to be precise.