The evolution of the multi-faceted Conficker worm is expected to take another turn this May 5th when the latest version, Conficker.E, will simply self-destruct on infected machines, say a number of security researchers.
F-Secure, Trend Micro and SecureWorks are among those that believe Conficker.E—first spotted just this April and probably created by the same attackers who have let loose the Conficker.A through Conficker.C variants since last fall—has been designed to simply self-detonate on May 5th.
“It will simply self-destruct,” says Mikko Hypponen, chief research officer at F-Secure, pointing out that researchers, who had been arguing over names for variants, agreed to skip past the name “Conficker.D” entirely to settle on the name “Conficker.E.”
But even if Conficker.E does simply self-destruct as expected, that still leaves millions of Windows-based computers around the world infected with Conficker.C, which has become active this month, beginning to try to lure victims to fake anti-virus sites—some dub it “fraudware”—to get victims to pay $50 or so to get rid of Conficker.C.
“We’re starting to see some revenue generation,” said Phillip Porras, program director in the computer sciences laboratory at SRI International, in a presentation he gave today at the RSA Conference here concerning Conficker. “We’re starting to see some business models come out of it.”
Security researchers in industry and government are using various means to monitor Conficker.C behavior.
Porras said Conficker.C is involved in an elaborate process to sell fake anti-malware software. When it gets into infected machines, it can direct victims toward Web sites believed to be selling fraudware.
One of those sites appears to be registered in the Ukraine selling the SpywareProtect portfolio, associated with “Ukraine Bastion Trade Group,” for example, he said. But Conficker was not necessarily created by this group and researchers are still in the dark about who originates and controls the complex Conficker command-and-control system.
The Conficker Working Group, which now has 300 experts from industry and government dedicated to doing what they can to identify the source of Conficker and stop it, has so far not been successful.