Conficker Wants Your Cash
True intentions of the Conficker worm become apparent
April 2009
by Robin Wark
Conficker C has kicked into gear, making naysayers feel like belated April fools. The world had braced for the fast-spreading computer worm to contact its creators for further instruction on April 1. When Conficker C didn't drop any "mystery payload," many thought the worm was a hoax, or that it had simply fizzled.
However, starting on about April 7, the Conficker creators began revealing more of their master plan – to make money. That's when the worm began using its peer-to-peer functionality to download new files, including the infamous spam-spewing Waledac software and a fake anti-malware program called SpywareProtect2009.
As well, Conficker has updated itself to an .E variant, which will allow the worm to spread again by taking advantage of a Windows vulnerability. The new version also tries to block more programs designed to remove it and installs a feature that will reportedly have it delete itself on May 3.
One aspect of the Conficker story that still stuns experts is how many computers remain unprotected. You can defend against the worm by installing a patch Microsoft originally created to thwart Gimmiv, a data-stealing worm that focused on Asia and Eastern Europe. The patch has been available since October of 2008. However, computer security reports as of April 15 show that 11 per cent of computer users still have not installed the Microsoft MS08-067 patch.

It is estimated that Conficker infected up to 15 million computers, with Asia, Europe and South America being the hardest hit. Statistics released by IBM's Internet Security Systems on April 2 showed that four per cent of the Internet Service Provider (ISP) addresses they monitored were infected. The report indicated these findings were higher than the one to two per cent of infected machines IBM experts had expected to find.
The infected computers created a huge botnet. Now, the malware authors are using that botnet to send out mass amounts of email spam. One report calculated a computer was spewing 42,298 messages in 12 hours. While the volume is shocking, what the messages say is pretty typical. They are for pharmaceutical products, mostly erectile dysfunction drugs such as Viagra and Cialis. Typical subject headings include "She will dream of you days and nights!" or "Hot life – our help here. Ensure your potence (sic) today!" The links contained inside the message feature a wide variety of domains, a technique the spammers are using to try to thwart your spam filter.
The Conficker criminals are also trying to cash in with rogue software. Once SpywareProtect2009 is installed on your PC, it will inundate you with messages saying you have viruses or spyware on your computer. Admittedly, if you are infected with Conficker this is true, but SpywareProtect2009 will not remove them. Not even if you take it up on the offer to clean your PC for $49.95.
