Reports have suggested that as many as 10 million PCs have been infected since Conficker first surfaced in October 2008 as a vulnerability in Windows’ remote procedure call (RPC) requests; Microsoft released an out-of-band patch. RPC requests are server-side commands that allow subroutine code to execute on other computers on a shared network. What is unique about the RPC vulnerability that Conficker is exploiting is that subroutines can be executed without programmer interference. This makes an autonomously sustained bug such as Conficker effective because RPC enables a virtually automatic and remote interaction between CPUs in a shared processing environment.
The countering group’s first task, according to Microsoft and Symantec, will be to look at ways to stop the update mechanism of Conficker (whose technical name is W32.Downadup/Conficker.B). The worm updates itself by daily checking a list of as many as 250 network domains for weak passwords, as well as opportunities to regenerate itself on new systems as it updates itself on already infected systems.
The changes in the new strain of the malware, dubbed Conficker B++, make it possible for malware authors to push out new code without publishing it on pre-programmed sites, as with earlier variants. The earlier approach has been frustrated by the recent formation of an alliance led by Microsoft geared up to block and take down sites associated with the worm.
Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker’s authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.
The patch for this exploit was released by Microsoft on October 23, 2008, and those Windows PCs that receive automated security updates have not been vulnerable to this exploit. Nevertheless, nearly a month later, in mid-November, Conficker would utilize this exploit to scan and infect millions of unpatched PCs worldwide.
Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users who avoid staying current with the latest Microsoft security patches.
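The quoted articles describe why the takedown alliance could get ahead of the earlier variants: the drones compute their daily list of rendezvous domains from the date, so anyone who has reverse engineered the generator can compute the same list in advance and register or sinkhole it. The following is an added illustration, not code from the articles or from the worm: a toy date-seeded domain generator (the seed, the hashing scheme, the 8 to 11 letter labels and the TLD set are all constructed for this example and are not Conficker's real parameters), together with the defender-side functions that precompute the coming days' domains and flag a DNS lookup that matches one.

```python
import hashlib
from datetime import date, timedelta

# Constructed constants for this toy generator (not Conficker's real parameters).
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 250  # the figure quoted in the articles above


def daily_domains(day, count=DOMAINS_PER_DAY, seed=b"toy-dga-seed"):
    """Return the deterministic list of rendezvous domains for one calendar day.

    Both the drone and a defender who has reverse engineered the generator
    compute the same list, which is what makes pre-registration and
    sinkholing of the domains possible.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 8 to 11 lowercase letters derived from the digest bytes
        length = 8 + digest[0] % 4
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_list(start, days):
    """Precompute every domain the drones will try from `start` for `days` days.

    This is the defender's registration/sinkhole list; it only works while
    the worm still relies on predictable rendezvous domains.
    """
    names = set()
    for offset in range(days):
        names.update(daily_domains(start + timedelta(days=offset)))
    return names


def is_rendezvous_lookup(hostname, start, days=7):
    """Flag a DNS query that matches a predicted rendezvous domain."""
    return hostname.lower().rstrip(".") in sinkhole_list(start, days)


if __name__ == "__main__":
    today = date(2009, 2, 20)  # constructed date for the demo
    todays = daily_domains(today)
    print(len(todays), todays[:3])
    print(is_rendezvous_lookup(todays[7], today))
    print(is_rendezvous_lookup("update.example.com", today))
```

The point of the example is the asymmetry the articles describe: once the generator is known, the defenders' list for tomorrow is as cheap to compute as the drones' list, so the authors' move in B++ toward a direct push path removes exactly the part of the design that the blocklist attacks.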
Reading the article, it appears that the new strain does not change the method of attack at all. It rather seeks to overcome the efforts being made to kill it (by attacking the infrastructure it needs to sustain itself once established) by reducing its dependence on that infrastructure.
Surely this points to the need to keep up to date with Windows automatic updates as well as the automatic updates of avast.
And … as always … thanks to polonus for pointing us to an interesting discussion.
The person who did this is a genius… A new breed of worm… If only he used his intelligence and programming skills in the name of good, then none of this would have happened, the attacks, infections, etc…
And thanks to you, Polonus, for informing us of this new variant of the worm…
This is only if you had a previous infection with Conficker B. If you do not have it, how can it update itself then, my dear friend?
And you have the MS patch and the avast web shield, so why are you concerned? You are already as secure as can be regarding this worm…
This information is only for those poor souls that go around the Internet unprotected, the folks that think an av solution is not needed, and will never install a firewall, because that came with the comp. Folks, that never upgrade or patch, because that is a drag, and the virus will surely hit their neighbor’s machine not them…
If you do not fit in all of these categories you can sleep tonight and snore a bit as well, you are safe!!
The others mentioned should stay awake, but they don’t stir an eyelid to the threats over their heads…