David Baxter PhD
Late Founder
Conficker botnet stirs, with a scareware business model
by Ryan Naraine, ZDNet
April 9th, 2009
The Conficker botnet has stirred to life, using its peer-to-peer communication system to update itself and download scareware (fake anti-virus programs) to millions of infected Windows machines.
The Conficker update comes a week after a heavily-hyped April 1st activation date and provides the first sign of the motivation behind this malware threat ? financially motivated cybercrime.
My colleague at Kaspersky Lab, Alex Gostev, has analyzed the latest samples and found the scareware/fraudware association, which means that millions of Conficker-infected machines will start getting pop-ups pushing a fake $49.95 security scanner.
Gostev writes:
Gostev also found the latest version of Conficker downloading the Waledac e-mail worm onto the infected systems. Waledac is a known botnet linked to data theft and e-mail spam campaigns.
Over at Threatpost.com, we?ve prepared a detailed Conficker FAQ and provided a disinfection tool for affected Windows users. Also see the Techmeme discussion on the latest mutant.
by Ryan Naraine, ZDNet
April 9th, 2009
The Conficker botnet has stirred to life, using its peer-to-peer communication system to update itself and download scareware (fake anti-virus programs) to millions of infected Windows machines.
The Conficker update comes a week after a heavily-hyped April 1st activation date and provides the first sign of the motivation behind this malware threat ? financially motivated cybercrime.
My colleague at Kaspersky Lab, Alex Gostev, has analyzed the latest samples and found the scareware/fraudware association, which means that millions of Conficker-infected machines will start getting pop-ups pushing a fake $49.95 security scanner.
Gostev writes:
One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we?ve got unknown cybercriminals using the same trick.
The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009.com.
At the moment, the rogue anti-virus comes from sites located in Ukraine, Gostev said. Mozilla Firefox is blocking access to the scareware sites.The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009.com.
Gostev also found the latest version of Conficker downloading the Waledac e-mail worm onto the infected systems. Waledac is a known botnet linked to data theft and e-mail spam campaigns.
Over at Threatpost.com, we?ve prepared a detailed Conficker FAQ and provided a disinfection tool for affected Windows users. Also see the Techmeme discussion on the latest mutant.
