Conficker’s latest mutation baffles security experts

10 Apr 2009

A new variant of the Conficker worm has been dubbed Win32/Conficker.AQ by global security software vendor ESET, which warned that the variant appears to be communicating with its own peer-to-peer network.

ESET detected a new variant of the Conficker worm that differs from previous versions in one major, yet surprising, feature.

It doesn’t contact any of the control domains, even though it originally operated with up to 50 000 domains a day.

Conficker and the size of its botnet (a network of infected PCs) have attracted a lot of media attention in the past few days.

ESET said the new variant, created on 7 April, communicates only within its own peer-to-peer network.

It comprises two main components. The server part infects vulnerable PCs in the network, installing the client part. These clients become a part of the Conficker botnet.

There is an interesting feature in the code of the worm that causes the server part to deactivate and remove itself from the PC after 3 May. However, the botnet will be active even after this date, and Conficker will remain one of the most prevalent current threats.

“Similarly to previous variants, Win32/Conficker.AQ exploits the Windows MS08-067 vulnerability. Users are therefore advised to keep their systems up to date and protect their PCs with security software,” ESET said in a security note.

By John Kennedy