Glaswegian

Researchers are warning that the Conficker worm has been reprogrammed to strengthen its defences and boost its ability to attack more machines.

Conficker takes advantage of a vulnerability in Microsoft's software, and has infected at least 3 million PCs and possibly as many as 12 million, making it into a huge botnet and one of the most severe computer security problems in recent years.

Botnets can be used to send spam and attack other websites, but they need to be able to receive new instructions. Conficker can do this in two ways: it can either try to visit a website and pick up instructions or it can receive a file over its custom-built encrypted P-to-P (Peer-to-Peer) network.

Over the last day or so, researchers with Websense and Trend Micro said some PCs infected with Conficker received a binary file over P-to-P. Conficker's controllers have been hampered by efforts of the security community to get directions via a website, so they are now using the P-to-P function, said Rik Ferguson, senior security advisor for the vendor Trend Micro.

The new binary tells Conficker to start scanning for other computers that haven't patched the Microsoft vulnerability, Ferguson said. A previous update turned that capability off, which hinted that Conficker's controllers maybe thought the botnet had grown too large.

But now, "it certainly indicates they [Conficker's authors] are seeking to control more machines," Ferguson said.

The new update also tells Conficker to contact MySpace.com, MSN.com, Ebay.com, CNN.com and AOL.com apparently to confirm that the infected machine is connected to the Internet, Ferguson said. It also blocks infected PCs from visiting some websites. Previous Conficker versions wouldn't let people browse to the websites of security companies.


http://www.techworld.com/security/ne...&NewsID=114124