
Kaspersky discovers Conficker variant

By Staff Writer, ITWeb
Johannesburg, 14 Apr 2009

Kaspersky Lab has detected a new version of the malicious program Kido, also known as Conficker.

Between 8 and 9 April, computers infected with Conficker contacted each other over P2P, instructing infected machines to download new malicious files and activate the Kido botnet, the company says.

According to Alex Gostev, head of Kaspersky Lab's global research and analysis team, the variant is significantly different from prior variants, as the malicious software is once again in the form of a worm. “Initial analyses suggest it has date-limited functionality until 3 May this year.”

Besides downloading updates for itself, Conficker also downloads two new files to infected machines, Gostev says. One is a rogue anti-virus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is being spread from Ukraine-based sites. When the application runs, it offers to delete “detected viruses” for a charge of $49.95.

The other file Conficker downloads to infected systems, he says, is Email-Worm.Win32.Iksmas.atz. Also dubbed Waledac, the worm is able to steal data and send spam. “When this malicious program was first detected in January 2009, a lot of IT experts noted the similarity between Conficker and Iksmas. The Conficker epidemic was mirrored by an e-mail epidemic of a similar scale caused by Iksmas.”

One Iksmas bot sends out about 80 000 e-mails in a 24-hour period. “Assuming that there are five million infected machines out there, the botnet could send out about 400 billion spam messages over 24 hours,” he explains.

Over a 12-hour period, Iksmas connected to its control centres around the globe a number of times, and received commands to send out spam mailings. In just 12 hours, one bot alone sent out 42 298 spam messages. “Virtually every e-mail contained a unique domain.”

Gostev says the intention behind this was to prevent anti-spam filters from detecting the mass mailings using methods that analyse the frequency with which a specific domain is used. “Overall, Kaspersky detected the use of 40 542 third-level domains and 33 second-level domains. Virtually all of these sites are located in China and are registered in the names of various people, most probably invented.”
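A defender-side sketch of the evasion Gostev describes, added here as an illustration and not code from Kaspersky or the article: a filter that counts full hostnames sees each spam domain only once, while aggregating on the second-level domain, or on how many distinct hostnames a single sender uses, makes the same campaign visible. The log lines, sending hosts and domain names below are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: (sending host, domain linked in the message). The first
# group mimics the Iksmas pattern: every message carries a unique third-level
# domain, but they collapse onto a handful of second-level domains. The rest
# is ordinary mail from other hosts.
SAMPLE_LOG = [
    ("10.0.0.7", f"w{i:05d}.example-cn-{i % 3}.test") for i in range(30)
] + [
    ("10.0.0.8", "mail.example.test"),
    ("10.0.0.8", "shop.example.test"),
    ("10.0.0.9", "mail.example.test"),
]

def second_level(domain: str) -> str:
    """Collapse a hostname to its last two labels. Naive (no public-suffix
    list), which is enough for the constructed .test names used here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def frequency_filter(log, threshold=5):
    """The filter the worm evades: count each full hostname and flag those
    that repeat at least `threshold` times. Unique-per-message hostnames
    never cross the threshold."""
    counts = Counter(domain for _, domain in log)
    return {d for d, n in counts.items() if n >= threshold}

def sld_frequency_filter(log, threshold=5):
    """Same idea keyed on the second-level domain, so per-message subdomain
    churn no longer hides the campaign."""
    counts = Counter(second_level(domain) for _, domain in log)
    return {d for d, n in counts.items() if n >= threshold}

def domain_churn(log):
    """Per sending host: (messages, distinct hostnames, distinct/messages).
    A ratio near 1.0 over many messages means the sender never reuses a
    hostname, which is itself a campaign signal."""
    seen, total = defaultdict(set), Counter()
    for host, domain in log:
        seen[host].add(domain)
        total[host] += 1
    return {h: (total[h], len(seen[h]), len(seen[h]) / total[h]) for h in total}

def churn_suspects(log, min_messages=10, min_ratio=0.9):
    """Hosts that sent many messages and almost never repeated a hostname."""
    return sorted(h for h, (n, _, r) in domain_churn(log).items()
                  if n >= min_messages and r >= min_ratio)
```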

Other threats

However, despite the new variant being discovered, McAfee is warning PC users that there are far more dangerous threats lurking online than Conficker.

Barry McPherson, senior VP of worldwide support at McAfee, says: "It is important that computer users don't get complacent [with their security]. They should keep their PCs secured by applying security patches and running up-to-date security software that should, at a minimum, include anti-malware and a two-way firewall."

According to McAfee, in the days leading up to 1 April, when Conficker was supposed to activate, McAfee's Web site visits spiked 50% and support calls jumped 40% due to mounting fears about the potential harm that Conficker could do.

Though 1 April passed without incident, Conficker and many other threats make the rounds on the Internet every day. McAfee Avert Labs identified a record 1.6 million pieces of malware in 2008, a 450% increase compared to the previous year. McAfee identifies an average of 5 500 new pieces of malware every day.
