Conficker is now once again a worm. Initial analyses suggest it has date-limited functionality until 3rd May 2009.
In addition to downloading updates for itself, Conficker also downloads two new files to infected machines. One is a rogue antivirus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is being spread from sites in Ukraine. Once run the program offers to delete "detected viruses" for a charge of $49.95.
The second file downloaded is the Email-Worm.Win32.Iksmas.atz. This worm is also known as Waledac and steals data and sends spam. Conficker and Iksmas are very similar in construction and the Conficker epidemic was mirrored by an email epidemic of a similar scale caused by Iksmas.
According to Aleks Gostev, head of Kaspersky Lab's Global Research and Analysis Team, "Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. In just 12 hours, one bot alone sent out 42,298 spam messages. Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters from detecting the mass mailings using methods that analyze the frequency with which a specific domain is used. Overall, we detected the use of 40,542 third-level domains and 33 second-level domains. Virtually all of these sites are located in China and are registered in the names of various people, most probably invented."
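An added defender's illustration of the evasion Gostev describes (example code, not from the original article or from Kaspersky Lab): a filter that counts full hostnames sees each of these constructed spam URLs exactly once, while collapsing every hostname to its second-level domain makes the mass mailing visible. The URL list, domain names and threshold are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: URLs taken from spam messages sent by a single bot.
# Every message carries a unique third-level hostname, but only three
# registrable second-level domains are actually in use.
SAMPLE_URLS = [
    "http://a1b2.example-a.cn/offer",
    "http://c3d4.example-a.cn/offer",
    "http://e5f6.example-a.cn/offer",
    "http://g7h8.example-b.cn/promo",
    "http://i9j0.example-b.cn/promo",
    "http://k1l2.example-c.cn/buy",
    "http://m3n4.example-c.cn/buy",
    "http://o5p6.example-c.cn/buy",
]


def registrable_domain(host: str, labels: int = 2) -> str:
    """Collapse a hostname to its last `labels` DNS labels (the second-level domain).
    Public-suffix handling (e.g. co.uk) is omitted to keep the example self-contained."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def domain_frequencies(urls, labels=None):
    """Count domain occurrences. labels=None counts full hostnames (what a naive
    per-domain frequency filter sees); labels=2 counts second-level domains."""
    counts = Counter()
    for url in urls:
        host = urlparse(url).hostname
        if host is None:
            continue
        counts[host if labels is None else registrable_domain(host, labels)] += 1
    return counts


def rotation_ratio(urls):
    """Distinct hostnames per distinct second-level domain; a high ratio means
    subdomains are being rotated per message, as in the Iksmas campaign."""
    hosts = len(domain_frequencies(urls))
    slds = len(domain_frequencies(urls, labels=2))
    return hosts / slds if slds else 0.0


def flag_mass_mailing(urls, threshold=3):
    """Second-level domains seen at least `threshold` times, which a filter
    keyed on full hostnames would miss because every hostname is unique."""
    per_sld = domain_frequencies(urls, labels=2)
    return {d: n for d, n in per_sld.items() if n >= threshold}
```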
If you run the numbers, one Iksmas bot sends out around 80,000 emails in 24 hours. Assuming that there are about 5 million infected machines on the Internet, the botnet could send out about 400 billion spam messages over a 24-hour period!
You think you have spam problems!