April 1st came with a big round of noise about the Conficker worm as media sources lit up to discuss what users should expect when Conficker "C" went live. Conficker came to international attention back in January, when F-Secure announced that 8.9 million computers were infected. We wrote about their announcement as well, Downadup / Conflicker Worm: 8? 9? 10 Million Infected?, discussing the interesting situation of "Collision domains". At the time, the infected Conficker nodes would each calculate possible places, based on the current date, where the bad guy may have left instructions to tell the Conficker domains what to do next. A "Collision domain" is a website which is randomly calculated by the conficker machines, but actually already belongs to a real company.
Having 500 possible "mutation vectors" each day turned out to be a threat that was controlled by the security community as various White Hats stepped up to register the domains BEFORE the Conficker authors could use them to control.
The newsworthy event of April 1st was that Conficker had changed, and beginning on April 1st, there would be 50,000 domain in addition to the 500. So, each day there were 50,500 possible places that the criminals could place a message, and the infected computers would go find it. Each infected computer would still only look for updates on 500 of the possible infected computers, but it still meant that when the criminal placed an update on even one domain, a very large number of machines would become infected. How many machines would be infected can be solved using something akin to the classic Birthday problem, and that has already been addressed very nicely in another blog by Dan Nicolescu over at Microsoft's Malware Protection Center. The short answer though is that if the criminals successfully registered even 50 domains, they would successfully update 39.5% of all their infected machines. So, if even 50 of the 50,500 possible domains are put into effect by the criminals on any given day, more than 1/3rd of the Conficker bots have the ability to radically alter their behavior.
At UAB we are monitoring the 50,500 domains and making a list of all of those that actually have been registered. Most days its between 12,000 and 20,000, and the vast majority of those have been registered by "the good guys". That still leaves between 100 and 200 that are not registered by the good guys which need to be checked out to determine if the criminals are using them. In almost every case so far, its been easy to prove that the domains are "real" domains that have a history and have been kept in proper control. I'm not aware of any "Conficker update" domains that have been seen so far, although one funny thing is that at least one domain belonging to a DIFFERENT criminal has come under scrutiny because Conficker named it as a possible update domain.
That doesn't mean the criminals aren't capitalizing on Conficker. One way they are doing so is by praying on the fear that has been spread about Conficker. Here's one example of what we are discussing:
In this email, which claims to be from Microsoft the reader is told he that "Microsoft was notified by your Internet company that your network is showing signs of being infected" and than offers "a free computer checkup in order to clean any files infected by the virus."
The link, which claims to go to a "Microsoft System Safety Scan website" actually takes you to a fake AV download site that looks like this. Despite the look and feel, this really is just a website:
Another interesting thing about the copy that I reviewed from the UAB Spam Data Mine is that the email was received from a computer that was part of the "Amazon Web Services Elastic Compute Cloud". IP address 126.96.36.199 - ec2-79-125-59-137.eu-west-1.compute.amazonaws.com. I'll have to dig into that later to see if we are getting other "cloud computer" generated spam.
The domain names used in these spam messages are all sharing a nameserver called "ns1.mojavetech.com" and include:
The WHOIS data for these domains, which were registered at "ruler-domains.com" is:
150 W Broadway, Mailbox #3
San Diego, 92123
UNITED STATES OF AMERICA
Mr. OffshoreCDN was unavailable for comment at the time this story was filed. The domains were created on March 22, 2009.
WHOIS for the nameserver domain lists:
Company: Mojave Tech Inc.
9701 Wilshire Boulevard
Beverly Hills, California 90210
The nameserver boxes themselves, 188.8.131.52 and 184.108.40.206, have some interesting aliases as well:
and my favorite:
The exact URL in the spam message shown above was:
If you are running an insecure browser, its pretty easy to cause that to download "setup.exe" which is the actual malware.
The good news is that if you do have anti-virus software loaded, there are plenty of products that are detecting this one. The VirusTotal report shows that this malware has been known at VirusTotal since March 31st, and is currently detected by 30 of the 40 anti-virus products it uses to check.
Curiously AVG, F-Prot, and TrendMicro, are currently NOT detecting this malware.
Here's a link to the VirusTotal Report.