New Conficker B++ Worm Variant Joins the Infamous Conficker Family

After millions of computers around the world were infected with the Conficker worm, and other Conficker variants such as Conficker.A, Downadup, or Kido, a new Conficker variant has now appeared on the computer security radar called Conficker B++. The latest Conficker B++ variant, called Conficker.C by Microsoft, may pose an even greater threat than previous Conficker variants.

Conficker B++ is very similar to Conficker, Downadup or Kido, in the way that it uses the same algorithm to look for rendezvous points for infection of computers. The difference in Conficker B++, aka Conficker.C, from the previous variants is that it has a new technique to download software where the creators have a greater amount of flexibility on controlling the infected machines.

Conficker B++'s new technique allows bots to pull and verify signed executables from a connected URL which is provided by a remote agent. Another technique of Conficker B++, different from the original Conficker Worm, may not generally work out of the Internet but instead inside a firewall where it uses named pipes to pull these malicious executables.

The implementation of Conficker B++ to potentially avoid use of rendezvous points is an indication that the creators mean to bypass the Conficker Cabal’s methods which helped keep Conficker under control. The Conficker Cabal is an ad hoc group that worked to register and keep unique domain names out of the hands of criminals. Through many of these domain names Conficker would be able to use machines to send spam messages, launch denial of service (DoS) attacks or even log keystrokes which could lead to an accumulation of mass confusion.

At the moment, SRI International, a nonprofit research institute which published an analysis of Conficker and its early variants, says that about 10.5 million computers are infected with variants of Conficker. Now with Conficker B++ on the loose its expected to see this number grow when you factor in Conficker B++ potentially having the capabilities to bypass previous roadblocks that were put in place to put a hold on spreading the prior Conficker variants. It is evident, as explained by SRI International researchers, that the Conficker authors are trying to get around the DNS changes which may limit the distribution of this infection as it did with the previous version of Conficker.