We’ve been getting questions from some of our customers about a new sample of Win32/Conficker, dubbed by some as Conficker.B++. We’re aware of this sample and our definitions already detect this sample as Worm:Win32/Conficker.B, but given the new functionality described in this blog post, we’re updating our definitions as of 1.51.856.0 to distinguish it as Worm:Win32/Conficker.C. Future versions of the MSRT will detect this sample as Worm:Win32/Conficker.C while the MSRT which was released earlier this month detects it as Worm:Win32/Conficker.B.

The new sample has modifications which introduce new backdoor functionality. Previous versions of Conficker patched netapi32.dll in memory to prevent further exploitation of the vulnerability addressed by bulletin MS08-067. We’ve discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload. The payload only executes if it is successfully validated by the malware. However, there doesn’t appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant.

This change may allow the author to distribute malware to machines infected with this new variant. This might be a response to the fact that they no longer have the ability to register many of the Conficker domains. For our fellow researchers who may be trying to locate a sample, one such SHA1 is 0e24424f5dfbe391e2e834e7f22c758a63eab6ba. However, note that this is a polymorphic threat.

Thanks to our researchers Cristian Craioveanu, Dan Kurc, and Vincent Tiu for investigating this threat.

--Tareq Saade & Ziv Mador