There have been new developments in the Conficker arena within the past couple of days.  We would like to assure those who are concerned that the MMPC is working to make sure you have the information you need: first, to be protected from any threat, and second, to gain a full understanding of the threat itself.

Primarily two new binaries have been reported.  We are pleased to report that Microsoft products such as Windows Live OneCare, the Windows Live OneCare safety scanner, and the Forefront family of products were already able to detect both of these newly reported binaries with existing signatures, with no update required, as Worm:Win32/Conficker.D and Worm:Win32/Conficker.gen!A respectively. Specific detections have since been added for the new variants as Worm:Win32/Conficker.D and Worm:Win32/Conficker.E.

The first item (MD5: EB0787C5B388C685B406ED46AE077536 / SHA1: 4887AB470FF4E49BB5F7D01331F3DF16B2BB507B) was a minor change to the existing .D variant(s).  Existing signatures report this variation as Worm:Win32/Conficker.D.  Minor differences found in this variation include:

Additions to the list of programs that will not be able to run on infected systems (programs whose names contain these substrings):

bd_rem 
cfremo 
kill 
stinger

In addition, the following domain substrings are blocked:

activescan 
adware 
av-sc 
bdtools 
mitre. 
ms-mvp 
precisesecurity

Of note, a number of the security tools and sites that were prominent in the run-up to April 1 are no longer usable by anyone whose machine is infected with this version.

To reiterate, however: no updates or changes in posture are required by anyone who uses Microsoft tools.

The second newly discovered binary, the one that is drawing attention in the media as .E (MD5: 677daa8bf951ecce8eae7d7ee0301780 / SHA1: 879e553b472242f3ec5a7f9698bb44cad472ff3b), is still being dissected by our malware research lab (which is why I can be spared to write this rather than them). Existing signatures report this variation as Worm:Win32/Conficker.gen!A.

At first glance, this variant was considered a variant of .A.  And as fortune would have it, Microsoft products were also able to detect this new variant with existing signatures, no updates required.  However, deeper analysis shows the following (as a reminder, we are continuing to research this, but the differences are significant enough that we will be designating this new variant as Conficker.E):

Among all these differences, one key difference between the .E variant and the previous A-D variants stands out: the .E variant runs alongside the Conficker.D already present on the infected machine.  So, for instance, .E's lack of code to check URLs for updates is not significant, since the machine is already doing that under Conficker.D's guidance.  The same applies to the last note about the P2P protocol and other such items.
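As an added example (not code from this post or from the MMPC), a small Python triage helper that ties together the two hash pairs quoted above and the new block-list substrings: it names a file only when both its MD5 and SHA1 match one of the listed samples, and it reports which process names or domains on a host an infected machine would refuse to run or reach. Case-insensitive substring matching is an assumption, and the sample names used in the test are constructed.

```python
import hashlib

# MD5 -> (SHA1, detection name) for the two binaries whose hashes the post lists.
KNOWN_SAMPLES = {
    "eb0787c5b388c685b406ed46ae077536":
        ("4887ab470ff4e49bb5f7d01331f3df16b2bb507b", "Worm:Win32/Conficker.D (minor variation)"),
    "677daa8bf951ecce8eae7d7ee0301780":
        ("879e553b472242f3ec5a7f9698bb44cad472ff3b", "Worm:Win32/Conficker.E (existing sigs: Conficker.gen!A)"),
}

# Substrings the post says this .D variation adds to its block lists.
BLOCKED_PROGRAM_SUBSTRINGS = ("bd_rem", "cfremo", "kill", "stinger")
BLOCKED_DOMAIN_SUBSTRINGS = ("activescan", "adware", "av-sc", "bdtools",
                             "mitre.", "ms-mvp", "precisesecurity")


def identify_hashes(md5_hex: str, sha1_hex: str):
    """Return the detection name only if BOTH digests match a listed sample, else None."""
    entry = KNOWN_SAMPLES.get(md5_hex.lower())
    if entry is None:
        return None
    expected_sha1, label = entry
    # An MD5-only match is not enough to name the file; the SHA1 must agree as well.
    return label if sha1_hex.lower() == expected_sha1 else None


def identify_sample(data: bytes):
    """Hash raw file bytes and look them up against the listed samples."""
    return identify_hashes(hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())


def blocked_matches(name: str, substrings) -> list:
    """Block-list substrings found in name (case-insensitive matching is an assumption)."""
    lowered = name.lower()
    return [s for s in substrings if s in lowered]


def triage_names(program_names, domain_names) -> dict:
    """Map each program or domain name an infected host would block to the substrings hit."""
    report = {"programs": {}, "domains": {}}
    for name in program_names:
        hits = blocked_matches(name, BLOCKED_PROGRAM_SUBSTRINGS)
        if hits:
            report["programs"][name] = hits
    for name in domain_names:
        hits = blocked_matches(name, BLOCKED_DOMAIN_SUBSTRINGS)
        if hits:
            report["domains"][name] = hits
    return report
```

Feeding it a host's process list and the hostnames your cleanup tools download from shows which of them would silently fail on an infected machine, which is itself a useful sign of infection.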

To keep abreast of developments regarding Conficker, please check http://www.microsoft.com/conficker.  As we fill out the details on .E, you will be able to find it here [http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.E].  And if there is other significant or breaking news, we will be back with more information here, on our blog.

Lastly, the press is filling up with conjectures and theories on who and what else is associated with this activity.  There are more layers yet to unravel.  We would like to gather more evidence before commenting on those thoughts.

My thanks to Aaron Putnam, Vincent Tiu, and Cristian Craioveanu as they continue peeling apart the layers of this onion.

-- Jimmy Kuo

PS: My heart-felt wishes for everyone to have a good Friday.