More than a week after its April 1 deadline, the Conficker C worm released an update that could activate the botnet to deliver spam and turn infected PCs into zombies.

Researchers say that the latest update could include a connection between the Conficker worm to the active spam bot W32.Waledac. Specifically, researchers said they have seen circumstantial evidence that the latest strain of Conficker, known as Downadup E, might drop a Waledac binary on machines infected with Conficker C. That binary is designed to steal information and turn infected PCs into spam-spewing drones under the control of the malware authors, experts say.

“We got a first look at the payload and we’re still looking at this one, a worm or Trojan called Waledac associated with tons of spam,” said Vincent Weafer, vice president of Symantec (NSDQ:SYMC) Security Response. “Ultimately it’s about information stealing.”

More Conficker updates could include widespread distribution of Trojans, keystroke loggers and other malware designed to grab user credentials and steal personal and financial information later down the road, Weafer said. “And then what’s left is a very robust botnet,” he added.

April 1 marked the day the Conficker worm was scheduled to undergo an update that provided a new domain generation algorithm allowing the infected computers to “call home” to about 500 of the 50,000 newly generated domains, possibly for new instructions.

The new strain of the Conficker worm updates machines infected with Conficker C to the new strain, known as Downadup E via peer-to-peer techniques.

Researchers said that they’ve seen a few differentiators from the previous Conficker C.

The updated Conficker prefers to travel through peer-to-peer networks to distribute its new version E. However, researchers say that the new sample doesn’t appear to include new infection vectors that might allow it to propagate faster or onto new machines.

The latest version also incorporates a previously unseen self-removal functionality that is programmed with the ability to eliminate itself from infected hosts on May 3, and reaches out to a new list of high-profile domains.

Before its update April 1, Conficker C was renowned for exhibiting an array of sophisticated self-preservation techniques, which included blocking access to security vendor sites, dodging numerous antivirus products, and disabling Windows automatic updates. In addition, Conficker C has the ability to patch its own vulnerability once it has infected a machine, presumably to prevent competing malware from attacking the same host.

The earliest Conficker variants, Conficker B, and its predecessor Conficker A, had unique abilities to replicate and spread rapidly, infecting millions of PCs with techniques that ranged from brute force password guessing to transmission through USB sticks and peer-to-peer networks. Experts say that the highest rates of infections were found primarily in Latin America and other markets that rely on pirated Windows software, which doesn’t receive security updates.

Meanwhile, the entire upgrade is anticipated to take weeks to months, Weafer said.

“We describe this as step five of a 1,000-step chess match. This is going to go on for a while,” Weafer said. “This is not going to be an overnight upgrade.”

The April Fools Day Special Conficker worm and its variants have been dreaded by computer users across the world for some time now.

Even though it may seem that the virus has been maintaining a low profile for the past few days, security experts warn that the virus is still a threat. In reality, it has already attacked thousands of personal computers in India and nearly 15 million computers globally till date.

So how do you protect your PC from this devastating worm? You can, if you are able to spot whether your PC is infected by it. How do you do that?

Thanks to Joe Stewart, director of malware research at SecureWorks, you can now see if your computer is affected by Conficker with a simple eye test. Stewart came up with a Conficker Eye Chart, which is a simple visual test you can use to evaluate a PC just by surfing to that page and looking at the images.

The images are given below; there is a guide on how to interpret the results.

It couldn’t be simpler!

However, the test doesn’t work if you’re behind a web proxy.

The worm is programmed to update itself from domains it randomly generates. For the latest version, Conficker C, this amounts to nearly 50,000 domains a day. The virus author needs to use only one of these domains to host the update, thus making tracking nearly impossible.

Use the test to check whether your PC is infected with Conficker and take the necessary remedial measures. To read more on Conficker, click here.

April 1 has come and gone, and the Internet has not disintegrated and no major cyber-attacks were reported. But Conficker still remains a threat. Now don’t panic, this doesn’t mean cyber-Armageddon could strike at any minute, it just means you need to make sure your computer is fully updated if it isn’t already. Feel better? Good, then let’s take a look at what’s going on.

Why It Ain’t Over Yet

The Conficker Working Group-which is made up of 27 tech companies and agencies including AOL, F-Secure, Facebook, ICANN, Kaspersky, McAffee, Microsoft, Symantec-says that Conficker, also known as Downup, Downadup, and Kido, is the largest worldwide computer infection since the SQL Slammer in 2003. The CWG estimates anywhere from 3 to 15 million computers are infected worldwide, and says 30 percent of Windows computers across the globe are not updated with the latest patches to protect against Conficker. The virus authors are also still at large and able to communicate with Conficker-although that capability has been significantly reduced.

Problem Spots

As you can see from this map provided by the CWG, Conficker infections in the United States are happening pretty much everywhere you can find an Internet connection. However, despite all that ominous looking red only 6 percent of Conficker infections are in North America. The biggest problem areas are actually concentrated in Asia and South America including Vietnam, Brazil, the Philippines, and Indonesia, as well as Algeria.

The hardest hit areas may also have a correlation to the number of unpatched Windows computers since Asia, Eastern Europe, and South America are areas known to have widespread use of pirated Windows software. Since Microsoft automatically blocks illegitimate copies of Windows from receiving critical updates those computers remain vulnerable to Conficker, thus perpetuating the risk.

What Conficker is Doing

Yesterday, Conficker began its daily exercise of contacting 500 Web sites from a randomly generated list of 50,000 sites. Conficker will continue to do this every day until it receives instructions to do something else. Further instructions could be a simple software update or the infected computers could work as a botnet to commit theft or attack other computer networks. The problem is that while security and IT professionals are working to block Conficker from getting further instructions, they haven’t been able to block all Conficker traffic. So some infected machines have gotten through, but luckily further instructions haven’t been issued, yet. Conficker’s authors may be laying low until publicity surrounding Conficker dies down before contacting their creation.

If Conficker is updated or receives further instructions, that capability could pass between infected machines without further need of a server or Web site, because Conficker uses a peer-to-peer (p2p) protocol to communicate with other infected machines. That’s right, Conficker is file sharing. With p2p the worm can distribute software updates much faster than if every infected machine had to communicate with a main server.

The Final Countdown?

Does this mean the world could still end? Probably not, and that was never the concern with Conficker despite the doomsday scenarios you may have read. The fact is that most security experts believe that Conficker is just a typical botnet worm that can be used for identity theft or to commit other forms of cybercrime. Conficker is most likely controlled by an organized crime syndicate in Asia, Eastern Europe or South America and the group may even rent out Conficker’s capabilities if the botnet every becomes active.

Conficker is only a threat if your computer does not have the latest security patches from Microsoft and an up-to-date antivirus program.

If you need further instructions start here.

For more information about Conficker, check out these articles from PC World:

http://www.pcworld.com/article/162477/conficker_worm_not_finished_yet.html

The U.S. Department of Homeland Security (DHS) announced today the release of a DHS-developed detection tool that can be used by the federal government, commercial vendors, state and local governments, and critical infrastructure owners and operators to scan their networks for the Conficker/Downadup computer worm.

The department’s United States Computer Emergency Readiness Team (US-CERT) developed the tool that assists mission-critical partners in detecting if their networks are infected. The tool has been made available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs). Additional outreach to partners will continue in the coming days.

Department cyber experts briefed federal Chief Information Officers and Chief Information Security Officers today, as well as their equivalents in the private sector and state/local government via the ISACs and the National Infrastructure Protection Plan framework.

“While tools have existed for individual users, this is the only free tool – and the most comprehensive one – available for enterprises like federal and state government and private sector networks to determine the extent to which their systems are infected by this worm,” said US-CERT Director Mischel Kwon. ”Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation’s critical networks and systems, both from this threat and all others.”

In addition to the development of this tool, DHS is working closely with private sector and government partners to minimize any impact from the Conficker/Downadup computer worm. This worm can infect Microsoft Windows systems from thumb drives, network share drives, or directly across a corporate network if network servers are not protected by Microsoft’s MS08-067 patch.

US-CERT recommends that Windows Operating Systems users apply Microsoft security patch MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx) as quickly as possible to help protect themselves from the worm. This security patch, released in October 2008, is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an infected system and install additional malicious software.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers.  The presence of an infection may be detected if users are unable to connect to their security solution Web site or if they are unable to download free detection/removal tools.

If an infection is suspected, the system or computer should be removed from the network.  In the case of home users, the computer should be unplugged from the Internet.

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Home users may also call Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

McAfee:
http://www.mcafee.com/us/threat_center/default.asp

US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch, disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.

In addition, US-CERT recommends that computer users and administrators implement the following preparedness measures to protect themselves against this vulnerability, and also from future vulnerabilities:

• Keep up-to-date on security patches and fixes for your operating system. The easiest way to do this is to set your system to receive automatic updates, which will ensure you automatically receive security updates issued by Microsoft. If your system does not allow automatic updates, we recommend that you manually install the Microsoft security patch today through Microsoft Update at http://update.microsoft.com/microsoftupdate
• Install anti-virus and anti-spyware software and keep them up-to-date
• Enable a firewall which will help block attacks before they can get into your computer

To access the alerts for this vulnerability and for additional information on cyber security tips and practices, please visit www.us-cert.gov.

The Independent on Sunday reported that the worm — known as Downadup, Conficker or Kido — had contaminated 6 million PCs in the past three days alone.

The newspaper said more than 3,000 British organizations, including hospitals and the Ministry of Defense, have received the virus.

Officials in Britain, the United States, Russia, China and India say they are waiting to see what the virus’s effects will be, if anything.

The newspaper reported there is a possibility the virus has no function other than to demonstrate its originator’s skill, but some security experts think it unlikely a worm so sophisticated at this one would have no ulterior purpose.

Tom Gaffney, technical manager of F-Secure, says this could be to capture confidential information, such as online account details and passwords. He said it is likely the worm is a “rootkit,” which gives the virus designer administrative access to remote computers.

© 2009 United Press International, Inc. All Rights Reserved.