Conficker updates botnet with keylogger

Posted by Robert Siciliano on April 9th, 2009

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

It was just a matter of time until Conficker phoned home and sent its next set of updates to its global botnet. That day has come.

Conficker's botnet, which includes anywhere from 3 to 15 million PCs, has a peer to peer (P2P) feature that allows each PC on the network to talk to one another. Each PC has the ability to become the command server. This characteristic allows Conficker to fluidly update each PC on the network.

The latest variant shows that Conficker is updating via P2P, as opposed to pinging a website for its updates. This makes Conficker "self reliant."

A botnet is a robot network of zombie computers under the control of a single leader. The concept behind a botnet is strength in numbers. Botnets can attack websites, send spam, and log data, which can lead to data breaches, credit card fraud and identity theft, and ultimately clog a network until it shuts down.

CNET reports that researchers have observed Conficker making its first update, which they believe to be a keystroke logger, a form of spyware designed to log usernames and passwords. This new update also tells the zombies to seek other PCs that have not been patched with Microsoft's update. The worm also pings websites including MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com in order to determine whether that PC has Internet access.

The Register reports that Conficker is now pinging what's known as a Waledac domain, which contacts a new server if the current one is blacklisted by ISPs for spamming. This allows the virus to download more updates.

In 2007 and 2008, the Storm Worm was thought to have infected over 50 million PCs. Waledac is using the same technology as the Storm Worm, which means two things. First, this may get ugly fast. And second, whoever is controlling Waledac must be the same criminal hackers that built Storm Worm.

All this means that Conficker is about as dangerous as a virus can be, with the best of the best technologies, both old and new. While the virus has yet to strike, it is definitely gearing up.

To protect yourself, be sure you have updated Internet security software, and consider an identity theft protection service.

Identity theft speaker Robert Siciliano discusses criminals using viruses to hack credit cards.

Robert Siciliano is CEO of IDTheftSecurity.com , an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of 2 books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.