The Conficker worm, which has enslaved millions of computers worldwide and enraptured the media, finally showed its hand Thursday and proved itself to be all about the money.
An undetermined number of infected machines had been updated with new instructions from the worm’s authors during the past week. The updates were delivered from other infected machines in peer-to-peer fashion.
The fresh marching orders told the computers to try to convince PC owners to subscribe to a bogus $49.99 antivirus service, SpywareProtect2009, according to Kaspersky Labs and others.
That conformed to researchers’ suspicions, covered by the FT earlier, that the forces behind Conficker were big players in the so-called scareware economy, likely out of Ukraine.
But in a twist, the Conficker nodes also downloaded Waledac, which steals personal information and sends spam. Waledac is often seen as a successor to the Storm virus, and its main function is to send junk e-mail touting knockoff pharmaceuticals and the like.
So the surprise is not that Conficker is profit-driven, or that it is pushing scareware. The surprise is that it is also being used to turn unwitting PCs into spam-spewing zombies, and more fundamentally that the Conficker authors are tied to that facet of the underground cyber-economy as well.
“Traditionally, Waledac has just been a spamming botnet. The scareware/rogueware stuff was, up until now, a separate endeavour. Now it appears all of these are linked,” said Trend Micro analyst Paul Ferguson.
Still unknown: who runs the sites selling SpywareProtect, and whether the clever minds behind Conficker have direct ownership of everything involved or are renting out services to the scareware purveyors, spammers or both.
“This is the first information I’ve seen of Conficker being used for profit,” said researcher Phillip Porras of SRI International. “It’s too early to speculate on whether it’s cooperative subletting or all in the family.”