As we already mentioned, variant C of Conficker incorporates a sophisticated peer-to-peer mechanism that allows payloads to be transferred between infected hosts without any attempt to contact the well-known domain names. This mechanism has been active for several weeks. Over the last few days, however, a payload has begun to be distributed through it.

Analysis of this payload is in progress. Below is the first available information regarding the Conficker update itself (which seems to be only a part of the payload):

  • this update is spreading via the MS08-067 vulnerability, like variants A and B (remember that this spreading vector was not present in the original C variant) and opens a listening port. It seems that no other means of propagation have been added.
  • it will stop operating on 05/03/2009
  • it uses the SSDP protocol

Some AV vendors already detect this new variant, such as Trend Micro or ESET.

It seems that the payload is able to download a binary from goodnewsdigital[dot]com, a domain name already known to be abused by the Waledac malware family.

Faced with this still unclear situation, the best thing to do is to look for machines infected by Conficker.C and disinfect them. This can be done in several ways:
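
One defender-side check in this spirit, as an added example that is not part of the original post: it triages constructed DNS and firewall log lines (formats assumed) for two indicators the post gives, resolution of the Waledac-linked domain and SSDP traffic, which is assumed here to mean UDP datagrams to the standard SSDP port 1900 (the post names the protocol, not the port).

```python
import re
from collections import defaultdict

# Constructed sample logs (not real captures). Assumed formats:
#   DNS:      "<ts> <client-ip> query <name> <type>"
#   firewall: "<ts> <src-ip> -> <dst-ip>:<dst-port> <proto>"
DNS_LOG = """\
2009-04-09T10:01:12 10.0.1.15 query goodnewsdigital.com A
2009-04-09T10:02:44 10.0.1.22 query www.example.com A
2009-04-09T10:03:01 10.0.1.40 query GoodNewsDigital.com. A
"""
FW_LOG = """\
2009-04-09T10:00:05 10.0.1.15 -> 239.255.255.250:1900 UDP
2009-04-09T10:00:06 10.0.1.15 -> 239.255.255.250:1900 UDP
2009-04-09T10:00:09 10.0.1.22 -> 10.0.1.1:53 UDP
2009-04-09T10:00:10 10.0.1.40 -> 239.255.255.250:1900 UDP
2009-04-09T10:00:11 10.0.1.99 -> 239.255.255.250:1900 UDP
"""
WALEDAC_DOMAIN = "goodnewsdigital[dot]com"  # indicator from the post, kept defanged
SSDP_PORT = 1900  # standard SSDP port (UDP); the post names the protocol, not the port

def refang(domain):
    # Turn a defanged indicator back into a matchable, lower-case host name.
    return domain.replace("[dot]", ".").replace("[.]", ".").lower()

def hosts_querying(dns_log, domain):
    """Clients that resolved `domain` (case-insensitive, trailing dot ignored)."""
    target = refang(domain)
    hits = set()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query" and parts[3].lower().rstrip(".") == target:
            hits.add(parts[1])
    return hits

def ssdp_senders(fw_log):
    """Number of UDP datagrams each source host sent to the SSDP port."""
    counts = defaultdict(int)
    for line in fw_log.splitlines():
        m = re.match(r"\S+ (\S+) -> \S+:(\d+) UDP$", line)
        if m and int(m.group(2)) == SSDP_PORT:
            counts[m.group(1)] += 1
    return dict(counts)

def triage(dns_log, fw_log):
    # Hosts showing both indicators come first; each indicator alone is a weaker lead.
    dns_hits = hosts_querying(dns_log, WALEDAC_DOMAIN)
    ssdp = set(ssdp_senders(fw_log))
    return {"both": sorted(dns_hits & ssdp),
            "dns_only": sorted(dns_hits - ssdp),
            "ssdp_only": sorted(ssdp - dns_hits)}
```

SSDP on its own is a weak signal, since UPnP-capable hosts use it legitimately, so the `ssdp_only` bucket is a lead to confirm on the host, not a list of infections.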

Stay tuned!