On March 17th our notification systems started beeping, as one of the known possible download sites for Conficker (aka Downadup) updates was found to be active and feeding files. The site was obviously fed through a fast-flux system, as we saw it change IP address several times over a relatively short timespan. During this time we were able to download several updates, all of which appear to be copies of a new Conficker version. Initially we believed these to be more copies of the known C variant, but closer inspection revealed this update to be an altogether new variant, with several code changes as well as new data and strings. For example, the D variant contains an updated list of security applications to kill.
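The fast-flux behaviour described above (one hostname rotating through several IP addresses within a short timespan) is something a defender can spot in passive DNS or resolver logs. The following is an added example, not code from the original post or from the Conficker analysis it describes: it applies a simple sliding-window heuristic to constructed resolution records and flags hostnames that resolve to an unusual number of distinct addresses within one window. The hostnames (`.invalid`) and addresses (RFC 5737 documentation ranges) are placeholders, and the window and threshold values are assumptions to be tuned against your own baseline.

```python
"""Fast-flux heuristic: flag hostnames whose resolved IP address changes
unusually often within a short window of time."""
from collections import defaultdict
from datetime import datetime

# Constructed sample observations (not taken from the original post).
# Format per line: "<ISO timestamp> <hostname> <resolved IP>"
SAMPLE_LOG = """\
2009-03-17T08:00:00 update.example.invalid 203.0.113.10
2009-03-17T08:10:00 update.example.invalid 198.51.100.22
2009-03-17T08:25:00 update.example.invalid 192.0.2.77
2009-03-17T08:40:00 update.example.invalid 203.0.113.45
2009-03-17T08:00:00 static.example.invalid 192.0.2.5
2009-03-17T08:30:00 static.example.invalid 192.0.2.5
2009-03-17T09:00:00 static.example.invalid 192.0.2.5
"""


def parse_observations(text):
    """Parse whitespace-separated log lines into (timestamp, host, ip) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, ip = line.split()
        records.append((datetime.fromisoformat(ts), host, ip))
    return records


def flux_candidates(records, window_minutes=60, min_distinct_ips=3):
    """Return {host: max_distinct_ips} for every host that resolved to at
    least `min_distinct_ips` different addresses inside some window of
    `window_minutes`. Both parameters are assumed defaults, not derived
    from the original post."""
    by_host = defaultdict(list)
    for ts, host, ip in records:
        by_host[host].append((ts, ip))

    flagged = {}
    for host, obs in by_host.items():
        obs.sort()  # time order so the window scan below is valid
        best = 0
        # Slide a window starting at each observation and count the
        # distinct addresses seen before the window expires.
        for i, (start, _) in enumerate(obs):
            seen = set()
            for ts, ip in obs[i:]:
                if (ts - start).total_seconds() > window_minutes * 60:
                    break
                seen.add(ip)
            best = max(best, len(seen))
        if best >= min_distinct_ips:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    # The rotating host is flagged with 4 distinct addresses; the stable one is not.
    print(flux_candidates(parse_observations(SAMPLE_LOG)))
```

In practice the same logic runs over resolver or passive-DNS exports rather than an inline string; low TTLs and a wide geographic or ASN spread of the returned addresses are additional signals that strengthen a fast-flux verdict, since a legitimately load-balanced service can also return several addresses.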