Conficker and Spyware Protect 2009

Trend Micro (Malware Blog) is reporting that the Conficker worm has awakened and received instruction to download malware to the host PC that masquerades as antivirus software, called “Spyware Protect 2009”.


UPDATE: 10:50 PDT, 9 April 2009 (Trend Micro)

Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about — these criminals are motivated by one thing: money.

How was Downad/Conficker helping them meet their goals? It wasn’t. A very large botnet of compromised computers doesn’t make money if it justs “sits there” doing nothing.

So now we saw — as described above — that the Downad/Conficker botnet has awakened, and perhaps their desire to monetizing their efforts is becoming more clear.

In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do)from a fast-flux domain infrastructure, but also now it is also installing Fake/Rogue AntiVirus  (AV) malware, too.

Conficker is a worm that was crafted to take advantage of a vulnerability in Windows that Microsoft patched back in October 2008.  It has been a hot topic, not only in the tech world, but with everyday users.  If you maintained your updates, then you are sufficiently protected.  The PC’s  that are still infected (which were in the millions), have become part of the Conficker botnet, that work together as a group (network) to periodically communicate with its’ source to acquire instructions and wreak havoc, such as downloading and installing “Spyware Protect 2009”.  In this case the malicious software displays a warning messages saying that the computer is infected and offering to clean it up for $49.95.  If you are infected, shut down your PC and consult with your IT guru for removal.

In essence what is being seen is that Conficker is finally showing its’ true colors by activating itself to aid the creators of this worm (cybercriminals) in duping people out of money. There is also evidence that Conficker has downloaded another, separate worm called Waledac onto the infected systems. Waledac is a known botnet linked to data theft and email spam campaigns.  If you start seeing popups advocating “Spyware Protect 2009” and you find that you are being blocked from legitimate security sites, then you are infected.  Another sign is that your automatic updates or other security services on your PC will become disabled.

Some standalone removal tools for Conficker:

Eset Win32/Conficker Worm Removal Tool – [ Download ]

McAfee AVERT W32/Conficker Stinger – [ Download ]

Sophos Conficker Cleanup Tool (Stand-Alone Computer) -[ Download ]

Symantec W32.Downadup Removal Tool – [ Download ]

Norman Malware Cleaner – [ Download ]

After the PC is clean, I suggest you download and run:

Malwarebytes Anti-Malware – [ Download ]

SuperAntiSpyware – [ Download ]


Bookmark and Share


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by

Up ↑

%d bloggers like this: