A new variant of the Downadup internet worm, also known as Conficker, is circulating, opening up a backdoor that could allow an attacker to distribute malware to infected machines, the US Computer Emergency Readiness Team warned on Monday.
The new Downadup worm, dubbed 'Conficker B++', uses a new backdoor with 'auto-update' functionality, US-CERT said in an advisory.
Microsoft said there is no indication that systems infected with previous variants of Downadup can automatically be reinfected with the new variant.
Previous versions of Downadup took action to prevent further exploitation of the vulnerability, Microsoft said in an advisory of its own.
"We've discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead, it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload," said Microsoft, which is offering a $250,000 (£172,000) reward for information that leads to the arrest and conviction of whoever is responsible for creating Downadup. "The payload only executes if it is successfully validated by the malware. However, there doesn't appear to be an easy way for the authors to upgrade the existing [Downadup] network to the new variant."
The worm, which first appeared last year, spreads by exploiting a vulnerability in Windows that Microsoft patched in October 2008, so unpatched machines remain exposed to direct infection over the network.
Downadup also spreads via removable storage devices, such as USB drives, and via network shares, where it attempts to log in by guessing user names and weak passwords.
The previous versions of Downadup have also been busy. Conficker.A has been seen from more than 4.7 million IP addresses, while its successor, Conficker.B, has been seen from 6.7 million, according to a technical report by SRI International. Because infected hosts change addresses over time, those IP counts overstate the population: SRI puts the number of distinct infected machines for both variants combined at fewer than four million.