New Conficker B++ Worm Discovered, More Stealth

Dennis Faas's picture

A new variant of the Conficker/Downadup worm has been detected. The worm  opens a backdoor on an infected machine and allows hackers remote control of infected PCs.

Dubbed Conficker B++ (and not to be confused with Conficker B), the new variant of the worm opens a backdoor with auto-update functionality, allowing a hacker to distribute malware to infected machines.

It's difficult to know exactly how long Conficker B++ has been circulating, but researchers first noticed it on February 6 of this year. (Source:

10.5 Million Computers Infected

Machines infected by the Conficker/Downadup worm can be used to send spam, to log keystrokes or to launch denial of service (DoS) attacks, but reports suggest that for the most part, that has not been happening.

The worm spreads by exploiting a dangerous Windows bug to attack computers on a local area network and by USB devices. According to SRI International research, about 10.5 million computers have been infected with variants of Conficker. (Source:

The Technical Analysis

Conficker B++ is no longer limited to re-infection by similarly structured DLL files, but can now be pushed in new self-contained Win32 (executable) applications. These executables can infiltrate the host using methods that are not detected by the latest anti-Conficker security applications. (Source:

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points, increasing the flexibility of the direct flash mechanisms which offer the ability to load digitally-signed Win32 executables directly to a Conficker host.

Microsoft Security Bulletin MS08-067 Patches Flaw

The Conficker/Downadup worm has been able to proliferate widely because many PC users have not applied the patch supplied by Microsoft. Security Bulletin MS08-067 from Microsoft patches the Windows flaw. Information that will help you find out if your computer is infected and how to fix it is available from Microsoft. (Source:

Detailed information on all variants of the Conficker/Downadup worm can be found from SRI International Research.

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet