The Conficker botnet has started to use its peer-to-peer communication system to update itself and download scareware (fake anti-virus programs) to millions of infected Windows machines, according to malware hunters tracking the threat.
The latest Conficker mutant comes a week after a heavily-hyped April 1st activation date and provides the first sign of the motivation behind this malware threat — financially motivated cybercrime.
According to my colleague at Kaspersky Lab Alex Gostev, Conficker now has a business model linked to scareware/fraudware, which means that millions of Conficker-infected machines will start getting pop-ups pushing a fake $49.95 security scanner.
One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.
[ RELATED: There will be no April 1st Conficker outbreak ]
Gostev also found the latest version of Conficker downloading the Waledac e-mail worm onto the infected systems. Waledac is a known botnet linked to data theft and e-mail spam campaigns.
Also see the Techmeme discussion on the latest mutant.