Conficker E Awakens: Uses Mystery Payload, Waledac

Dennis Faas

It's been over a week now since the April Fool's Conficker debacle passed without any noticeable disaster. However, the threat itself is still very present, and researchers are now finding out exactly what the motivation is for a future attack: cash.

It would seem that if one stumbled upon a mysterious, universal hacker rulebook there would be two major motivations for their craft: 1) anarchy/destruction and 2) money. Researchers studying Conficker's spread are finding that, surprisingly, the worm might be more about the latter than previously thought. (Source:

Conficker E: New and Improved with Waledac

As of April 7th, 2009, reports that the latest Conficker E variant downloads and installs the Waledac worm.

Earlier this week the Conficker worm used infected systems to transmit updates through P2P technology (file sharing) and dropped a "mystery payload." Security experts believe that the payload program may record keystrokes, generate spam from an infected machine, or both. (Source:

Researchers theorize that Conficker, like Waledac, may be all about ripping people off. "I'm pretty certain the same people are behind both of them," remarked Trend Micro researcher Paul Ferguson. "Conficker has got their (Waledac creators') fingerprints all over it."

Botnet For Profit

Granted, there are some differences between Waledac and Conficker. The former used a lot of infectious web links sent out through email spam, many of them masquerading as holiday greeting cards. Thus far, Conficker hasn't been so blatant.

Ferguson, however, believes that the guys behind Waledac may have simply evolved their approach. Both, he suspects, are probably operating from behind the old Iron Curtain.

Symantec Security Response VP agrees with Ferguson, adding that Conficker's recent activity reconfirms his belief "that ultimately this is a large botnet designed to make money... It's the first example of how these guys are trying to leverage this botnet for profit."
