PC Magazine, ITWeb and The Register are all reporting that Conficker is actively downloading updates over its peer-to-peer (P2P) channel. The Register, at least, is calling the new variant Conficker-E. According to Trend Micro and Kaspersky Lab, the new version is also contacting servers known to be associated with the Waledac malware and the Storm botnet, possibly downloading further code or content from them. There is still no evidence that the botnet is doing anything except updating itself, though there is "circumstantial evidence" that it may be distributing the W32.Waledac trojan, which "steals sensitive information, turns computers into spam zombies, and establishes a back door remote access", but which is already well known to most antivirus software.
The really interesting development, according to Trend Micro, is that the current version of the worm apparently includes new code to clean up after itself and delete itself from infected hosts on May 3.
I previously speculated that Conficker's expanded host polling, which began April 1, was a red herring: misdirection to distract attention from what it was really doing. That may have been the case, or the Conficker authors may simply have laid low and abandoned that planned update route to avoid exposing themselves. Now, seeing the reports of scheduled self-removal after allowing adequate time for the removal code to propagate to the entire botnet, I find myself wondering: what if the whole purpose of the current Conficker infection is simply a proof of concept, a "dry run", as it were?