TrendLabs researcher Ivan Macalintal has this evening discovered a new variant of Downad/Conficker called WORM_DOWNAD.E spreading over the peer-to-peer functionality of the previous version of this now infamous worm.
As well as reactivating the original propogation functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?
Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?
Please read the TrendLabs Malware blog for a detailed breakdown.