More than a week after Conficker’s much-hyped April 1st activation date, the botnet has come to life and is using a P2P communication system to update itself on what is believed to be millions of infected PCs. Along with the update, the worm is downloading scareware known as SpywareProtect2009, according to Alex Gostev of Kaspersky Lab:
“One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.”
As is typical with scareware, once SpywareProtect2009 is downloaded, the victim will start seeing the usual pop-up warning messages asking if they want to “clean and protect” their PC (see screenshot below). Of course, this will cost them $49.95. The criminals will no doubt make millions on these fees alone while amassing a huge database of valid credit card numbers that will likely be sold for additional profit.