Most of us know why the Conficker worm was named CONFICKER, but for those who don’t, here is a little background.
The worm was named Con-Fic-K-Er because the reversers analyzing its first variant (W32/Conficker.A) found the string “trafficconverter .biz” in it. The name was derived from this string by rearranging portions of it.
Trafficconverter .biz = Traf+FIC + CON+Vert+ER = Con+Fic+”K”+Er = CONFICKER
The purpose of “trafficconverter .biz”, which later became “traffic-converter .biz” and “trafficconverter2 .biz”, was to recruit more affiliates so that existing misleading applications, better known as Rogue Applications, could be installed on more and more systems around the world. A quote from “trafficconverter .biz” about the affiliate program is below:
What is Traffic Converter?
Traffic Converter is affiliate program that helps webmasters to convert their traffic into cash.
How it works?
We are selling popular antispyware and security software products to surfers which you send to us. You receive $30 for each sale of our products.
Why does it work so good?
With our direct-marketing approach, aggressive promotion materials and advanced software products you can earn much more than with other affiliate or advertising programs.
The owners of “trafficconverter .biz” were heavily involved in spreading these misleading applications, commonly known as Rogue AntiSpyware. The Conficker.A variant also attempted to download a payload from their domain. However, this variant was never able to download the payload file hxxp://trafficconverter .biz/4vir/antispyware/loadadv.exe because the “trafficconverter .biz” domain was shut down as an early response to the Conficker threat.
The WHOIS details of the “trafficconverter .biz” domain are below:
Domain Name: TRAFFICCONVERTER .BIZ
Domain ID: D22305317-BIZ
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY .COM
Registrant Name: Daniel Adams
Registrant Organization: eosads
Registrant Address1:
Registrant Postal Code: W1D 3AF
Registrant Country:
Registrant Country Code: GB
Registrant Phone Number: +41.225349854
Registrant Email: ddarkmaster@gmail .com
Last Transferred Date: Mon Dec 01
Status: SUSPENDED (This Domain Name is Suspended)
The “trafficconverter .biz” domain operated along with various sister domains, viz.:
Domain Name: XPANTIVIRUS .COM
Registrant: VerifiedSofts
John Davidson ddarkmaster@gmail .com
London.Barnet str. 12/22
Tel. +44.7917722025
Creation Date:
Expiration Date:
Status: SUSPENDED (This Domain Name is Suspended)
Domain Name: ANTISPYGUARD .COM
Registrant: Verified Software
Victor Temchenko verifiedsoftware@gmail .com
Geroev Truda 68 - 136
Tel. +38.0638550739
Creation Date:
Expiration Date:
Status: SUSPENDED (This Domain Name is Suspended)
Domain Name: ANTIVIRUS2009ONLINE .COM
Registrant: eosads
Daniel Adams ddarkmaster@gmail .com
Tel. +41.225349854
Creation Date:
Expiration Date:
Status: SUSPENDED (This Domain Name is Suspended)
Domain Name: TRAFFIC-CONVERTER .BIZ
Sponsoring Registrar: ENOM, INC.
Registrant ID: DI_8661402
Registrant Name: John Davidson
Registrant Organization: VerifiedSofts
Registrant Address1: London . Barnet str. 12/22
Registrant Postal Code: 12012
Registrant Country: UNITED KINGDOM
Registrant Country Code: GB
Registrant Phone Number: +44.7917722025
Registrant Email: ddarkmaster@gmail .com
Refer to McAfee Site Advisor’s details about the online affiliations for “traffic-converter .biz”:

Domain Name: TRAFFICCONVERTER2 .BIZ
Domain ID: D28746672-BIZ
Domain Status: OK
Registrant ID: 43249773
Registrant Name: Privat person
Registrant Organization: Privat person
Registrant Address1: Rue la produit 34
Registrant Postal Code: 13004
Registrant Country:
Registrant Phone Number: +1.33491858954
Registrant Facsimile Number: +1.33491858954
Registrant Email: adultblogz7@yahoo .com
Billing Contact ID: 17289307
Billing Contact Name: XiaMen BizCn Computer & NetWork CO.,Ltd
Billing Contact Address1: 1F - 4F,
Billing Contact Address2: Software Technology Service Builing,
Billing Contact Postal Code: 361004
Billing Contact Country:
Billing Contact Phone Number: +1.865922577
Billing Contact Email: domain@bizcn .com
Domain Registration Date: Mon Dec 15
Domain Expiration Date: Mon Dec 14
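The shared registrant details in the WHOIS records above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it normalises the defanged values and groups domains that share a registrant email or phone number. The function names are illustrative, and the tuples are copied from the records above.

```python
from collections import defaultdict

# (domain, registrant email, registrant phone) copied from the WHOIS records
# on this page, including the defanging spaces exactly as printed.
RECORDS = [
    ("TRAFFICCONVERTER .BIZ", "ddarkmaster@gmail .com", "+41.225349854"),
    ("XPANTIVIRUS .COM", "ddarkmaster@gmail .com", "+44.7917722025"),
    ("ANTISPYGUARD .COM", "verifiedsoftware@gmail .com", "+38.0638550739"),
    ("ANTIVIRUS2009ONLINE .COM", "ddarkmaster@gmai l.com", "+41.225349854"),
    ("TRAFFIC-CONVERTER .BIZ", "ddarkmaster@gmail .com", "+44.7917722025"),
    ("TRAFFICCONVERTER2 .BIZ", "adultblogz7@yahoo .com", "+1.33491858954"),
]

def normalise(value):
    """Drop defanging/extraction spaces and case so equal values compare equal."""
    return "".join(value.split()).lower()

def pivot_index(records):
    """Map each normalised registrant attribute to the domains that use it."""
    index = defaultdict(set)
    for domain, email, phone in records:
        for kind, value in (("email", email), ("phone", phone)):
            index[(kind, normalise(value))].add(normalise(domain))
    return index

def cluster(records):
    """Union-find over domains: two domains join if they share any attribute."""
    parent = {normalise(d): normalise(d) for d, _, _ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in pivot_index(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    # Largest cluster first, then alphabetical, for stable output.
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), ", ".join(group))
```

On these records, four domains join through the ddarkmaster@gmail .com address, while antispyguard .com and trafficconverter2 .biz stay on their own, so registrant data alone does not tie those two to the group.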
Soon after “trafficconverter .biz” was taken down, the owners came back with the domain “trafficconverter2 .biz”. However, they went down again, saying that their payment processor had blocked them. To plead “Not Guilty”, they also issued a notice claiming that they had no connection with the Conficker mayhem. Read the disclaimer below:
This is absolutely unprecedented case when two of the largest payment system called the requirement to block the Merchant. We also have a reason to believe that the situation was caused by the recent publication about us and our products in Washington Post:
http://voices.washingtonpost.com/securityfix
There are, as you can see, some very serious accusations. Including the relation to Conficker, which we actually are not implicated with (and can prove it if necessary).
As a result of this situation:
- No money to pay;
- No capacity to process products (not because we're not working, but because this volume is not endure any processor)
- There is a chance to get ourselves under prosecution and let down Webmasters.
So, the decision was made to default and shut down the Traffic Converter. In case we resolve this issue and manage to refund the money from the bank, we will pay you off all debts as quickly as possible.
If we manage to get the stable traffic conversions we have demonstrated during the year and a half, we will contact you on individual basis.
Thanks to everyone for successful business cooperation.
These sites are instrumental in distributing Rogue Applications. Once a system is infected, the applications go to every possible extent to apply scare tactics and fool users into paying for applications that are anything but security software. These rogue applications can also inject code into Google’s search results or into the Google homepage itself (this means that the client system from which the search is run or the Google homepage is opened is infected). Refer to the screen below:
For more information about these Rogue AntiSpyware applications, refer to the article below:
http://www.malwareinfo.org/files/RogueAntiSpyware.pdf