Initial reports stated that the botnet was used to install the trojan/worm Waledac, scareware and fake antivirus software. All of these updates generate revenue for the botmaster of Conficker, through pay per install or “leasing” the botnet to other criminals.

The trend we started to see was MASS SQL injection sourcing from the same Conficker infected peers. The SQL statement involved is typically associated with the user-agent string “NV32ts” often referred to as the NV32ts botnet. Currently the string includes slight variations on the following:

999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0