25 Mar
Article from Rik Ferguson
Filed under: malware | Tags: conficker, downadup, worm_downad | 13 Comments
A brief outline of the story so far with WORM_DOWNAD and some thoughts about the April 1st “activation date”.
“This could well be very big, but it will also be very quiet.”
I’m beginning to get a little exercised by many of the verbs I am seeing attached to this malware in recent commentary; words like “virus set to explode”, “erupt”, “blow up” or “will infect 12m computers on April 1st”. I put the following information together to try to clarify exactly what will be “activated” on April the 1st and bring some rationality to the debate.
First Variant
In November 2008, Downad/Conficker was seen for the first time. This first variant was the simplest; it spread by exploiting a vulnerability (MS08-067) that had actually been patched by Microsoft back in October 2008. This variant actively avoided infecting systems that were configured to use a Ukrainian keyboard layout or had IP addresses registered to Ukraine (which may give some clue as to its origins). Once this original variant had infected a machine, it would first randomly generate IP addresses and use those to search for new victims to infect, and then go on to attempt to download some rogue antivirus “scareware” as a one-time event. From that point on, it would generate a daily list of 250 pseudo-random domain names using the top level domain suffixes .com, .net, .org, .info and .biz, and attempt to connect out to those servers and download further malicious content.

Second Variant
January 2009 saw the second Downad/Conficker variant, which was largely a rewrite of the first; it no longer excluded Ukrainian systems and did not try to download the “scareware” as the first variant did. It also used several more mechanisms through which to spread. In addition to exploiting the Microsoft vulnerability, it also spread by writing to any removable drives plugged into infected systems and any shared network drives currently attached, and additionally searched for machines on the same network against which it would attempt a brute force password attack using a list of over 240 predefined common passwords. This second variant also attempted to disable many well known anti-virus programs, blocked access to security related web sites, and disabled key Microsoft security services such as Windows Automatic Update. These additional methods of self-propagation are thought to have contributed to the worm’s success at infecting large numbers of machines.
This second variant also generates a daily list of 250 domains to try to connect to, this time using more top level domain suffixes: .com, .net, .org, .info and .biz, adding .ws, .wn and .cc. The domains generated by the two versions do not overlap.

Third Variant
In March 2009, a significant third Downad/Conficker variant surfaced. This new version appears to have been spread by an update pushed out to machines previously infected with the second variant. This new version now generates a daily list of 50,000 Internet domain names instead of the 250 generated previously, and rather than the 5 or 8 top level domains used by the first two variants, this version uses 110 different top level domains. Only 500 of these generated domains are queried, and only once per day. It is this mechanism that is coded to begin on 1st April, and the sheer number of domain names involved renders redundant the blocking mechanisms used so far to combat the worm.
In addition to this already established HTTP Command & Control infrastructure, this new variant also introduced Peer to Peer communications capabilities between infected hosts, presumably in an effort to get around the security and internet industries’ attempts to shut down the HTTP connection mechanism.
In this third update, the propagation methods present in the first and second variants have been removed and the stance of the infection has shifted to a more defensive one. This signals perhaps that the cybercriminals behind this feel they have infected enough machines to turn this into a “simple” botnet for distributing whichever malicious code they see fit. Remember though, the propagation functionality could just as easily be switched on again as required by the authors.
It’s really anyone’s guess what the infected hosts will be used for if the command & control infrastructure goes live on April 1st. Pushing rogue AV? Sending spam? Carrying out Denial of Service attacks on other servers and Internet infrastructure? Hosting malware and phishing sites? Or simply creating a very large asset pool of infected PCs for the owners to rent out for cash? Personally I don’t buy into the mass attack scenario; the motivator for mainstream cybercrime is still cash generation, and “bringing down the Internet” wouldn’t be much of an earner. The people behind this piece of code are very skilled, very well informed and resourced. They have invested much time and effort in the creation of this botnet, and will be aiming to see some return on that investment. Making so much noise that every victim knows they’re infected will have entirely the opposite effect. This could well be very big, but it will also be very quiet.
If you believe your system may be infected by Downad/Conficker, then online scanners and tools almost certainly won’t be of any use to you, because the websites will be blocked by the infection. I would recommend you download SysClean, a free tool from Trend Micro to remove any infection.
For a great in-depth analysis of Downad/Conficker, please have a look at the Research Paper written by SRI International.
conficker virus: Friday, 27. March 2009 at 7:31 pm
[...] see some return on that investment,” wrote Trend Micro senior security advisor Rik Ferguson in a blog post. Source: [...]

Conficker with 10M victims, April 1 update soon | EC-Comp.com: Saturday, 28. March 2009 at 6:47 am
[...] “The Conficker worm is going to change its operation a bit, but that’s unlikely to cause anything visible on 1 April,” F-Secure said. The company also noted that only the latest version of the malware, known as ‘Conficker C’, which constitutes a small percentage of total infections, would be carrying out any instructions on 1 April. “The truth is that Conficker is not set to activate a specific payload on 1 April. Rather, Conficker will begin to attempt to contact the 50,000-a-day potential call-home web servers from which it may receive updates.” Malware creation has evolved into a lucrative business since Melissa, and most experts believe that Conficker’s update will be the first step in a spam run or other money-making activity, rather than an old-fashioned attempt at internet mayhem. “The people behind this piece of code are very skilled, very well informed and resourced. They have invested much time and effort in the creation of this botnet, and will be aiming to see some return on that investment,” wrote Trend Micro senior security advisor Rik Ferguson in a blog post. [...]

What Will Go DOWNAD on April 1?: Monday, 30. March 2009 at 11:21 am
[...] Downad/Conficker, who’s the April Fool? [...]

Latest Antivirus Updates » What Will Go DOWNAD on April 1?: Monday, 30. March 2009 at 12:59 pm
[...] Downad/Conficker, who’s the April Fool? [...]

Robert Burntwing: Tuesday, 31. March 2009 at 12:53 pm
If the virus is blocking AV sites, how would one download the SysClean tool from Trend Micro?

Rik Ferguson: Tuesday, 31. March 2009 at 1:34 pm
Hi Robert, yes, this is absolutely a recurring problem. If you have a machine that is infected, then in most cases it will not be possible to use that particular machine to download repair tools from most domains associated with security. The best course of action is to use a machine that is not infected to make the download, then use some kind of removable media to get the fix tools to the infected machine. Make sure that removable media is write-protected before you put it into the infected machine.

Twitter Trackbacks for Downad/Conficker, who’s the April Fool? » CounterMeasures [trendmicro.eu] on Topsy.com: Monday, 24. August 2009 at 8:30 am
[...] Downad/Conficker, who’s the April Fool? » CounterMeasures countermeasures.trendmicro.eu/downadconficker-whos-the-april-fool – view page – cached A Trend Micro Blog. Rik Ferguson and others blog about security related issues. From the page [...]

60 Minutes Conficker and Malware Report | Software News Daily: Wednesday, 16. September 2009 at 6:49 pm
[...] up harmful links that will in fact deliver the worm to the very people looking to remove it. In its detailed report of the different instances of Conficker, Trend Micro states that internet based virus scans will [...]
2010 – Year Of The Zombie Cloud? | Business Computing World: Wednesday, 16. December 2009 at 10:41 am
[...] the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the [...]

bodo unger: Friday, 8. January 2010 at 3:17 am
The writer of the Conficker virus is Mario Fiege, a German in the Philippines. He is working with glavmed.com.stimul-cash.com, rx-promotion.com, spamit.com. He is pretending to be a Russian on the internet while hacking domains, hijacking forums and sending millions of spam emails out of malware ghettos like Asia.