Downad/Conficker, who’s the April Fool?

A brief outline of the story so far with WORM_DOWNAD and some thoughts about the April 1st “activation date”.

“This could well be very big, but it will also be very quiet.”

I’m beginning to get a little exercised by some of the language I am seeing attached to this malware in recent commentary; phrases like “virus set to explode”, “erupt”, “blow up” or “will infect 12m computers on April 1st”. I put the following information together to clarify exactly what will be “activated” on April 1st and to bring some rationality to the debate.

First Variant

In November 2008, Downad/Conficker was seen for the first time. This first variant was the simplest; it spread by exploiting a vulnerability in the Windows Server service (MS08-067) that Microsoft had already patched in October 2008. This variant actively avoided infecting systems configured with a Ukrainian keyboard layout or with IP addresses registered in Ukraine (which may give some clue as to its origins). Once it had infected a machine, this original variant would first generate random IP addresses and use those to search for new victims to infect, then attempt, as a one-time event, to download some rogue antivirus “scareware”. From that point on, it would generate a daily list of 250 pseudo-random domain names using the top level domains .com, .net, .org, .info and .biz, and attempt to connect to those servers and download further malicious content.

Second Variant

January 2009 saw the second Downad/Conficker variant, which was largely a rewrite of the first; it no longer excluded Ukrainian systems and did not try to download the “scareware” as the first variant did. It also used several more mechanisms to spread. In addition to exploiting the Microsoft vulnerability, it copied itself to any removable drives plugged into infected systems and to any attached network shares, and it searched for machines on the same network against which it attempted a brute force password attack using a list of over 240 predefined common passwords. This second variant also attempted to disable many well known anti-virus programs, blocked access to security related web sites, and disabled key Microsoft security services such as Windows Automatic Update. These additional methods of self-propagation are thought to have contributed to the worm’s success at infecting large numbers of machines.
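To make the brute force behaviour described above concrete from the defender’s side, here is an added example (my own Python, not code from the original post or from Trend Micro) that runs a simple sliding-window detector over constructed logon records. Everything in it is assumed: the log format is a simplified key=value layout standing in for Windows audit events, the host names, addresses and account names are made up, and the threshold of 10 failures in 60 seconds is a starting point rather than a tuned value.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real audit-log output. Each line is a
# simplified network logon attempt: timestamp, source host, target host,
# account, result. Windows audit events carry the same fields (XP-era
# event 529 failure / 540 success with logon type 3; 4625 / 4624 on later
# versions), so only parse_line() would change for a real feed.
BENIGN_LINES = [
    "2009-01-14T09:00:01 src=10.0.0.7 dst=FILESRV01 user=jsmith result=failure",
    "2009-01-14T09:00:09 src=10.0.0.7 dst=FILESRV01 user=jsmith result=failure",
    "2009-01-14T09:00:15 src=10.0.0.7 dst=FILESRV01 user=jsmith result=success",
    "2009-01-14T09:05:30 src=10.0.0.9 dst=FILESRV01 user=mjones result=success",
]

# Accounts the constructed burst cycles through while walking a password list.
BURST_ACCOUNTS = ["administrator", "admin", "backup", "guest"]


def constructed_burst(start="2009-01-14T09:02:00", attempts=30,
                      src="10.0.0.42", dst="FILESRV01"):
    """Constructed worm-style burst: one host, one share server, one failed
    logon every two seconds, rotating through a few accounts."""
    t0 = datetime.fromisoformat(start)
    lines = []
    for i in range(attempts):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat(timespec="seconds")
        user = BURST_ACCOUNTS[i % len(BURST_ACCOUNTS)]
        lines.append(f"{ts} src={src} dst={dst} user={user} result=failure")
    return lines


def parse_line(line):
    """Parse one simplified record into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def detect_password_guessing(lines, threshold=10, window_seconds=60):
    """Flag (source, target) pairs with >= threshold failed logons inside any
    sliding window of window_seconds. A human mistyping a password produces
    a handful of failures; a wordlist walk produces dozens in under a minute,
    usually spread across several accounts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    recent = defaultdict(deque)     # (src, dst) -> (ts, user) pairs inside the window
    alerts = {}
    for rec in events:
        if rec["result"] != "failure":
            continue
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append((rec["ts"], rec["user"]))
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"peak_in_window": 0, "accounts": set(),
                                        "first": q[0][0], "last": rec["ts"]})
            a["peak_in_window"] = max(a["peak_in_window"], len(q))
            a["accounts"].update(user for _, user in q)
            a["last"] = rec["ts"]
    return alerts


def run_sample():
    """Run the detector over the benign lines plus the constructed burst."""
    return detect_password_guessing(BENIGN_LINES + constructed_burst())


if __name__ == "__main__":
    for (src, dst), a in run_sample().items():
        print(f"{src} -> {dst}: {a['peak_in_window']} failures in one window, "
              f"accounts tried: {sorted(a['accounts'])}, {a['first']} .. {a['last']}")
```

The point of keying on the (source, target) pair rather than on the account is that a wordlist walk of the kind described spreads its failures over several accounts on one target, which a per-account rule can miss. Where a domain enforces an account lockout policy the same burst also surfaces as a wave of locked-out accounts, which is worth alerting on as a second signal.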

This second variant also generates a daily list of 250 domains to try to connect to, this time using more top level domains: .com, .net, .org, .info and .biz as before, plus .ws, .cn and .cc. The domains generated by the two versions do not overlap.

Third Variant

In March 2009, a significant third Downad/Conficker variant surfaced. This new version appears to have been spread as an update pushed out to machines previously infected with the second variant. It generates a daily list of 50,000 Internet domain names instead of the 250 generated previously and, rather than the 5 or 8 top level domains used by the first two variants, it uses 110 different top level domains. Each infected machine queries only 500 of these generated domains, and only once per day. It is this mechanism that is coded to begin on 1st April, and the sheer number of domain names involved renders the domain blocking and pre-registration used so far to combat the worm impractical.
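The three variant descriptions above cover the same rendezvous mechanism at three scales, so here is one added example (my own Python, not code from the original post, from Trend Micro or from the SRI paper) that models it and puts numbers on why the third variant’s change matters. The generator is a toy date-seeded DGA and not Conficker’s real algorithm; the 110-entry TLD list for the third variant is a placeholder of the right size, not the real list; and the bot identifiers and dates are made up. What is faithful to the text is the shape: 250 domains a day over 5 or 8 TLDs, all of them queried, versus 50,000 a day over 110 TLDs with each bot querying 500.

```python
import hashlib
import random

# TLD sets as described above for the first two variants. The third variant is
# described as using 110 TLDs; the names below are placeholders of that size,
# not the real list.
TLDS_A = ["com", "net", "org", "info", "biz"]
TLDS_B = TLDS_A + ["ws", "cn", "cc"]
TLDS_C = [f"tld{i:03d}" for i in range(110)]

# variant -> (domains generated per day, domains each bot queries per day, TLDs)
VARIANTS = {
    "A": (250, 250, TLDS_A),
    "B": (250, 250, TLDS_B),
    "C": (50000, 500, TLDS_C),
}


def generate_domains(day, count, tlds, variant_tag):
    """Toy date-seeded DGA (hypothetical; NOT Conficker's real algorithm).
    It has the one property that matters operationally: anyone who knows the
    date and the algorithm, bot or defender, derives the identical list."""
    seed = hashlib.sha256(f"{variant_tag}:{day}".encode()).digest()
    rng = random.Random(int.from_bytes(seed[:8], "big"))
    letters = "abcdefghijklmnopqrstuvwxyz"
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(letters) for _ in range(rng.randint(8, 11)))
        domains.append(f"{label}.{rng.choice(tlds)}")
    return domains


def daily_list(variant, day):
    """The full list every bot of this variant derives for the given day."""
    count, _, tlds = VARIANTS[variant]
    return generate_domains(day, count, tlds, variant)


def queried_subset(variant, day, bot_id):
    """The subset a single bot actually resolves that day: all 250 for A and B,
    a per-bot random 500 of the 50,000 for C. bot_id is a made-up identifier."""
    _, queried, _ = VARIANTS[variant]
    rng = random.Random(f"{bot_id}:{day}")
    return rng.sample(daily_list(variant, day), queried)


def defender_registrations(variant, days=365):
    """Domains a defender must pre-register to sinkhole every rendezvous point."""
    count, _, _ = VARIANTS[variant]
    return count * days


def prob_bot_reaches_c2(variant, attacker_registered=1):
    """P(a bot's daily queries hit at least one attacker-registered domain),
    drawing the queried subset without replacement from the day's list."""
    count, queried, _ = VARIANTS[variant]
    p_miss = 1.0
    for i in range(queried):
        p_miss *= (count - attacker_registered - i) / (count - i)
    return 1.0 - p_miss


if __name__ == "__main__":
    day = "2009-04-01"
    for v in VARIANTS:
        print(f"variant {v}: {len(daily_list(v, day))} domains/day, "
              f"{defender_registrations(v)} registrations/year to sinkhole, "
              f"P(bot reaches 1 attacker domain) = {prob_bot_reaches_c2(v):.3f}, "
              f"P(bot reaches 1 of 100) = {prob_bot_reaches_c2(v, 100):.3f}")
    print(queried_subset("C", day, "bot-1")[:3])
```

Running it prints the defender’s registration burden (91,250 domains a year for the first two variants, 18.25 million for the third) and the probability that a single bot reaches a single attacker-registered domain on a given day: 1.0 for the first two variants, 0.01 for the third. Read that last figure the way the authors presumably did: one domain registered for one day reaches about one percent of the botnet, which is cheap for them and, at 50,000 candidates a day, impractical to pre-empt by registration alone.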

In addition to this already established HTTP command and control infrastructure, this new variant also introduced peer to peer communication between infected hosts, presumably in an effort to get around the security and Internet industries’ attempts to shut down the HTTP connection mechanism.

In this third update, the propagation methods present in the first and second variants have been removed and the stance of the infection has shifted to a more defensive one. This perhaps signals that the cybercriminals behind this feel they have infected enough machines to turn this into a “simple” botnet for distributing whichever malicious code they see fit. Remember though that the propagation functionality could just as easily be switched back on as required by the authors.

It’s really anyone’s guess what the infected hosts will be used for if the command and control infrastructure goes live on April 1st. Pushing rogue AV? Sending spam? Carrying out denial of service attacks on other servers and Internet infrastructure? Hosting malware and phishing sites? Or simply creating a very large asset pool of infected PCs for the owners to rent out for cash? Personally, I don’t buy into the mass attack scenario: the motivator for mainstream cybercrime is still cash generation, and “bringing down the Internet” wouldn’t be much of an earner. The people behind this piece of code are very skilled, very well informed and well resourced. They have invested much time and effort in the creation of this botnet, and will be aiming to see some return on that investment. Making so much noise that every victim knows they’re infected would have entirely the opposite effect. This could well be very big, but it will also be very quiet.

If you believe your system may be infected by Downad/Conficker, then online scanners and tools almost certainly won’t be of any use to you, because the infection blocks access to the websites that host them. I would recommend you download SysClean, a free tool from Trend Micro, to remove any infection.

For a great in-depth analysis of Downad/Conficker, please have a look at the research paper written by SRI International.

15 thoughts on “Downad/Conficker, who’s the April Fool?”

  1. Pingback: ICANN TLDs: Get ready for domain name hell - Internet Lawyer Blog

  2. Pingback: Unrestricted warfare expert: Stuxnet, the virus that attacked Iran’s nuclear plant, and its smokescreen Conficker | Cloud antivirus is the trend

  3. bodo unger

    The writer of the Conficker virus is Mario Fiege, a German in the Philippines. He is working with glavmed.com.stimul-cash.com, rx-promotion.com, spamit.com. He is pretending to be a Russian on the internet while hacking domains, hijacking forums and sending millions of spam emails out of malware ghettos like Asia.
    He is using proxyway.com

  4. Pingback: 2010 – Year Of The Zombie Cloud? | Business Computing World

  5. Pingback: ReleaseTest » Conficker with 10M victims, April 1 update soon

  6. Pingback: 60 Minutes Conficker and Malware Report | Software News Daily

  7. Pingback: Twitter Trackbacks for Downad/Conficker, who’s the April Fool? » CounterMeasures [trendmicro.eu] on Topsy.com

  8. joey

    Okay, I also will say this: the person who made it is, I’m almost 85% sure, using an IRC infection method that sends commands to an IRC server run by the maker. If it’s a private IRC then no one can find the original maker of it, no matter what. About the data sending, I don’t think there will be any; maybe just websites and a few other things to send the virus out to more people, but that’s about it.

    And also it can be someone on their PC like me, typing away their life on a computer and using their internet to connect to the victims, but most worms use IRC, the newer ones, so yeah…

    thanks for reading

    joey

    1. Rik Ferguson Post author

      Hi Robert,

      Yes, this is absolutely a recurring problem. If you have a machine that is infected, then in most cases it will not be possible to use that particular machine to download repair tools from most domains associated with security. The best course of action is to use a machine that is not infected to make the download, then use some kind of removable media to get the fix tools to the infected machine. Make sure that removable media is write-protected before you put it into the infected machine.

  9. Pingback: Latest Antivirus Updates » What Will Go DOWNAD on April 1?

  10. Pingback: What Will Go DOWNAD on April 1?

  11. Pingback: Conficker with 10M victims, April 1 update soon | EC-Comp.com

  12. Pingback: conficker virus

  13. Pingback: Tech Whiz Underground » Cool down on Conflicker panic, say experts
