As well as reactivating the original propogation functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?

Please read the TrendLabs Malware blog for a detailed breakdown.

So in anticipation of the “Impending Technological Apocalypse™“. Trend Micro is pleased to bring you a method to outsmart the worm and restore access to those blocked web sites on your infected machines.

1 -In the Start menu, choose Run. (If you cannot see the Run choice in your Start menu you may need to add it. It can be added as follows: Right mouse click the Start button and choose Properties. Hit the Customise button and choose Advanced. In the Start Menu Items section, scroll down until you see the check box for Run Command, check that box as below, and hit OK).

2- Alright, so now you can hit the Start button and choose Run. In the Run window that appears, type cmd as below and hit OK.

3 -In the window that appears, type the command net stop dnscache, and hit Enter, then type exit and hit Enter again. It should appear exactly as show below.

4 – Right, we’re almost done, just a belt-and-braces check to do now. Again click Start and choose Run. This time type services.msc in the Run box and click OK. It brings up a window as shown below

5 – Double-click the DNS Client entry in the list, and if it is not already stopped, hit the Stop button.

Hey presto! You should now be able to access all of those previously blocked sites, of course including the excellent HouseCall for all your cleanup needs.

This service has been brought to you by a large Indian meal, a very long day and a well-known Tennesee Sippin’ Whiskey

As soon as the good news breaks that it is possible to use tools such as the network scanning tool nmap to search for machines infected by Downad/Conficker, then the malicious SEO work starts.

If you need malware removal tools type the URL of your vendor of choice directly into the browser bar and use links on their website. Do not rely on Google search results at this time, as they may have been “optimised”.

Careful what you click on, these Google results are loaded!

According to blogger Dizzy Thinks, the UK Parliament has become the latest institution to fall victim to the spread of Downad/Conficker. In an internal memo, which was subsequently leaked, network users were advised the following:

To: All users connecting directly to the Parliamentary Network

The Parliamentary Network has been affected by a virus known as conficker. This virus affects users by slowing down the Network and by locking out some accounts. We are continuining [sic] to work with our third party partners to manage its removal and we need to act swiftly to clean computers that are infected.

 

We are scanning the Network and if we identify any equipment which we believe is infected with the virus then we will contact you to ensure that the device is either removed from the Network or cleaned and loaded with the correct software to prevent this infection reoccurring.

You can help us to contain this problem and prevent new infection by adhering to the following advice:

• We are unable to clean PCs and portable computers which are either not switched on or which are not authorised devices. We therefore ask that if you are running a PC or portable computer not authorised to be on the Network that you take it off immediately.
• An additional characteristic of this virus is that for some types of files it can skip direct to the Network from a USB memory stick or other portable storage device (e.g. mp3 players) without hitting the virus checker software. We ask that for the time being you do not use memory sticks or any other portable storage devices on the Parliamentary Network.
• If you do identify a problem with the equipment you are running, please contact the PICT Service Desk on 020 xxxx 200x when it reopens on Wednesday 25 March from 8am.
• If you are connecting using one of our remote access services, from a Constituency Office for example, a separate communication will be sent to you.

Director of Parliamentary ICT.

 

This raises several salient questions in my mind…

1- What the expletive are “unauthorised devices” doing on the Parliamentary network in the first place? Of all the organisations in the country you would expect the UK parliament to be using Network Access Control technology to keep the wrong ‘uns out!

2- What kind of anti-malware solution are they running there that allows a worm to “skip direct to the Network from a USB memory stick or other portable storage device (e.g. mp3 players) without hitting the virus checker software” and also, one that doesn’t detect the worm itself?

3- Where’s the port control or DLP solution?Tthe memo itself being made public amply demonstrates (if any proof were needed) that the potential for data leakage exists, and this is Parliament.

4- What kind of message is this “We are unable to clean PCs and portable computers which are not switched on“? Surely this could be interpreted as “We are experiencing an outbreak, please make sure all computers are switched on“. That doesn’t sound like good containment policy to me.

I don’t want this post to be entirely negative though, so, Dear Parliament, if you are having trouble cleaning this up, give us a call we’ll come and do it for nothing.

“This could well be very big, but it will also be very quiet.”

I’m beginning to get a little exercised by many of the verbs I am seeing attached to this malware in recent commentary; words like “virus set to explode”, “erupt”, “blow up” or “will infect 12m computers on April 1st”. I put the following information together to try to clarify exactly what will be “activated” on April the 1st and bring some rationality to the debate.

First Variant

In November 2008, Downad/Conficker was seen for the first time. This first variant was the most simple; it spread by exploiting a vulnerability (MS08-67) that was actually patched by Microsoft back in October of 2008. This variant actively avoided infecting systems that were configured to use a Ukrainian keyboard layout or had IP addresses registered to the Ukraine (which may give some clue as to its origins). This original variant, once it had infected a machine would firstly randomly generate IP addresses and use those to search for new victims to infect and then go on to attempt to download some rogue antivirus “scareware” as a one-time event. From that point on, it would generate a daily list of 250 pseudo-random domain names using the top level domain suffixes com, .net, .org, .info, and .biz and attempt to connect out to those servers and download further malicious content.

Second Variant

January 2009 saw the second Downad/Conficker variant, which was largely a rewrite of the first; it no longer excluded Ukrainian systems and did not try to download the “scareware” as the first variant did. It also used several more mechanisms through which to spread. In addition to exploiting the Microsoft vulnerability, it also spread by writing to any removable drives plugged into infected systems, any shared network drives currently attached and additionally searched for machines on the same network against which it would attempt a brute force password attack using a list of over 240 predefined common passwords. This second variant also attempted to disable many well known anti-virus programs, blocks access to security related web sites, and disabled key Microsoft security services such as Windows Automatic Update. These additional methods of self-propagation are though to have contributed to the worm’s success at infecting large numbers of machines.

This second variant also generates a daily list of 250 domains to try to connect to this time using more top level domain suffixes com, .net, .org, .info, .biz, and adding .ws, .wn and .cc  The domains generated by the two versions do not overlap.

Third Variant

In March 2009, a significant third Downad/Conficker variant surfaced. This new version appears to have been spread by an update pushed out to machines previously infected with the second variant. This new version now generates a daily list of 50,000 Internet domain names instead of the 250 generated previously and rather than the 5 or 8 top level domains used by the first two variants, this version uses 110 different top level domains. Only 500 of these generated domains are queried, and only once per day. It is this mechanism that is coded to begin on 1^st April, and the sheer numbers of domain names involved render redundant the blocking mechanisms used so far to combat the worm.

In addition to this already established HTTP Command & Control infrastructure, this new variant also introduced Peer to Peer communications capabilities between infected hosts, presumably in an effort to get around the security and internet industries attempts to shut down the HTTP connection mechanism.

In this third update, the propagation methods present in the first and second variants have been removed and the stance of the infection has shifted to a more defensive one. This signals perhaps that the cybercriminals behind this feel they have infected enough machines to turn this into a “simple” botnet for distributing whichever malicious code they see fit. Remember though, the propagation functionality could just as easily be switched on again as required by the authors.

It’s really anyone’s guess what the infected hosts will be used for if the command & control infrastructure goes live on April 1st. Pushing rogue AV? Sending Spam? Carrying out Denial of Service attacks on other servers and Internet infrastructure? Hosting Malware and Phishing sites? Or simply creating a very large asset pool of infected PCs for the owners to rent out for cash? Personally I don’t buy into the mass attack scenario, the motivator for mainstream cybercrime is still cash generation, and “bringing down the Internet” wouldn’t be much of an earner. The people behind this piece of code are very skilled, very well informed and resourced. They have invested much time and effort in the creation of this botnet, and will be aiming to see some return on that investment. Making so much noise that every victim knows they’re infected will have entirely the opposite effect. This could well be very big, but it will also be very quiet.

If you believe your system may be infected by Downad/Conficker, then online scanners and tools almost certainly won’t be of any use to you, because the websites will be blocked by the infection. I would recommend you download SysClean, a free tool from Trend Micro to remove any infection.

For a great in-depth analysis of Downad/Conficker, please have a look at the Research Paper written by SRI International