Conficker/Downup/Downadup/Kido malware, Symantec writes in the first edition of The Downadup Codex, “is, to date, one of the most complex worms in the history of malicious code”. Initially spread through a flaw in the Windows Server service, the threat has grown immensely because of a combination of elements that facilitated its diffusion and drove the IT industry to unite in an attempt to block its further proliferation.

Even though the botnet remains silent, with no apparent malicious action ordered by the worm’s creators, network infrastructures are starting to suffer collateral damage from the infection. After the already reported episode of the French navy computers, at the beginning of March Sophos revealed that during this month some legitimate domains would suffer a kind of unintentional distributed denial of service (DDoS) attack caused by the worm’s remote communication feature.

Sophos disclosed that the daily lists of 250 pseudo-random domains generated by Conficker during the month of March contain domain names owned by organizations and companies that have nothing to do with malware writing. Among them is the Texas airline Southwest Airlines, which besides the domain southwest.com also owns the “alternative” domain wnsux.com, which points to the first address. Unfortunately for the company, that domain happens to match one of the remote servers that the millions of machines infected by Conficker are trying to contact these days, waiting for instructions or a possible code update.

The botnet hit the domain on March 13, and if the company had not prepared the right countermeasures after being warned by Sophos, it would surely have faced serious problems with site access and functionality. Southwest Airlines sensibly prevented the affected domain from resolving to an IP address. The next deadlines for Conficker DDoS “attacks” are scheduled for March 18 (qhflh.com, Women’s Net in Qinghai Province) and March 31 (praat.org, Praat: doing phonetics by computer).
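The two checks a network team needs in this situation, as an added example that is not part of the original post nor code from Sophos or Symantec: the daily domain list and the DNS log lines below are constructed stand-ins (the real Conficker generation algorithm is not reproduced), and one entry collides with a legitimate domain the way wnsux.com did on March 13.

```python
from collections import defaultdict

# Constructed stand-in for one day's list of worm-generated domains
# (not the real list or algorithm). One entry belongs to a legitimate owner.
GENERATED_TODAY = {"qzxtb.com", "mplrk.net", "wnsux.com", "hvqda.org", "tgbne.biz"}
LEGITIMATE = {"wnsux.com": "Southwest Airlines (alias of southwest.com)"}

# Constructed DNS query log, one "<client_ip> <qname>" per line.
DNS_LOG = """\
10.0.0.5 qzxtb.com
10.0.0.5 mplrk.net
10.0.0.5 wnsux.com
10.0.0.5 hvqda.org
10.0.0.9 southwest.com
10.0.0.9 wnsux.com
10.0.0.7 example.org
"""


def parse_log(text):
    """Yield (client_ip, normalized qname) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ip, qname = line.split()
            yield ip, qname.lower().rstrip(".")


def collisions(generated, legitimate):
    """Generated domains that belong to a legitimate owner: these are the ones
    to stop resolving (or sinkhole) before the botnet's date comes around."""
    return {d: legitimate[d] for d in generated if d in legitimate}


def suspect_hosts(log_text, generated, threshold=3):
    """Hosts that queried at least `threshold` distinct generated domains.
    A single hit (a customer visiting wnsux.com) is not evidence; an infected
    host walks through many of the day's names while looking for a live server."""
    hits = defaultdict(set)
    for ip, qname in parse_log(log_text):
        if qname in generated:
            hits[ip].add(qname)
    return {ip: len(names) for ip, names in hits.items() if len(names) >= threshold}
```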

Beyond the side effects of the domain name generation mechanism, data collected by Arbor Networks suggest that Conficker’s proliferation has reached its peak and that the number of unique infected IP addresses has stalled at about 3 million per day. The botnet is no longer growing, but this does not stop its puppeteers from trying to manage the zombie PCs already under their control and, above all, from answering the “Conficker Cabal”, the plan drawn up by Microsoft and its allies to stop the malware.

According to Symantec, unlike the earlier, allegedly new variant Conficker B++, this time the authors have genuinely updated the worm: the latest detected version, dubbed W32.Downadup.C, adds new features to the malware code and makes the threat even more dangerous and worrisome than before.

The first analyses of Downadup.C reveal that the worm still relies on the usual mechanisms for its proliferation (namely the MS08-067 flaw, removable drives and network shares), but it has also become much more aggressive: it targets the processes of security and analysis software and terminates them if found on the infected machine. The answer to the Conficker Cabal has thus become concrete with an improved domain name generation algorithm, which now produces something like 50,000 different domains per day, each with one of 116 existing suffixes.

What are the objectives of the new update? “Authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines,” Symantec writes. “Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation.”

The number of infections does not seem to have grown further, but the appearance of Downadup.C is particularly important because, according to Symantec, it represents “the first real case” of successful communication between the malware writers and the worm, which in return receives new binary code to update the infection. Given the relatively small number of machines affected by the update, however, Symantec is currently unable to say whether this is a limited test or the first phase of a broader strategy.

This post was featured on Slashdot on March 16, 2009, producing a maximum daily peak of 4050 unique visitors and 5299 pageviews on the blog (source: LLOOGG).
