Just Another Piece of Virus Information
Much has been said about the DOWNAD worm (a.k.a. Conficker) and its enigmatic payload that will supposedly be unleashed on April 1st. There are two days to go until the moment of truth and the hype isn’t expected to die down. But online threat history tells us that trigger/activation dates of equally hyped malware have come and gone without much fanfare. Whether or not April 1 will play out to be D-Day indeed, the security industry will be keeping an eye out for any malicious activity—like it should.
What we do know at this point is that the latest variant, which we detect as WORM_DOWNAD.KK (first detected on March 4, 2009), includes an algorithm to generate a list of 50,000 different domains. Five hundred (500) of these will be randomly selected to be contacted by infected PCs beginning April 1, 2009 to receive updated copies, new malware components, or additional functional instructions.
Figure 1. Routines that WORM_DOWNAD.KK will start performing beginning 1 April 2009
Trend Micro is part of the Conficker Working Group, also called the Conficker Cabal. As part of this group, we must continue to set straight misconceptions surrounding DOWNAD/Conficker and what it’s set to do on the anticipated date. Allow us to reiterate some facts:
Q: What will happen on April 1, 2009?
A: Based on our collective technical analysis, we’ve determined that systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. We have not identified any other actions scheduled to take place on April 1, 2009.
Q: Will an updated version of Conficker go out to already-infected systems on April 1?
A: It is possible that systems with the latest version of Conficker will be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.
Q: Should the general public be alarmed? Why or why not?
A: No, the general public should not be alarmed. Most home users have been protected by Microsoft Security Update MS08-067 being applied automatically.
Q: Are there any other changes in the latest version of Conficker?
A: The latest version of Conficker also introduces a new “peer-to-peer” (P2P) updating capability. This capability could enable a system infected by the latest version of Conficker to receive a new version or new instructions by contacting another system infected by Conficker rather than by contacting a domain determined by the domain generation algorithm.
Q: We hear talk of an impending second phase of attacks from Conficker. What do you anticipate happening next?
A: There may be a second phase of the threat at some point in time. However, we believe that with a situation like this—which has similarly taken place many times in the past—and given the tremendous amount of attention that this worm has received, as well as industry and law enforcement monitoring, these efforts will be a deterrent to a large second wave of attacks. At the end of the day, we can’t speculate on the intentions of criminals, but what we can do is work to limit the impact of any second phase.
Q: Why does Conficker continue to spread even though Microsoft issued the update in October?
A: There is always some percentage of customers who don’t apply an update at any given time, due to a variety of reasons. While most home users have been protected by the patch being applied automatically, once the worm gets a foothold inside an enterprise, it’s difficult to remove and this is where people are having problems.
Q: Why is Conficker using domain names? Is this a new trend?
A: It is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend.
Q: What is the Conficker Working Group doing about this new algorithm?
A: The Conficker Working Group has been working continuously to block access to domains that systems infected by Conficker attempt to contact. We are continuing this work and have expanded this effort to include those domains that will be contacted by the latest version of Conficker starting on April 1, 2009.
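The blocking effort described above works because a date-driven domain generation algorithm can be computed in advance by defenders as well as by the worm. The following added example (not code from the original post, and not Conficker's actual algorithm) uses a hypothetical stand-in generator to show the idea: precompute the day's full candidate list, model one infected PC picking 500 of them at random, and flag matching queries in a constructed DNS log.

```python
import hashlib
import random
from datetime import date

# Hypothetical stand-in generator: NOT Conficker's real DGA. It only models the
# property the post describes: a deterministic, date-driven candidate list that
# both the worm and a defender can compute ahead of time.
TLDS = ("com", "net", "org")

def candidate_domains(day: date, count: int = 50000) -> list:
    """Deterministically derive `count` candidate domains for `day`."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).hexdigest()
        # Map hex characters onto lowercase letters to form a plausible label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains

def infected_host_picks(day: date, rng_seed: int, k: int = 500) -> list:
    """Model an infected PC choosing k of the day's candidates at random."""
    rng = random.Random(rng_seed)
    return rng.sample(candidate_domains(day), k)

def flag_dga_queries(dns_log: list, blocklist: set) -> list:
    """Return (client, domain) pairs whose queried name is on the blocklist.
    Log line format is constructed for this example: '<client-ip> <qname>'."""
    hits = []
    for line in dns_log:
        client, qname = line.split()
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits

def demo() -> tuple:
    """Defender precomputes all 50,000 names, so every one of the 500 picks is covered."""
    day = date(2009, 4, 1)
    blocklist = set(candidate_domains(day))        # the full precomputed list
    picks = infected_host_picks(day, rng_seed=7)    # one infected PC's 500 choices
    # Constructed DNS log: three of the picks plus one benign lookup.
    log = [f"10.0.0.5 {d}" for d in picks[:3]] + ["10.0.0.9 www.trendmicro.com"]
    hits = flag_dga_queries(log, blocklist)
    return len(hits), sum(d in blocklist for d in picks)

if __name__ == "__main__":
    print(demo())
```

The same precomputed list cannot cover the P2P update channel mentioned later in the post, which is why blocking domains limits but does not eliminate the update path.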
Q: What should people who are worried about April 1 and Conficker do?
A: We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest signatures.
We recommend that enterprises continue to focus on the guidance from experts in industry, academia and governments worldwide and continue to deploy the security update MS08-067, ensure their security software has the latest signatures, clean any systems that are infected with any version of Conficker using the tools and guidance we’ve provided, and evaluate additional security best practices in accordance with their organizations’ policies and procedures.
Q: We’ve seen some reports that this worm blocks people from receiving updates, including antivirus updates. Are you seeing this and what are you doing about it?
A: Yes. Malware attacks often use a variety of tactics to remain on the system and undetected. We continue to encourage users to visit Trend Micro’s Online Virus and Spyware Scanner—HouseCall—and run the HouseCall online scanner to check for and remove any malware.
Read about DOWNAD in these earlier entries:
Post from: TrendLabs | Malware Blog – by Trend Micro
etavasi
March 31st, 2009 at 12:06 pm
hope my avast antivirus can detect this virus
hehe..
konco
March 31st, 2009 at 12:51 pm
information of interest