[AfrICANN-discuss] Conficker/Downadup Evolves To Defend Itself

Anne-Rachel Inné annerachel at gmail.com
Fri Mar 13 19:09:50 SAST 2009


Conficker/Downadup Evolves To Defend Itself

Worm develops ability to disable antimalware tools, switch domains more
frequently

By Tim Wilson, DarkReading <http://www.darkreading.com/>
March 12, 2009
URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=215900041

The enigmatic Conficker worm has evolved, adopting new capabilities that
make it more difficult than ever to find and eradicate, security researchers
say.

In a blog published late last week
<https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249>,
researchers at Symantec said they found "a completely new variant" of
Conficker, sometimes called Downadup, that is being pushed out to machines
previously infected with earlier versions of the worm.

The new variant, which Symantec calls W32.Downadup.C, appears to have
defensive capabilities that weren't present in earlier versions. While it
spreads in the same manner, "Conficker.C" can disable some of the tools used
to detect and eradicate it, including antivirus and other antimalware
detection tools.

W32.Downadup.C also can switch domains at a much greater rate, Symantec
said. "The Downadup authors have now moved from a 250-a-day
domain-generation algorithm to a new 50,000-a-day domain generation
algorithm," the researchers reported. "The new domain generation algorithm
also uses one of a possible 116 domain suffixes."

A report from CA about Conficker.C
<http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976> confirms
Symantec's findings, although the CA researchers said the jump from
500 to 50,000 domains will not occur until April 1.

The ability to quickly switch domains will make it difficult for Internet
security organizations, such as ICANN and OpenDNS, to block the domains used
by the worm, industry experts note.

The new variant emerges just as some vendors have come out with tools they
say will eradicate the worm. Enigma Software today issued a new, free tool
<http://www.enigmasoftware.com/> that it says will remove Conficker.A and
Conficker.B from infected machines. A spokesman says the company has begun
work on the new variant. And BitDefender also is offering a free tool
<http://www.bdtools.net/> it says will remove all variants of the worm.

Perhaps the most disconcerting aspect of the worm is that although it has
reportedly infected hundreds of thousands of machines, it does not, as yet,
seem to have a purpose. Although it has been contacting domains and
spreading itself through various means, security experts say it has yet to
be given a task -- such as distributing spam or launching a DDoS attack --
and researchers are still uncertain as to what it might be used for.

And some experts say there may be other exploits that behave like
Conficker/Downadup. "BitDefender Labs has been seeing an increase in worms,
like Downadup, that have a built-in mathematical algorithm, generating
strings based on the current date," says Vlad Valceanu, BitDefender's senior
malware analyst. "The worms then produce a fixed number of domain names on a
daily basis and check them for updates. This makes it easy for malware
writers and cybercriminals to upgrade a worm or give it a new payload, as
they only have to register one of the domains and then upload the files."
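As an added illustration (not from the article, and not Conficker's actual algorithm), the following is a constructed date-seeded domain generator of the kind Valceanu describes, together with the defender-side use it implies: because the list depends only on the calendar date and a shared algorithm, a defender who has recovered that algorithm can pre-compute each day's names and match them against DNS query logs. The suffix list, log format and IP addresses are constructed for the example.

```python
import hashlib
from datetime import date

# Constructed suffix list; the article reports 116 possible suffixes in Downadup.C.
SUFFIXES = [".com", ".net", ".org", ".info", ".biz"]


def generate_domains(day: date, count: int, suffixes=SUFFIXES) -> list[str]:
    """Toy date-seeded DGA (constructed, NOT the worm's real algorithm).

    Every party that knows the algorithm derives the same `count` names from
    the date alone: the authors need only register one of them, and a defender
    can pre-compute the whole day's list for blocking or sinkholing.
    """
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(label + suffixes[digest[8] % len(suffixes)])
    return domains


def flag_queries(log_lines, blocklist):
    """Return (client, qname) pairs whose query name is on the day's blocklist.

    Log format is constructed for the example: '<timestamp> <client_ip> <qname>'.
    """
    wanted = {d.lower() for d in blocklist}
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()   # tolerate trailing-dot FQDNs
        if qname in wanted:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = date(2009, 4, 1)
    # The 250 vs 50,000 figures from the article show why pre-computation must scale.
    small, large = generate_domains(today, 250), generate_domains(today, 50000)
    print(f"{len(small)} names/day vs {len(large)} names/day")
    # Constructed DNS log: one benign lookup and one lookup of a generated name.
    log = [
        "2009-04-01T10:00:01 10.0.0.5 www.example.com.",
        f"2009-04-01T10:00:02 10.0.0.7 {large[42]}.",
    ]
    print(flag_queries(log, large))
```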


 Copyright © 2007 CMP Media LLC <http://www.cmpnet.com/>