<p>
<font size="5">Conficker/Downadup Evolves To Defend Itself</font>
</p><p>
<font size="4">Worm develops ability to disable antimalware tools, switch domains more frequently</font><br>
</p><p>
<font size="2" face="geneva,arial,helvetica">By
Tim Wilson,
<a href="http://www.darkreading.com/" target="_blank">
DarkReading
</a>
<br>
March 12, 2009
<br>
URL:<a href="http://www.darkreading.com/story/showArticle.jhtml?articleID=215900041">http://www.darkreading.com/story/showArticle.jhtml?articleID=215900041</a><br><br>
</font>
</p><p>
The enigmatic Conficker worm has evolved, adopting new capabilities
that make it more difficult than ever to find and eradicate, security
researchers say.
</p><p>
In a <a href="https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249" target="new">blog published late last week</a>,
researchers at Symantec said they found "a completely new variant" of
Conficker, sometimes called Downadup, that is being pushed out to
machines previously infected with earlier versions of the worm.
</p><p>The new variant, which Symantec calls W32.Downadup.C, appears
to have defensive capabilities that weren't present in earlier
versions. While it spreads in the same manner, "Conficker.C" can
disable some of the tools used to detect and eradicate it, including
antivirus and other antimalware detection tools.
</p><p>W32.Downadup C also can switch domains at a much greater rate,
Symantec said. "The Downadup authors have now moved from a 250-a-day
domain-generation algorithm to a new 50,000-a-day domain generation
algorithm," the researchers reported. "The new domain generation
algorithm also uses one of a possible 116 domain suffixes."
</p><p>
A <a href="http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976" target="new">report from CA about Conficker.C</a>
confirms Symantec's findings, although the CA researchers said the jump
from 500 to 50,000 domains will not occur until April 1.
</p><p>The ability to quickly switch domains will make it difficult
for Internet security organizations, such as ICANN and OpenDNS, to
block the domains used by the worm, industry experts note. </p><p>
The new variant emerges just as some vendors have come out with tools they say will eradicate the worm. Enigma Software <a href="http://www.enigmasoftware.com/" target="new">today issued a new, free tool</a>
that it says will remove Conficker.A and Conficker.B from infected
machines. A spokesman says the company has begun work on the new
variant. And BitDefender also is offering a <a href="http://www.bdtools.net/" target="new">free tool</a> it says will remove all variants of the worm.
</p><p>
Perhaps the most disconcerting aspect of the worm is that although it
has reportedly infected hundreds of thousands of machines, it does not,
as yet, seem to have a purpose. Although it has been contacting domains
and spreading itself through various means, security experts say it has
yet to be given a task -- such as distributing spam or launching a DDoS
attack -- and researchers are still uncertain as to what it might be
used for.
</p><p>And some experts say there may be other exploits that behave
like Conficker/Downadup. "BitDefender Labs has been seeing an increase
in worms, like Downadup, that have a built-in mathematical algorithm,
generating strings based on the current date," says Vlad Valceanu,
BitDefender's senior malware analyst. "The worms then produce a fixed
number of domain names on a daily basis and check them for updates.
This makes it easy for malware writers and cybercriminals to upgrade a
worm or give it a new payload, as they only have to register one of the
domains and then upload the files."
</p><p>
<i>Have a comment on this story? Please click "Discuss" below. If you'd like to contact</i> Dark Reading's <i>editors directly, <a href="mailto:editors@darkreading.com">send us a message</a></i>
</p><p>
</p><p>
<font size="1" face="geneva,ms sans serif,helvetica">Copyright © 2007 <a href="http://www.cmpnet.com/">CMP Media LLC</a></font>
</p>