Why is Conficker/DOWNAD still a persistent threat?
What is Conficker/DOWNAD?
Conficker/DOWNAD first reared its ugly head in the threat landscape in November 2008. The worm took advantage of the Server Service vulnerability, also known as MS08-067, which could lead to remote code execution when exploited. It affected systems running Windows 2000, XP, Server 2003, Vista, and Server 2008 via a specially crafted Remote Procedure Call (RPC) request.
Barely four months after its inception, Conficker/DOWNAD was reported to have infected hundreds of thousands of systems worldwide in seconds. This gave the worm the reputation of being one of the most notorious pieces of malware ever to appear in the threat landscape. In fact, more than two years after its rise to infamy, its variants continue to infect thousands of unpatched systems worldwide.
WORM_DOWNAD.A was the first iteration of this threat. This worm exploited the Server Service vulnerability in various Windows OS versions in order to propagate via network shares. A WORM_DOWNAD.A infection was characterized by high port 445 traffic upon successful exploitation of this vulnerability. Once installed, the worm connected to a certain IP address to download an updated copy of itself.
WORM_DOWNAD.AD was notable for its propagation technique, a three-pronged attack designed to exploit weak company security policies. It first sent exploit packets for the vulnerability to every system on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself into the Recycle Bin of all the systems connected to an infected machine’s available removable and network drives. Afterward, it created an obfuscated AUTORUN.INF file on the drives so that it would execute whenever a user browsed an infected network folder or removable drive. It then enumerated the available servers on a network and, using this information, gathered a list of user accounts on connected systems. Finally, it ran a dictionary attack against those accounts using a predefined password list. If successful, it dropped a copy of itself onto the systems and used a scheduled task to execute it.
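The first prong above, exploit packets sprayed at every host on the network and at random Internet targets, is what produces the "high port 445 traffic" a defender can look for. The following Python is an added detection example, not Trend Micro's code: it reads constructed flow records (the sample lines, the 10.0.0.0/8 LAN range and the thresholds are assumptions) and flags any source that reaches many distinct tcp/445 targets inside one short window, counting Internet-bound targets separately.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records, not from any real capture: "time src dst dport proto".
# 10.0.0.7 fans out to many hosts on tcp/445 inside and outside the LAN (the
# exploit-packet spraying described above); 10.0.0.12 only talks to one file server.
SAMPLE_FLOWS = """\
2009-03-01T09:00:01 10.0.0.7 10.0.0.21 445 tcp
2009-03-01T09:00:02 10.0.0.7 10.0.0.22 445 tcp
2009-03-01T09:00:02 10.0.0.7 10.0.0.23 445 tcp
2009-03-01T09:00:03 10.0.0.7 198.51.100.14 445 tcp
2009-03-01T09:00:04 10.0.0.7 203.0.113.77 445 tcp
2009-03-01T09:00:05 10.0.0.7 10.0.0.24 445 tcp
2009-03-01T09:00:07 10.0.0.12 10.0.0.5 445 tcp
2009-03-01T09:01:30 10.0.0.12 10.0.0.5 445 tcp
2009-03-01T09:01:31 10.0.0.12 10.0.0.5 80 tcp
"""
LAN = ip_network("10.0.0.0/8")  # assumed internal address space

def parse_flows(text):
    """Parse 'ISO-time src dst dport proto' lines into tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows

def find_smb_scanners(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src: (distinct_445_targets, external_targets)} for every source
    that contacts at least `min_targets` distinct hosts on tcp/445 within one
    sliding `window`. External (non-LAN) targets are counted separately, since
    a workstation has no business speaking SMB to the Internet."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                external = {d for d in targets if ip_address(d) not in LAN}
                flagged[src] = (len(targets), len(external))
                break
    return flagged

if __name__ == "__main__":
    print(find_smb_scanners(parse_flows(SAMPLE_FLOWS)))  # {'10.0.0.7': (6, 2)}
```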
became known for its algorithm that could supposedly generate a list of 50,000 different domains. Five hundred of these domains would then be randomly selected and contacted by infected systems beginning April 1, 2009 to receive updated copies, new malware components, or additional instructions. The much-anticipated Conficker/DOWNAD attack set for April 1, 2009, however, did not materialize, most probably due to the efforts of the Conficker Working Group with the aid of security researchers, ISPs, domain name registrars, and members of academia.
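The reason a working group could blunt a date-driven DGA is that the same algorithm runs identically for attacker and defender: whoever knows it can compute the day's domains in advance and register, sinkhole or block them. The Python below is an added illustration, not Conficker's real algorithm or any Trend Micro code; it uses a toy date-seeded generator (its hashing, alphabet and TLD list are all assumptions) with the page's 50,000-candidate and 500-selected figures, and shows the defender side precomputing a blocklist and matching constructed DNS log lines against it.

```python
import hashlib
import random
from datetime import date, timedelta

# Toy stand-in for the worm's domain generation algorithm, constructed for this
# example; it is NOT Conficker's real algorithm. The candidate list depends only
# on the calendar date, so anyone who knows the algorithm, attacker or defender,
# can compute the same list for any day ahead of time.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org", "info", "biz")

def _rng_for(day):
    """Deterministic generator seeded from the date alone."""
    digest = hashlib.sha256(day.isoformat().encode()).digest()
    return random.Random(int.from_bytes(digest[:8], "big"))

def candidate_domains(day, count=50_000):
    """Full daily candidate list (the page cites 50,000 domains)."""
    rng = _rng_for(day)
    out = set()
    while len(out) < count:
        label = "".join(rng.choices(ALPHABET, k=rng.randint(6, 10)))
        out.add(f"{label}.{rng.choice(TLDS)}")
    return sorted(out)

def contact_domains(day, count=500):
    """The 500 domains an infected host would actually try on that day."""
    return set(_rng_for(day).sample(candidate_domains(day), count))

def build_sinkhole_list(first_day, days):
    """Defender view: precompute every domain the worm could contact over a
    period so they can be registered, sinkholed or blocked before the date."""
    sinkhole = set()
    for i in range(days):
        sinkhole |= contact_domains(first_day + timedelta(days=i))
    return sinkhole

def flag_dga_queries(dns_log, sinkhole):
    """Return constructed DNS log lines ('time client qname') whose queried
    name is on the precomputed list."""
    return [line for line in dns_log if line.split()[-1] in sinkhole]

if __name__ == "__main__":
    day = date(2009, 4, 1)  # the activation date named on the page
    sinkhole = build_sinkhole_list(day, 3)
    # Constructed log: one query for a generated domain, one benign lookup.
    log = [f"2009-04-01T00:00:05 10.0.0.7 {min(contact_domains(day))}",
           "2009-04-01T00:00:06 10.0.0.12 www.example.com"]
    print(len(sinkhole), flag_dga_queries(log, sinkhole))
```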
WORM_DOWNAD.E piqued the security industry’s interest because of an un-trigger date, May 3, 2009, on which it would supposedly stop running. The worm used random file and service names and deleted the copies and components it dropped afterward. It propagated via the Server Service vulnerability to external IP addresses when Internet access was available and to local IP addresses when it was not. It opened random ports and acted as an HTTP server, advertising itself via SSDP requests, and connected to myspace.com, msn.com, ebay.com, cnn.com, and aol.com. It did not leave any trace of itself on the host system. It also tried to access a known WALEDAC domain, goodnewsdigital.com, to download yet another encrypted file named print.exe, which was verified to be a WALEDAC binary.
How does this threat affect users’ systems?
The Conficker/DOWNAD worm makes use of a domain generation algorithm (DGA) to download other malware onto infected systems. It prevents user access to antivirus-related sites and propagates via removable drives, network shares, and peer-to-peer (P2P) networks. To continue spreading, it drops an AUTORUN.INF file to automatically execute dropped copies whenever the infected drives are accessed.
How can users prevent Conficker/DOWNAD system infection?
To prevent Conficker/DOWNAD infection, users are advised to do the following:
Since Conficker/DOWNAD variants propagate via network shares, system administrators would do well to do the following:
System administrators may also find the information on the following Microsoft Support pages useful:
How can users tell if their systems have been infected?
The telltale signs of a Conficker/DOWNAD infection include the following:
Does the threat put affected users’ credentials at risk?
Though there has been no evidence that Conficker/DOWNAD variants sent any kind of sensitive information to any site, the files these variants download could include information theft routines.
Can an infected system on a network put other machines or the entire network at risk?
Yes, an infected system can put other machines or even the entire network it is connected to at risk, as Conficker/DOWNAD variants can spread via network shares.
How can users get rid of Conficker/DOWNAD system infections?
Since Conficker/DOWNAD variants can block access to certain antivirus-related sites, affected users can disable their systems’ Domain Name System (DNS) Client Service feature to prevent propagation and to rid their machines of the malware. To do this, users must open a command prompt and type net stop dnscache.
Affected users would also do well to download our latest pattern from this page. They may also download, extract, and run the fixtool that we specifically created for this malware from this page.
Finally, they should patch their systems with the latest Microsoft updates or at least download the specific patch that addresses the vulnerability that this malware exploits from this page.
How can users prevent Conficker/DOWNAD system reinfection?
To prevent system reinfection, it is extremely important for users to keep their patch levels updated. Trend Micro product users should also keep their security solutions updated, as these block access to sites where Conficker/DOWNAD variants may be hosted with the help of the Smart Protection Network’s Web reputation technology. File reputation technology also prevents the download and execution of Conficker/DOWNAD variants on users’ systems.
For further protection, users may also download our Conficker/DOWNAD immunity tool from this page.
Users who do not use Trend Micro or other security solutions can also
help mitigate the risks that Conficker/DOWNAD variants pose by using HouseCall,
our highly popular and capable on-demand scanner for identifying and
removing viruses, Trojans, worms, unwanted browser plug-ins, and other
Malware Blog Entries
For more details on various Conficker/DOWNAD-related threats, read the following blog posts:
For a more in-depth discussion of the Conficker/DOWNAD threat, take a look at “DOWNAD/Conficker: The Case of the ‘Missing’ Malware.”
From the Field: Expert Insights
“I think bot herders are refreshing their bot networks with new machines through this new exploit.”
— Senior threat researcher Ryan Flores on WORM_DOWNAD.A
“Conficker/DOWNAD-infected hosts can be found in service provider networks in the United States, China, India, the Middle East, Europe, and Latin America though several residential broadband service providers had a larger number of infected customers.”
— Senior threat researcher Ivan Macalintal on WORM_DOWNAD.A
“Remember, even one unpatched machine is enough to have this worm spread through the entire network. Patch management is a critical component of any IT department’s job today and it is vitally important that it is applied in a timely fashion across all of the company’s machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network. Like so many aspects of security, it only takes one hole to bring down an entire network.”
— Senior threat researcher Robert McArdle on how to avoid Conficker/DOWNAD infection
“Conficker/DOWNAD became one of 2008’s most notorious malware because of its ability to exploit a Windows system vulnerability—still a pretty new concept at that time. Though Microsoft has already fixed this issue, users should keep in mind that at any time, another loophole could be exposed and more sophisticated malware like the STUXNET worm could emerge. It is therefore crucial to habitually patch your systems and still be careful when surfing the Web or when clicking links leading to unknown sites. Remember that any system is just as strong as its weakest link.”
— Threat response engineer Erika Mendoza on Conficker/DOWNAD’s success and persistence