The authors of the latest variant of the Downadup worm are upping the ante against security vendors who are working to stop the spread and threat of the persistent program.
Downadup shuts down security services, blocks computers from connecting to security websites, and downloads a Trojan. It also is programmed to begin connecting to 50,000 different domains on 1 April to receive updated copies or other malware, as opposed to connecting to 250 domains a day as previous versions are doing, Ben Greenbaum, senior research manager for Symantec Security Response, said on Friday.
The authors of the code are "strengthening their hold on their collection of infected machines at the same time they are attempting to strengthen their ability to control those machines by moving to 50,000 domains," he said.
A self-described "cabal" of companies, including Microsoft, Symantec and a host of domain-registration providers, have been trying to thwart the efforts of Downadup by pre-registering and locking up the domain names being used by the worm to distribute updates.
Now that Downadup is targeting 50,000 domains, the group has its work cut out for it, Greenbaum said. Regardless, "it's unknown at this point whether [boosting the domains] is an effective sidestep around the cabal's actions," he said.
The worm, also called Kido or Conficker, was first detected in November and is believed to have infected more than 10,000 computers. The first two versions exploit a vulnerability that Microsoft patched in October.
A second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, such as USB drives, through the AutoRun function in Windows.
Among the domains targeted by Downadup was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on Friday, Sophos said last week. However, a Southwest spokesman said there had been no impact to the site from any additional traffic as a result of Downadup.
Experts are urging computer users to apply the Microsoft patch and update their antivirus software. And this week, Enigma Software Group and BitDefender announced free Downadup-removal tools.
Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 (£180,000) reward for information leading to an arrest in the Downadup case.
Symantec has more technical and historical details on Downadup on its website.
Talkback
Well there are removal tools that still aren't detected and sites that haven't been black-listed until now. One of them is http://bdtools.net that I see now is being redirected to http://downadup.org
I used that tool on an infected station I had and had no problems removing it. I see that this new site has got some other tool for networks, has anyone used it?
One statement in the report, that I would like to point out is:
A second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, such as USB drives, through the AutoRun function in Windows.
This is very important and catching out a lot of organisations who have blocked the conficker outbound communications at the firewall, but have overlooked its enhanced ability which is to spread via USB drives.
Also, a built-in password cracker made it easy work to open shares that did not use strong authentication which helped to accelerate the spread of Conficker B.
Of course, installation of the microsoft patch MS08-067, issued on 23 October 2008, would have provided the remediation step necessary to prevent this malware from causing chaos.
One fact that should not be ignored is the need to keep your computers current, regardless of the operating system. Patching vulnerabilities as they emerge is a fundamental step in your defence against malware. Also note that applications are just as vulnerable as the operating systems they run on, and 60% of all exploited vulnerabilities are due to insecure configurations. Whether you’re operating a single-OS platform or manage a heterogeneous environment, it’s important and usually more time- and cost-effective to choose a patch management approach that addresses multiple platforms and applications at the same time.
One action to prevent the spread of CONFICKER.C on WEDS this week is to turn off the AUTOPLAY feature..........
On non-Home versions of Windows (for example, Windows XP Professional, Vista Ultimate):
1. Click Start, click Run, enter gpedit.msc (launch Group Policy Editor);
2. XP users: Open Computer Configuration | Administrative Templates | System,
Vista users: Open Computer Configuration | Windows Components | AutoPlay Policies;
3. Find Turn Off AutoPlay in the right-hand pane and double-click it;
4. Choose Enabled and set it for All drives.
Or, in any Windows version:
1. Launch the Registry editor (Start | Run | regedit);
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer;
3. Double-click NoDriveTypeAutoRun in the right-hand pane and set its value to hexadecimal FF.