[Archived alert dated January 26, 2009] Malware is spreading everywhere. If you follow basic security recommendations you should have little to worry about, yet the infection numbers show that people are still making the same mistakes. If your company is infected, that is usually a sign of a weak security policy: unpatched systems, weak passwords, and autorun left enabled.
The estimated number of hosts infected with the Downadup or Conficker worm (also known as Win32/Conficker.A (CA), Mal/Conficker-A (Sophos), Trojan.Win32.Agent.bccs (Kaspersky) and W32.Downadup.B (Symantec)) is several million worldwide, and it is still growing. The worm is designed to call home and receive further instructions.
Propagation vector
Like other worms, an infected machine scans the network for machines that are still vulnerable to the exploit (the MS08-067 Server service flaw), but this worm has two more ways to spread. It tries to log on to other machines on the company network by guessing their passwords from a built-in list of a few hundred common words, and infects the ones it gets into; the repeated failed logons are also what locks accounts out on networks with a lockout policy. It also copies itself to removable USB drives together with an autorun.inf, so that it runs as soon as the drive is inserted into a machine with autorun enabled.
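As an added example, not part of the original alert, here is a small Python detector for the password-guessing behaviour described above. It runs over constructed, simplified Windows Security log lines (timestamp, event ID, target account, source workstation; event 529 is the XP/2003 bad-password failure, 4625 the Vista-and-later equivalent) and flags any source that produced many failed logons against several different accounts inside a short window, which is how a wordlist attack looks from the target's side. The log format, thresholds, hostnames and sample lines are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs for failed logons: 529 (Windows XP/2003), 4625 (Vista and later).
FAILED_LOGON_IDS = {"529", "4625"}

# Constructed sample log, not a real capture. Simplified one-event-per-line
# form: <timestamp>,<event id>,<target account>,<source workstation>.
# WS-17 behaves like an infected host running a wordlist against a server;
# WS-03 is a user mistyping a password twice. Event 528 is a successful logon.
SAMPLE_LOG = """\
2009-01-26 09:00:01,529,administrator,WS-17
2009-01-26 09:00:01,529,administrator,WS-17
2009-01-26 09:00:01,529,administrator,WS-17
2009-01-26 09:00:02,529,admin,WS-17
2009-01-26 09:00:02,529,admin,WS-17
2009-01-26 09:00:02,529,admin,WS-17
2009-01-26 09:00:03,529,root,WS-17
2009-01-26 09:00:03,529,root,WS-17
2009-01-26 09:00:04,529,test,WS-17
2009-01-26 09:00:04,529,test,WS-17
2009-01-26 09:00:05,529,guest,WS-17
2009-01-26 09:00:05,529,guest,WS-17
2009-01-26 09:00:09,528,backupsvc,WS-17
2009-01-26 08:58:30,529,jsmith,WS-03
2009-01-26 08:58:45,529,jsmith,WS-03
"""


def parse_failed_logons(log_text):
    """Return (timestamp, account, source) for every failed-logon line."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, source = line.split(",")
        if event_id not in FAILED_LOGON_IDS:
            continue  # successful logons and other events are irrelevant here
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account.lower(), source))
    return events


def find_password_guessers(log_text, window_seconds=60, min_failures=10, min_accounts=3):
    """Map each suspicious source to (failures, accounts) for its busiest window.

    A source is suspicious when some sliding window of window_seconds holds at
    least min_failures failed logons spread over at least min_accounts distinct
    accounts. The account-diversity test separates a wordlist attack from a
    single user who keeps mistyping one password.
    """
    by_source = defaultdict(list)
    for ts, account, source in parse_failed_logons(log_text):
        by_source[source].append((ts, account))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for source, events in by_source.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {account for _, account in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(in_window) > best[0]:
                    best = (len(in_window), sorted(accounts))
        if best is not None:
            flagged[source] = best
    return flagged


if __name__ == "__main__":
    for source, (count, accounts) in find_password_guessers(SAMPLE_LOG).items():
        print(f"{source}: {count} failed logons against {', '.join(accounts)}")
```

On a real network the same logic is fed from the domain controllers' and file servers' Security logs; the source workstation named in the event is the machine to isolate and clean, not the account being guessed.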
The worm runs four different scans, repeated in an infinite loop: first machines on its own subnet, then machines it has infected before, then machines close to already infected machines, and finally randomly selected addresses.
Once on a machine, the worm disables several security services (Windows Update, Windows Defender, Error Reporting and the Background Intelligent Transfer Service among them) and blocks DNS lookups for websites whose names match a built-in list, which covers Microsoft's site and most anti-virus vendors, so the victim can neither patch nor download cleaning tools. The worm is also capable of downloading a second-stage payload, which can be used to turn the infected machines into a massive botnet.
Early releases of the worm pushed fake security software (scareware) onto infected machines, earning the attackers $30 per sale.
McAfee analysts found that the exploit used in this worm was built with Metasploit, a reminder that the tools written for security testing are just as available to attackers.
The way the worm calls home uses a technique that was new at the time: a domain generation algorithm. Every day the worm derives a fresh list of pseudo-random domain names from the current date and tries to connect to each of them. Taking these domains down is not practical, because the attacker only needs to register one of them shortly before using it, while a defender would have to register or block every candidate for every day in advance, and most of them are never registered at all. This lets the people controlling the worm choose the day and the domain through which they take control of the infected machines. F-Secure managed to play the same game: having reverse-engineered the generator, they predicted an unregistered domain, registered it before the attackers did, and watched the infected machines connect to it, which is how they estimated the size of the outbreak.
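The following Python block is an added illustration of the call-home scheme described above; it is not Conficker's algorithm (the worm's real generator, constants and TLD list are not reproduced here) and not code from the original alert. It uses a toy date-seeded generator to show the three sides of the game: the operator registering one of the day's names, an infected host walking the list until something resolves, and a defender who knows the generator registering a predicted name ahead of the operator. The TLD list, the 250-per-day count, the dates and the IP addresses are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Parameters chosen for the example; they are not Conficker's.
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 250


def domains_for(day, count=DOMAINS_PER_DAY):
    """Deterministically derive the day's candidate domains from the date.

    Every infected host computes the same list, so no list ever has to be
    sent over the network; the operator only needs to know the algorithm.
    """
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4                      # 8 to 11 letters
        name = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{name}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def live_domains(day, dns):
    """What an infected host finds when it walks the day's list: the
    candidates that currently resolve. `dns` (name -> IP) stands in for DNS."""
    return [d for d in domains_for(day) if d in dns]


def scenario():
    """Operator, defender and bot over two days; returns what each side sees."""
    today = date(2009, 1, 26)
    tomorrow = today + timedelta(days=1)
    dns = {}

    # Operator: register one of today's candidates and point it at the C&C.
    cnc = domains_for(today)[17]
    dns[cnc] = "198.51.100.7"            # RFC 5737 documentation address

    # Defender who has reverse-engineered the generator: predict tomorrow's
    # list and register one candidate first, as a sinkhole.
    sinkhole = domains_for(tomorrow)[0]
    dns[sinkhole] = "203.0.113.9"

    # Blocking today's names does nothing for tomorrow's list.
    overlap = set(domains_for(today)) & set(domains_for(tomorrow))

    return {
        "today_contacts": live_domains(today, dns),
        "tomorrow_contacts": live_domains(tomorrow, dns),
        "cnc": cnc,
        "sinkhole": sinkhole,
        "overlap": len(overlap),
        "per_day": len(domains_for(today)),
        "unique_per_day": len(set(domains_for(today))),
        "deterministic": domains_for(today) == domains_for(date(2009, 1, 26)),
    }


if __name__ == "__main__":
    result = scenario()
    print("bots today reach   :", result["today_contacts"])
    print("bots tomorrow reach:", result["tomorrow_contacts"])
    print("names shared between the two days:", result["overlap"])
```

The asymmetry is the whole point: the operator registers one name per day, the defender who wants to cut the worm off by registration has to take every candidate for every future day, and a static blocklist built from one day's names expires at midnight. Predicting and registering a name, as F-Secure did, at least gives a count of the hosts calling in.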
Protection
- Install the MS08-067 patch on every system; it was released on October 23, 2008, and an unpatched machine is exploited over the network with no user interaction at all
- Use long, complex passwords; the worm's word list is only a few hundred common words, so anything that is not a plain dictionary word or a trivial pattern defeats it
- Disable the autorun feature: set the NoDriveTypeAutoRun policy to 0xFF for all drive types and, on Windows XP/2003 of this era where that setting alone does not fully stop autorun.inf from removable media, apply the Autorun.inf IniFileMapping entry ("@SYS:DoesNotExist") that US-CERT recommends
The Microsoft Malicious Software Removal Tool (MSRT) detects and cleans the worm; F-Secure also publishes a disinfection tool. Remember that an infected machine blocks access to both vendors' sites, so download the tool from a clean machine.
Additional information