Why is Conficker/DOWNAD still a persistent threat?

Conficker/DOWNAD became a huge threat in its heyday because it exploited a Windows vulnerability and spread through several propagation techniques at once. That still matters, because the vulnerability landscape grows more threatening every year. Though the number of vulnerabilities reported in 2010 dwindled, they can never be completely eliminated given the complexity of modern software, and the fact that Windows remains the most widely used OS does not help either. Trend Micro senior security researcher Abhishek Bhuyan, in fact, believed that even at the close of 2010 the Conficker/DOWNAD threat still existed.

Based on October–December 2010 Trend Micro™ Smart Protection Network™ data, almost 30,000 systems worldwide were infected by various Conficker/DOWNAD variants. The top 3 Conficker/DOWNAD-stricken countries were the United States with 5,401 infected systems, India with 4,557 systems, and Brazil with 2,953 systems.

In 2011, Trend Micro security experts expect the exploitation of vulnerabilities to get worse, as cybercriminals will target not only systems running the most popular OSs, applications, and Web browsers but also those running their alternatives. This reiterates the importance of patching: keeping software up to date goes a long way toward protecting users' systems and networks from threats like Conficker/DOWNAD.

What is Conficker/DOWNAD?

Conficker/DOWNAD first reared its ugly head in the threat landscape in November 2008. The worm took advantage of the Server Service vulnerability (MS08-067, CVE-2008-4250), which, when exploited, led to remote code execution. It affected systems running Windows 2000, XP, Server 2003, Vista, and Server 2008 via a specially crafted Remote Procedure Call (RPC) request to the Server service, normally delivered over SMB on TCP port 445.

Within barely four months of its appearance, Conficker/DOWNAD was reported to have infected hundreds of thousands of systems worldwide, earning the worm a reputation as one of the most notorious pieces of malware ever to set foot in the threat landscape. In fact, more than two years after its rise to infamy, its variants continue to infect thousands of unpatched systems worldwide.

The most notable Conficker/DOWNAD variants that Trend Micro has come across and that continue to plague users even now include the following:

  • WORM_DOWNAD.A
  • WORM_DOWNAD.AD
  • WORM_DOWNAD.KK
  • WORM_DOWNAD.E

WORM_DOWNAD.A

WORM_DOWNAD.A was the first iteration of this threat. This worm exploited the Server Service vulnerability on various Windows OS versions to propagate to other systems on the network. A WORM_DOWNAD.A infection was characterized by high port 445 traffic as the worm scanned for and exploited the vulnerability on other hosts. Once installed, the worm connected to a certain IP address to download an updated copy of itself.

WORM_DOWNAD.AD

WORM_DOWNAD.AD was notable because of its propagation technique, a three-pronged attack designed to exploit weak company security policies. First, it sent exploit packets for the vulnerability to every system on the local network and to several randomly selected targets on the Internet. Second, it dropped a copy of itself into the Recycle Bin folder of every removable and network drive accessible from the infected machine, then created an obfuscated AUTORUN.INF file on those drives so that the copy would execute whenever a user browsed the infected network folder or removable drive. Third, it enumerated the available servers on the network, used that information to gather a list of user accounts on the connected systems, and ran a dictionary attack against those accounts using a predefined password list. Wherever a password was guessed, it dropped a copy of itself onto that system and created a scheduled task to execute it.

WORM_DOWNAD.KK

WORM_DOWNAD.KK became known for its domain generation algorithm, which could supposedly produce a list of 50,000 different domains per day. Five hundred of these domains would then be randomly selected for infected systems to contact, beginning April 1, 2009, to receive updated copies, new malware components, or additional instructions. The much-anticipated Conficker/DOWNAD attack set for April 1, 2009, however, did not materialize, most probably due to the efforts of the Conficker Working Group together with security researchers, ISPs, domain name registrars, and members of academia.

WORM_DOWNAD.E

WORM_DOWNAD.E piqued the security industry's interest because of a kill date, May 3, 2009, on which it would supposedly stop running. The worm used random file and service names and deleted the copies and components it dropped once they had served their purpose; propagated via the Server Service vulnerability to external IP addresses if Internet access was available and to local IP addresses otherwise; opened random ports and acted as an HTTP server, advertising itself through SSDP broadcasts; and connected to myspace.com, msn.com, ebay.com, cnn.com, and aol.com. Beyond that, it left no trace of itself on the host system. It also tried to access a known WALEDAC domain, goodnewsdigital.com, to download another encrypted file named print.exe, which was verified to be a WALEDAC binary.

How does this threat affect users’ systems?

The Conficker/DOWNAD worm makes use of a domain generation algorithm (DGA) to download other malware onto infected systems. It prevents user access to antivirus-related sites and propagates via removable drives, network shares, and peer-to-peer (P2P) networks. To continue spreading, it drops an AUTORUN.INF file to automatically execute dropped copies whenever the infected drives are accessed.

How can users prevent Conficker/DOWNAD system infection?

To prevent Conficker/DOWNAD infection, users are advised to do the following:

  • Immediately install security patches as soon as vendors release them.
  • Disable the Autorun feature on USB drives, particularly in WORM_DOWNAD.AD’s case.

Since Conficker/DOWNAD variants propagate via network shares, it would do system administrators well to do the following:

  • Require users to use complex passwords on their workstations, so that the dictionary attack WORM_DOWNAD.AD runs against network accounts (and the scheduled task it creates once a password is guessed) fails.
  • Limit user access to network shares.
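The two user-side measures above can be applied and verified from an elevated PowerShell prompt. The following is an added example, not Trend Micro's code or tooling: it shows the weak Windows XP/Vista AutoRun default next to the hardened value, checks whether the MS08-067 fix is installed, and raises the local minimum password length. The KB numbers are Microsoft's; the 12-character minimum is this example's own choice.

```powershell
# Added example (not Trend Micro's code): harden a Windows host against the
# DOWNAD propagation paths listed above. Run from an elevated PowerShell prompt.
# KB numbers are Microsoft's; the 12-character password floor is an assumption.

function Disable-Autorun {
    # Per-machine policy; it overrides the per-user value under HKCU.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Weak: the XP/Vista default of 0x91 leaves AutoRun enabled for removable,
    # fixed and CD-ROM drives, so an AUTORUN.INF dropped by DOWNAD.AD still runs.
    $before = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Write-Host "NoDriveTypeAutoRun before: $before (XP/Vista default 0x91 = 145)"

    # Hardened: 0xFF disables AutoRun on every drive type. On XP, 2003 and Vista
    # this value is only honoured once KB967715 is installed.
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Write-Host "NoDriveTypeAutoRun after : $((Get-ItemProperty -Path $key).NoDriveTypeAutoRun)"
}

function Test-Ms08067Patched {
    # KB958644 is the hotfix ID of MS08-067. Get-HotFix reads
    # Win32_QuickFixEngineering, which lists it on XP/2003/Vista/2008.
    if (Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue) { return $true }
    # Windows 7 / Server 2008 R2 (6.1) and later shipped with the fix built in.
    # On a host patched by a later service pack the KB may no longer be listed;
    # confirm against the netapi32.dll version given in the MS08-067 bulletin.
    $ver = [Version](Get-WmiObject Win32_OperatingSystem).Version
    return $ver -ge [Version]'6.1'
}

Disable-Autorun
if (Test-Ms08067Patched) {
    Write-Host 'MS08-067 (KB958644) is installed'
} else {
    Write-Warning 'MS08-067 fix missing: this host is exploitable over 445/tcp'
}

# DOWNAD.AD's dictionary is a short list of trivial passwords; a length floor plus
# the domain complexity policy defeats it. Local machine floor (assumed value):
net accounts /minpwlen:12
```

Because the AutoRun value is a policy key, it takes effect for every user on the machine; on a domain, set the same value through Group Policy so that it survives local changes.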

System administrators may also find the information on the following Microsoft Support pages useful:

How can users tell if their systems have been infected?

The telltale signs of a Conficker/DOWNAD infection include the following:

  • High port 445 traffic
  • Presence of randomly named entries for netsvcs in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  • Subsequent connection to various URLs
  • Existence of an AUTORUN.INF file on drives
  • Existence of a file named x in the system directory
  • Existence of an unknown scheduled task
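The signs above can be checked together from an elevated PowerShell prompt. The script below is an added example and not Trend Micro's code: it inspects the netsvcs entries and what each actually loads, looks for AUTORUN.INF at every drive root and for the file named x, lists scheduled tasks that invoke rundll32, and counts distinct 445/tcp peers from netstat. The 50-peer threshold and the rundll32 heuristic are this example's assumptions; treat every hit as a lead to confirm with a scan, not as proof of infection.

```powershell
# Added example (not Trend Micro's code): sweep a Windows host for the DOWNAD
# indicators listed above. Run from an elevated PowerShell prompt. The 445/tcp
# peer threshold and the rundll32 heuristic are assumptions of this example.

function Find-DownadIndicators {
    $findings = @()

    # 1. Randomly named netsvcs entries. DOWNAD installs its DLL as a service
    #    hosted by svchost.exe, so check what each netsvcs member actually loads.
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($svc in (Get-ItemProperty -Path $svchostKey).netsvcs) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        if (-not (Test-Path $params)) { continue }   # no such service: nothing is loaded
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $dll)) {
            $findings += "netsvcs '$svc' points at missing DLL $dll"
            continue
        }
        # Catalog-signed system DLLs on XP/2003/Vista/7 can report NotSigned here;
        # confirm such hits with sigcheck before acting on them.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "netsvcs '$svc' loads $dll (signature: $($sig.Status))"
        }
    }

    # 2. AUTORUN.INF at the root of every fixed, removable and mapped drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) { $findings += "autorun.inf present on $($drive.Root)" }
    }

    # 3. The file named x in the system directory.
    $x = Join-Path $env:SystemRoot 'System32\x'
    if (Test-Path -LiteralPath $x) { $findings += "$x exists" }

    # 4. Scheduled tasks. DOWNAD.AD schedules its dropped copy on each machine it
    #    logs into; tasks that run rundll32 against a DLL deserve a look (heuristic).
    #    Column names below are those of an English-locale schtasks.
    $tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ($t.'Task To Run' -match 'rundll32') {
            $findings += "task '$($t.TaskName)' runs: $($t.'Task To Run')"
        }
    }

    # 5. Outbound 445/tcp fan-out. A host scanning for MS08-067 talks to many
    #    distinct peers on 445. netstat is parsed rather than Get-NetTCPConnection
    #    so this also works on XP/2003, which DOWNAD targets.
    $peers = netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+\s+(\S+):445\s+(SYN_SENT|ESTABLISHED)') { $matches[1] }
    } | Sort-Object -Unique
    if (@($peers).Count -gt 50) {
        $findings += "$(@($peers).Count) distinct peers on 445/tcp (possible scanning)"
    }

    return $findings
}

$hits = @(Find-DownadIndicators)
if ($hits.Count -eq 0) { 'No DOWNAD indicators found' } else { $hits }
```

Run it on a known-clean build of the same Windows image first: the netsvcs and scheduled-task checks are heuristics, and a baseline tells you which hits are normal for that image before you triage a suspect machine.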

Does the threat put affected users’ credentials at risk?

Though there has been no evidence that Conficker/DOWNAD variants send any kind of sensitive information to any site, the files they download could carry information-theft routines of their own.

Can an infected system on a network put other machines or the entire network at risk?

Yes, an infected system can put other machines or even the entire network it is connected to at risk, as Conficker/DOWNAD variants spread by exploiting the Server Service vulnerability on unpatched hosts and via network shares and removable drives.

How can users get rid of Conficker/DOWNAD system infections?

Conficker/DOWNAD variants block access to certain antivirus-related sites by tampering with name resolution on the infected system. Stopping the Domain Name System (DNS) Client service restores access to those sites so that updated patterns, the fixtool, and patches can be downloaded; it does not by itself remove the malware or stop it from spreading. To do this, open a command prompt (an elevated one on Vista and later) and type net stop dnscache.

Affected users would also do well to download our latest pattern file from this page. They may also download, extract, and run the fixtool that we specifically created for this malware from this page. Finally, they should patch their systems with the latest Microsoft updates or at least download the specific patch that addresses the vulnerability this malware exploits from this page.

Trend Micro OfficeScan users are also urged to use the following features to protect against WORM_DOWNAD malware:

Enabling Device Access Control

  1. Open the OfficeScan web console.
  2. In the left panel, click Networked Computers to expand its list of contents.
  3. Click Client Management to open the user interface found in the right panel.
  4. In the right panel, click Settings and choose Device Control Settings from the dropdown list.
  5. Click Enable Device Control then Block Autorun function on USB devices after setting your desired permissions.
  6. At the bottom of the window, click Apply to All Clients.

Enabling USB Autoscan

For Trend Micro OfficeScan 10.6 SP1 and later, to enable this OfficeScan feature, please refer to the following eSupport page:

Enabling Scan Network Drive

  1. Still in the OfficeScan web console, in the left panel, click Networked Computers to expand its list of contents.
  2. Click Client Management to open the user interface in the right panel.
  3. In the right panel, click Settings and select Scan Settings>Real-time Scan Settings.
  4. In Scan Settings, check Scan network drive.
  5. At the bottom of the window, click Apply to All Clients.

Enabling Web Reputation Service

  1. Still in the OfficeScan web console, in the left panel, click Networked Computers.
  2. Click Client Management to open the user interface in the right panel.
  3. In the right panel, click Settings, then choose Web Reputation Settings from the dropdown list. This opens a new window where you can configure the Web Reputation service settings.
  4. Check Enable Web reputation policy on the following operating systems.
  5. At the bottom of the window, click Apply to All.

Enabling Firewall Feature

  1. Still in the OfficeScan web console, in the left panel, click Networked Computers.
  2. Click Client Management to open the user interface in the right panel.
  3. In the right panel, click Settings, then choose Additional Service Settings from the dropdown list. This opens a new window where you can enable firewall service.
  4. Check Enable service on the following operating systems.
  5. At the bottom of the window, click Apply to All Clients.

Trend Micro OfficeScan users may also install and configure the Intrusion Defense Firewall (IDF) plugin to further prevent WORM_DOWNAD infections.

Configuring IDF to Protect from DOWNAD infections

  1. Right-click Selected Computer Group>Actions>Deploy Client Plug-in(s).
  2. Create a Security Profile. Select Security Profiles in the IDF console. Right-click Windows Workstation Profile then select Duplicate. Then you may rename the Security Profile.
    Note: Skip this step if there is an existing IDF profile.
  3. Disable the IDF firewall to preserve the OfficeScan firewall. In the Security Profile window, select Firewall and uncheck Inherit. Then select Off.
  4. Enable corresponding IDF rules by doing the following:
    • Select Deep Packet Inspection and uncheck Inherit, then Select On and Prevent.

    • Under DPI rules, select IDS/IPS. In the upper right corner, type in CVE-2008-4250 and press Enter.

    • Wait for the relevant IDF rules to be found and check all IDF rules, then click Save.
  5. Assign the security profile to the select computer group by doing the following:
    • Right-click on Computer Group>Actions>Assign Security Profile.

    • Select the newly created Security Profile, then click OK.
  6. To check whether the IDF plugin was properly configured, select a machine inside the selected Computer Group. The expected status is: Managed (Online), Firewall: Off, DPI: Prevent, 4 rules.

How can users prevent Conficker/DOWNAD system reinfection?

To prevent system reinfection, it is extremely important for users to keep their patch levels updated. Trend Micro product users should also keep their security solutions updated, as these block access to sites where Conficker/DOWNAD variants may be hosted with the help of the Smart Protection Network Web reputation technology. File reputation technology also prevents the download and execution of Conficker/DOWNAD variants on users' systems.

For further protection, users may also download our Conficker/DOWNAD immunity tool from this page.

Free Tools

Users who do not use Trend Micro or other security solutions can also help mitigate the risks that Conficker/DOWNAD variants pose by using HouseCall, our highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.

From the Field: Expert Insights

“I think bot herders are refreshing their bot networks with new machines through this new exploit.”

— Senior threat researcher Ryan Flores on
WORM_DOWNAD.A

“Conficker/DOWNAD-infected hosts can be found in service provider networks in the United States, China, India, the Middle East, Europe, and Latin America though several residential broadband service providers had a larger number of infected customers.”

— Senior threat researcher Ivan Macalintal on
WORM_DOWNAD.A

“Remember, even one unpatched machine is enough to have this worm spread through the entire network. Patch management is a critical component of any IT department’s job today and it is vitally important that it is applied in a timely fashion across all of the company’s machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network. Like so many aspects of security, it only takes one hole to bring down an entire network.”

— Senior threat researcher Robert McArdle on
how to avoid Conficker/DOWNAD infection

"Conficker/DOWNAD became one of 2008's most notorious malware because of its ability to exploit a Windows system vulnerability—still a pretty new concept at that time. Though Microsoft has already fixed this issue, users should keep in mind that at any time, another loophole could be exposed and more sophisticated malware like the STUXNET worm could emerge. It is therefore crucial to habitually patch your systems and still be careful when surfing the Web or when clicking links leading to unknown sites. Remember that any system is just as strong as its weakest link."

— Threat response engineer Erika Mendoza on
Conficker/DOWNAD's success and persistence